Perhaps no industry stands to be upended by the groundswell of new consumer privacy laws emerging in the U.S. and around the world than advertising technology companies.
Global privacy regulators are placing a greater emphasis on due diligence requirements for the adtech industry, such as demonstrating lawful consent for collecting and selling personal data. This evolving regulatory scrutiny on the privacy practices of a given adtech entity and its third-party partners is creating more of a compliance headache for industry stakeholders.
To help adtech firms prepare for the increasing due diligence demands on their data collection practices, the Interactive Advertising Bureau partnered with compliance vendor SafeGuard Privacy to develop a legal compliance tool called the IAB Diligence Platform.
As part of the solution, members of the IAB's Privacy, Implementation and Accountability task force — along with leading privacy lawyers, publishers and advertisers — are developing diligence questionnaires that are stakeholder-specific to each entity's role within the adtech ecosystem, whether they are a publisher's diligence of a supply-side platform or an advertiser's diligence of a demand-side platform. SafeGuard Privacy customers and IAB members who license the diligence platform will be able to complete all of their diligence questions and make them available through the platform to other stakeholders to satisfy such requirements under global privacy laws.
"If you look at the different privacy laws themselves, what you see is an increased focus on the concept of accountability; accountability for your own actions, your own processes and procedures, as well as those of your partners," IAB Executive Vice President and General Counsel Michael Hahn told the IAPP.
While the language of the California Consumer Privacy Act, according to Hahn, states you're not responsible for the wrongdoing of your partner unless you know, or reasonably should know of their wrongdoing, the California Privacy Protection Agency's new diligence rules change that landscape. Companies can now be held responsible for the wrongdoing of their partners if they have been deemed to have conducted insufficient diligence on their partner's uses of personal data.
"That is a big change in the law," Hahn said. "And that was intended to increase the role and responsibility of controllers, like publishers and advertisers, where they're disclosing personal information to their partners."
In the existing adtech ecosystem, SSPs and DSPs may have their legal teams draft requests for information to issue to their other adtech partners. However, SafeGuard Privacy co-founder and CEO Richy Glassberg indicated the information sought and provided was generally dated and would not meet third-party vendor diligence requirements. Additionally, diligence questions asked in the RFI are typically not specific enough to a given entity's role within the market and could result in nonresponses for diligence inquiries.
"So, what happened? Nobody answered, or even worse, there would be a junior person at a publisher at one of these companies with a salesperson who's trying to sell the advertising just fill out the RFI," Glassberg said. "So you had a system that was not meeting the obligations under the law and put both parties at risk."
Hahn added that the adtech industry's prior shortcomings for due diligence was "not resulting in unlawful conduct." However, less comprehensive diligence measures could leave adtech partners on either end of a contract exposed to legal liability with regulators.
IAB's ultimate goal is to eventually have all its members use the Diligence Platform. Hahn said as the IAB task force continues to build out the full questionnaire on the Diligence Platform, the first major tranche of business-specific questions will be added within the next two months.
"There's an opportunity to advance privacy through asking the right questions that are tied to law, that are tied to the actual data flows and to do that more efficiently," Hahn said. "The beauty of the SafeGuard Privacy platform is its efficiency. If everyone is on the platform, and everyone has their own secure instance within the platform, they can fill out the questionnaire once and then share it with partners as they do deals with them."
In terms of integration, the Diligence Platform is compatible with any privacy program management solution, flagging any potential legal violations and present remediation solutions. The platform is also able to be audited for compliance.
"We're agnostic to any tool our customers use," Glassberg said. "(The platform) is all permission based. Customers can go through it with its review capabilities, so that their external counsel or their internal counsel can review everything and approve every answer."
Davis+Gilbert Partner Gary Kibel, CIPP/US, said while due diligence requirements are not yet mandated under most privacy laws, they are still "very strongly suggested" under a state privacy law, such as the CCPA. He said whether or not such diligence ever becomes a legal requirement under a given privacy law, being able to demonstrate that it was conducted to the best spirit of law is a wise business practice.
"It'll be great to get to a place where there is one system for compliance and the diligence questions are appropriate for the type of business you are," said Kibel, whose firm is a SafeGuard Privacy customer. "What SafeGuard Privacy does right now is that their assessments test you against the black letter of the law, and that is the foundation that the adtech-specific questions are built on."