Introducing the IAB Diligence Platform
With more than a dozen privacy laws in effect or coming into effect, each of which provides for an opt-out of “sales” and targeted advertising, digital advertising is increasingly becoming a regulated industry. This change in the law must be met with a change in business practices, including how we conduct diligence around privacy in digital ad transactions.
Liability is shifting
One of the fundamental changes in state privacy laws is the inclusion of accountability. There are new requirements around what partners can and cannot do with the personal information you provide them. Indeed, you must take “reasonable and appropriate steps” to make sure that your partner uses that personal information in a manner consistent with the law — for example, by including mandatory audit provisions in your contracts.
Perhaps the most significant change is the California Privacy Protection Agency’s (CPPA) regulation stating that whether you conduct diligence of your partners with whom you disclose personal information is a material factor in determining whether you will be liable for their wrongdoing. In other words, due diligence and third-party risk management should now be integral aspects of your data privacy program.
Enforcement is getting tougher — and digital advertising will face new scrutiny
Not only is liability shifting, but enforcement is too. Upon the effective dates of the dozen-plus privacy laws, each vests enforcement in its state attorney general’s office. In California, both the Attorney General’s Office and the CPPA have enforcement powers.
Those enforcers have shown a clear intent to protect consumers under their privacy laws. On January 26, the California Attorney General announced a sweep of streaming services under the CCPA. The Connecticut Attorney General’s Office announced its enforcement priorities for the digital advertising industry at the IAB State Privacy Law Summit on November 15, including setting bright lines on the right to opt out of the disclosure of personal information to vendors for measurement and frequency capping (where those vendors do not serve as your processors), as well as parameters on categorizing information as deidentified.
Colorado’s Attorney General Phil Weiser has said “Enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy (…) If we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”
Finally, the CPPA has a fully staffed enforcement division to investigate possible violations, and it’s hard to imagine digital advertising won’t be one of its key focus areas. Importantly, you can expect announced or unannounced audits to commence soon, particularly for companies that have any history of non-compliance with any privacy law; where there are potential violations of the law; or where the subject’s “collection or processing of personal information presents significant risk to consumer privacy or security”. And there is no longer a mandatory 30-day “cure period” — no guaranteed second chances — under the CCPA.
Companies should not underprice state privacy risk because doing so could become a big — and very costly — mistake.
Industry diligence must improve
Historically, privacy diligence has relied on two things. First, you obtained a representation and warranty in the contract that the business partner would comply with applicable law and then indemnity if it failed to do so. Second, you typically sent out a generic questionnaire.
This approach will no longer do.
For a fully digital industry, diligence is woefully analog and outdated. It’s underfunded, understaffed, and in an underdeveloped state. Companies send out and receive dozens of questionnaires monthly in connection with transactions and partnerships. These often ask the same questions in multiple different ways, which makes responding to them a rote exercise of managing answers in spreadsheets and cutting and pasting. Worse, these questionnaires are often generic and out of date, and the majority fail to address the actual uses of personal information contemplated by the business arrangement and the entirety of each state law. Sometimes, the surveys come back incomplete — if they come back at all.
The industry must solve for privacy diligence, and it can’t do so by doubling down on its current approach. Rather, what’s needed are standards around privacy diligence that can achieve effectiveness and efficiency so that all industry participants are speaking the same language. We need standardized privacy diligence questions that address both the letter of the law and the specific data flows and business use cases for every vendor and sub-vendor. We also need a more effective and efficient means of managing the diligence process.
It’s a digital problem that demands a digital solution.
Introducing the IAB Diligence Platform
To proactively meet the needs of regulators, the IAB convened a Privacy Implementation and Accountability Taskforce (PIAT), composed of publishers, advertisers, agencies and ad tech companies. The group highlighted the need for an effective and efficient solution: the IAB Diligence Platform.
The Platform provides a privacy diligence solution that is purpose-built for the digital advertising industry. This solution will combine new industry vertical business questions with US state law assessments in one collaborative platform to make the diligence workflow effective and efficient for both sides of the partnership.
Leading industry privacy lawyers and law firms are collaborating in the PIAT initiative to draft the right business and privacy questions for each digital advertising use case and vendor type. We know that the right questions for a publisher to ask an SSP aren’t the right questions for an advertiser or its agency to ask a DSP. These questions will be complemented by questions specifically tailored to assess compliance with each state privacy law.
The IAB Diligence Platform will be built on the SafeGuard Privacy Platform, which features robust state law assessments and a vendor compliance hub. Users will be able to complete the diligence questionnaire once and share it with the partners on the platform as they engage in digital ad transactions. By moving the industry towards use of the Platform, there will be a strong network effect to drive efficiency and improve deal speed. In fact, IAB members that are already on the SafeGuard Privacy platform are seeing 80%+ efficiency gains by managing multiple laws concurrently and automating vendor compliance. They have a single source of truth for members to handle their diligence efficiently, and they’re saving dozens of FTE hours a month.
The solution provides:
- Standardized privacy questions that will be leveraged by the industry.
- Ability to fill out assessments and questionnaires once and easily share with partners many times.
- Ability to update compliance as new laws come online or existing laws and regulations evolve.
It’s better for vendors. Automated sharing means significant time and labor savings for vendors — they answer the right set of questions once and share everywhere. Deals close faster when there are no overlapping, inappropriate, out of date, and repetitive questions to wrestle with.
It’s better for accountability. It’s auditable, fully accountable, and provides a clear record of compliance: companies that are audited can show the actions they’ve taken to ensure control over, and the privacy of, the personal information they handle. The combination of SafeGuard Privacy assessments and IAB PIAT (Privacy Implementation & Accountability Task Force) questionnaires delivers what the heightened regulatory landscape calls for.
Of inertia, lack of budgets, and finger-pointing
The first challenge is for the industry to overcome inertia. We must recognize that we are now becoming a regulated industry, and expect that regulators will do their job diligently. What worked in the past will not work in the future.
Despite this, few budgets have a line item for a diligence platform. This must change.
Company leaders must not allow this to devolve into finger-pointing about which budget this should come from — especially since nobody’s going to point at their own budget first.
This needs to be a priority driven by top management, with real effort to find the resources and get a real solution in place. The good news is, the cost is lower than it might appear — and certainly lower than the financial and reputational cost of an enforcement action arising from your partner failing to properly process personal information you provided to it.
Additionally, the costs of the industry’s current approach are high, but largely hidden. Every hour that employees spend sending out questionnaires, working with vendors to fill in the inevitable gaps, and chasing down vendors who are too overwhelmed to reply has a hard-dollar cost. This is to say nothing of the opportunity cost of executives stepping in to push through contracts that have been held up in the process.
What to do now
We encourage everyone to understand the new legal landscape, and prepare for smarter diligence. If you’re not already a member of IAB PIAT (Privacy Implementation & Accountability Task Force), you can email [email protected]. You can also contact SafeGuard Privacy here to see a demo of the IAB Diligence Platform.
The new regulations are real, and we expect them to be enforced. The most important thing to do is to start today to prepare for new state privacy law diligence requirements.