Data Transparency Laws Are Coming. Are You Ready to Disclose?

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.

Sir Francis Bacon is often credited with the phrase, “Knowledge is power.” It is commonly believed that people are better able to make informed decisions when they have all the information necessary to evaluate their options.

US lawmakers are starting to believe the same applies to privacy and data. If people better understand what data has been collected about them, then they are better positioned to determine how that data should be used and whether they want a company to retain that data.

Welcome to data transparency.

California passed the first significant data transparency legislation in 2003. Its “Shine The Light” Law requires companies to disclose to a consumer what personal information has been shared with a third party for that third party’s own direct marketing purposes. Fortunately, the definition of personal information under that law only included items that would traditionally be considered personal, such as name, email address or telephone number. It did not include broader items such as persistent identifiers. 

Data transparency did not gain much traction until the EU’s General Data Protection Regulation (GDPR) forced companies to put in place processes and procedures to comply with data subject access rights requests that are more comprehensive and harder to satisfy.

Now, data transparency is coming to a state near you. The California Consumer Privacy Act of 2018 (CCPA) contains data transparency obligations that require covered businesses to disclose to a consumer upon request the specific pieces of personal information collected and the purposes for which they were collected.  The data must be provided in a portable and readily usable format.

As you may have heard, the definition of personal information under CCPA is very broad and includes IP addresses, browsing history, geolocation data and even “inferences” drawn from such data for profiling. While CCPA has sucked all the air out of the room, other states are getting into the act.

Washington State has proposed the Washington Privacy Act. The act would bring GDPR-type requirements, including comprehensive data subject access rights, to Washington State. New York State has proposed the Right to Know Act of 2019, which would provide consumers with more transparency and control over the collection and use of their personal information, as well as data access. Vermont has already enacted a data broker regulation that requires data brokers to register with the state.

The ad tech industry is big on process and procedures. There are processes and procedures for exchanging RTB bid requests, allowing consumers to opt out of behavioral advertising and for API calls.

However, most companies are unprepared to tell an inquisitive consumer what data they have about that consumer, such as tracking cookies, device IDs and other persistent identifiers. If a consumer sends a US ad tech company an email today asking for a detailed list of such data and the purposes for which it was collected, the ad tech company would likely struggle to respond. Just imagine receiving thousands of such requests and your organization frantically trying to respond.

The time is fast approaching for industry members to develop and implement new processes and procedures to quickly and completely respond to these types of data transparency requests.

Follow Gary Kibel (@GaryKibel), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.

This post was syndicated from Ad Exchanger.