Good morning, and thank you for the opportunity to offer comments. I commend the Office of the Attorney General for holding these important sessions. As concerns about online privacy and the safeguarding of consumer data grow in the United States and across the globe, public forums that welcome participation and opinion are essential to gathering and disseminating viewpoints on an issue that has become central to everyday life.
My name is Dave Grimaldi, and I am Executive Vice President of the Interactive Advertising Bureau. Founded in 1996, the IAB represents over 650 leading media and technology companies that are responsible for selling, delivering, and optimizing digital advertising or marketing campaigns. Together, our members account for 86 percent of online advertising in the United States. Working with our member companies, the IAB develops technical standards and best practices, and fields critical research on interactive advertising, while also educating brands, agencies, and the wider business community on the importance of digital marketing. We are committed to professional development and elevating the knowledge, skills, expertise, and diversity of the workforce across the industry.
We have long championed transparency and choice. The existing privacy regulatory framework, based in part on those concepts, has enabled tremendous growth and innovation in the modern economy, while protecting consumer privacy and giving consumers meaningful options regarding how their data will be used.
IAB’s member companies offer content and services that Americans love, and are accustomed to accessing with little difficulty, and at little to no expense. Digital advertising enables that access. Consumer data is integral to the value exchange that exists behind the free, ad-supported online ecosystem, and the responsible safeguarding of that data is a role that online publishers and ad tech companies take seriously.
However, CCPA has vividly illustrated how consumer trust of that duty has eroded, and Californians are looking for increased transparency into how their online data is used, and how it is protected. The lead-up to the enactment of CCPA, and the momentum behind it, demonstrate how curiosity changed into frustration, which then turned into action. This sentiment also took root in Europe, and led to the passage of the General Data Protection Regulation, and is also gaining traction in Congress, where members of the House and Senate have released privacy-centric bills.
We absolutely agree with the spirit of CCPA, and its guiding principles of transparency, control and accountability. Our cross-industry development of the Digital Advertising Alliance, or “DAA,” was created precisely to address those core concepts, and has gained widespread acclaim, from government and public interest groups alike. The Federal Trade Commission noted that the DAA (via its AdChoices icon) “[has] taken steps to keep up with evolving technologies and provide important guidance to [its] members and the public,” and “[Its] work has improved the level of consumer protection in the marketplace.” The DAA’s accountability programs, which include independent monitoring, self-reporting, and enforcement, go to the heart of CCPA’s foundational goals. Creating the DAA took years of cross-industry collaboration and testing, and included extensive input from consumer groups and industry leaders. A balance was achieved that provided first-of-its-kind transparency and user control, backed by an enforcement regime monitors and enforces compliance, as well as manages consumer complaint resolution. We are proud of this and other examples of smart, pragmatic, and effective self-regulation with teeth, that gives online users the control they deserve.
While CCPA seeks to enshrine these concepts toward increased consumer rights around the use of online data, the bill’s language could result in unintended consequences that could run counter to its mission of smart and pragmatic privacy protection. The need to clarify definitions, and consider their impact on businesses large and small, is pivotal to promulgating a law that preserves the responsible use of data and the online value exchange between company and consumer.
IAB looks forward to providing more detailed written comments to the Attorney General’s office, but today I would like to highlight a few issues where we feel could provide guidance and clarification to businesses in the media and marketing industries as they work to comply with CCPA.
First, it is important that CCPA’s Non-Discrimination provisions do not prevent publishers from charging a reasonable fee as an alternative to using an advertising-supported business model. There is concern that the CCPA non- discrimination provisions will prevent publishers from charging a reasonable fee to access their content for consumers who elect to opt-out. Publishers, especially small ones, rely on third-party advertising providers to generate revenue, in order to provide sought-after content. Thus, it is critical that we avoid requiring websites to grant everyone access to their digital sites, even visitors who have opted-out, without allowing for a paid alternative. Doing so would limit the ability of businesses to pursue their historic business model, and would result in lost voices across the digital medium. We ask the Attorney General to permit a business to charge a reasonable fee as an alternative to using an advertising-supported business model.
Second, it is important that CCPA provide flexibility for small businesses where consumer requests are cost prohibitive. Small and medium-sized businesses, and self-employed individuals, rely upon consumer data to improve products and services and to find new customers and business partners. Compared with larger companies, smaller businesses face significant expense in complying with consumer requests. CCPA already recognizes that a business may charge “a reasonable fee” or “refuse to act” on a consumer request when they are “manifestly unfounded or excessive.” We ask the Attorney General to interpret “excessive” to include requests that are unreasonably costly relative to the size of the business.
Third, it is important that CCPA provide the needed flexibility for businesses to verify consumer requests. In many scenarios within the digital advertising industry, businesses have limited ability to verify the legitimacy of consumer requests under CCPA. This difficulty in determining which requests are legitimate and which are fraudulent puts consumers and their data at risk from unauthorized requests. We ask that the Attorney General recognize that verifying consumer requests may take many forms, and should refrain from enforcement actions when companies make commercially reasonable efforts to verify a consumer. We also ask that the Attorney General distinguish between parties that hold data that is purely pseudonymous and that have no means of connecting it to a natural person.
I appreciate the opportunity to be able to speak to you today. We look forward to collaborating with you going forward.