On the heels of RampUp New York and our well-attended sessions on CCPA, we recorded a podcast with speaker Noga Rosenthal, chief privacy officer at Ampersand. She shared recent updates to CCPA, including the second ballot initiative put forth by Alistair Mactaggart, and what’s happening at the state level that companies need to pay attention to.
Listen to her in conversation with Audrey Luk, head of RampUp content, below, or read an excerpt.
I’m curious to know how you got your start in the regulatory space.
Sure. I started at 24/7 Real Media, which is a WPP company, back in 2008. At the time, I was just corporate counsel there. In the beginning, privacy only took about 10% of my time, but as ad tech got more sophisticated and more questions came up, it ended up taking about close to 60% to 70% of my time.
I served on the Network Advertising Initiative’s (NAI) board from 2008. At the time there were only seven of us, and in my mind those seven were some of the biggest privacy greats out there. Even from the beginning there were a lot of questions around how data was being used as consumers surfed the net.
This was ten years ago—now, we’re obviously at the point where laws are being passed like GDPR and CCPA. Back then, who was asking the questions around data collection and data sharing? What were some of the initial questions that perhaps led to what we’re experiencing now?
That’s a great question, Audrey. I would say a lot of the issues that we were facing then are starting to repeat themselves now, or we’re facing them again and people’s attitudes have changed. For instance, the NAI was formed because of questions around merging people’s names, addresses, and emails—information that was collected offline—to their online behavior.
So when those individuals surfed the internet, their online behavior would then be linked to their name and address. This was deemed very creepy and there was a big uproar. There was actually no regulation around this so the Federal Trade Commission didn’t step in. Instead, there was public pressure for that model not to take hold.
This is an issue that I’m still seeing today, where companies are considering merging those two data sets. There seems to be some movement towards that not being as big of a deal as it was in the past.
There were a lot of questions around sensitive health segments, mobile phone transparency, and precise location data. Alistair Mactaggart actually proposed another addition to the CCPA related to “precise location” in his second ballot initiative.
I didn’t hear about that. It sounds like CCPA as we know it is already a little bit nebulous in certain areas. People are interpreting in terms of what fits their business model. So, that begs the question, are people going to be ready for January 1st with all these questions still up in the air about how to achieve compliance and how to interpret the law?
That’s a tough question that a lot of companies are facing. CCPA has some ambiguities—some open questions that the industry is trying to address. I am worried about companies interpreting the law on their own, and veering far off from what it actually represents.
Ampersand is very vocal in the Interactive Advertising Bureau’s working group, as well as the ANA. We’re all working together to try to figure out in which cases we are a service provider, a third party, and when we fall under the sale definition.
All of these ambiguous definitions are triggering different stances. I’ll give you a really great example: re-targeting. If a cookie becomes associated with me and my visit to a shoe brand’s site, I’m re-targeted with an ad for the shoes I was looking at on another website.
The ad tech company serving the ad on that other website is acting as an agent of the shoe brand. You could argue that there is no sale and therefore the ad tech company in that instance is a service provider, an entity or a vendor that’s only working for that advertiser, almost like an agency. I remember now that this was the perspective on re-targeting that industry took years ago.
Now, where it ends up getting a little bit tricky is if the ad tech company adds information or additional data points in the process of re-targeting, it ends up being categorized as a third-party vendor versus a service provider because they are using the data for their own purposes outside of what the advertiser requested or instructed. This can happen if the advertiser and the ad tech company does not limit the use of the data just for the advertiser’s campaign.
These are the discussions that we are addressing within the industry groups. It’s opening up minds. I didn’t originally think of re-targeting that way. I thought it was a sale. But now my viewpoint is shifting as I hear other people’s thoughts.
It sounds like the law is bringing up a lot of healthy discussion amongst the various members of the ecosystem. I’m curious to know if you have a pulse on what consumers think of this law coming down the line, as ostensibly, it is written for their protection. Using GDPR as an example, we do see extremely high opt-in rates, pointing to the idea that people just want to get on with it and access the content that they’re after and will just click opt-in without reading a lengthy privacy statement or truly understanding what is happening if they click ‘yes, I accept.’
What are your thoughts there?
In my personal point of view, which doesn’t reflect the point of view of my company, I’m not a big proponent of opt in. I think it has a lot of problems and I think GDPR is reflecting those problems. For instance, like you said, consumers are just clicking ‘I accept’ without further investigation in order to access the content they want. It’s opt-in fatigue. In Europe, they were facing this fatigue before GDPR, under the cookie banners that have existed since 2010, if not earlier. I definitely question whether or not consumers truly know what they’re opting into, and I don’t think they do. I don’t think they’re reading the consent notice.
What I advocate is that individuals think this through and take on the responsibility of making sure that they aren’t sharing more information than they need to, so they aren’t surprised by the data collection and use and sharing.
Is there anything else you’d like to share at this point, especially with the big privacy professionals conference this week?
CCPA is just one law marketers should be aware of and discussing internally. There are other states proposing privacy laws, including New York and New Jersey. I encourage companies that do currently business in these states or plan to in the future to be active in these discussions. Otherwise, legislators will not know or take into account your perspective.
During a meeting we had, one Attorney General said to us that they were merely copying and pasting CCPA into their law. We’re also seeing others go the GDPR route, including Washington state. Companies need to look at these laws and start considering how are they going to comply if they go into effect so they don’t repeat the efforts they are taking today to meet the obligations of current laws.
Right. So, certainly a patchwork to come, but the same patches are being reused. I want to thank you for your time and I appreciate your thoughts
My pleasure, Audrey. Thank you again.
The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.