The ANA-BAA Law Marketing conference Nov 15-17 in San Diego included a half dozen sessions on data privacy. To varying degrees, each of them referenced the landmark California privacy laws, CCPA and CPRA. Below are several takeaways related to California regulations from two sessions in particular.
1. CA Attorney General enforcement of CCPA addresses many business types
In their presentation on California privacy regulations, Alan Friel of Squire Patton Boggs and Dave Manek of Ankura cited 27 examples of CCPA noncompliance notices. The notices covered a breadth of industries, perhaps reinforcing that all firms that process personal data need to comply.
They noted that companies that buy and sell personal data, share data, or allow others to collect data for interest-based advertising (IBA) were prevalent throughout the examples. Examples include a data broker, social media site, online event seller, online advertiser, and online marketer.
Firms accessing data from children and other sensitive data such as geolocation were also mentioned, including a video game site, toy distributor, and education technology provider. The attorney general’s office also included the auto, consumer electronics, grocery, clothing retailer, and pet industries in its examples.
2. Global Privacy Controls (GPC) are a force to be reckoned with
GPCs are browser plug-ins, device settings, or other signals sent when a visitor reaches a website, telling the website that the visitor doesn’t want to be tracked and doesn’t want their personal information sold. They can be much faster and more user-friendly than opt-out links or emails.
In their presentation on state, federal, and international regulation, Elliott Siebers of Frankfurt Kurnit Klein and Selz and Nicolette Martz of Yelp showed how GPC is getting serious attention from US state regulators.
They cited CCPA regulations that say businesses must provide two or more methods for submitting opt-out requests. The methods can be the “Do Not Sell” link as well as a toll-free phone number, email address, web form, in-person form, or mail-in form. But businesses collecting information online must accept GPCs as a valid opt-out.
Colorado’s privacy law makes recognition of a GPC-like mechanism mandatory as of July 1, 2024. Virginia has no such requirement, but a working group recently recommended adoption of global controls. Further momentum came two weeks prior to the conference, when Mozilla Firefox announced it had joined a group of privacy-first browsers in implementing GPC.
3. Compliance teams may want to consider a CCPA year-end checklist for enforcement
Friel and Manek also provided a year-end CCPA checklist of enforcement topics:
· Consumer Rights – Audit the consumer rights request process to ensure it includes all rights and that responses are complete and timely. Revisit the right to protection from discrimination and instructions for authorized agents.
· Sale Position – Either have a Do Not Sell link, or make a statement that you do not sell. Also include a reference to having no knowledge of a sale of minors' data in the last 12 months. If you take the position that you do not sell:
- Revisit third party cookies
- Check your privacy notice for conflicting language such as “we may share your information with third-party companies,” “our advertising partners may collect information about you,” or “we provide information to other companies, sites, or platforms to develop services to offer you”
· Service Provider Contracts – Make sure you meet the requirements of the final CCPA regulations, and consider updating now for upcoming laws such as CPRA, VCDPA and CPA.
· Pre-collection Notices At Entry Points – Maintain a data inventory that includes a log of all personal information entry points and confirm there is a privacy notice at each collection point. Don’t forget white-labeled marketing sites, login pages of portals, and mobile apps.
· Cookie Solutions including GPC – Run regular cookie scans and bucket cookies. Consider cookie banners and consent management platforms (CMPs), addressing GPC signals, understanding of IAB programs and Google / Facebook solutions.
To learn about how to keep your brand and your site compliant with data privacy laws in California and elsewhere, check out Boltive Privacy Guard.