On 18^th January, ID5’s ‘Identity 2023’ event took place where our Chief Privacy Officer, Fiona Campbell-Webster spoke with Joe Quaglia, VP Sales & Business Development on how the changing privacy landscape is affecting digital advertising.

The event also features other speakers from multiple companies to give you new and exciting content surrounding a theme that sits at the very foundation of data-driven advertising: user identification. Looking at test results, which identification solutions are coming out on top, what’s going on in CTV, and more, Identity 2023 can you help you identify how to best structure your identity strategy for this next chapter.

Watch the full video on the link below or skip ahead to Fiona’s section which is at 2:40:06

The ways in which companies use customer data and the laws surrounding its use are constantly evolving to provide greater protection for consumers and their data. However, it has also been revealed that when customers have trust in a brand to use their data well, they are open to providing more information. 

 Our Chief Privacy Officer, Fiona Campbell-Webster, recently sat down with Greg Kihlström from The Agile Brand to discuss the importance of consumer privacy in fostering stronger relations between platforms and customers. 

 Listen to the full podcast episode on The Agile Brand website here 

Somewhat surprisingly, and certainly with very little pre-warning or fanfare, the Litigation Chamber of the Belgian APD has approved the compliance plan put forward by IAB Europe to remedy certain deficiencies in the Transparency and Consent Framework (TCF) aligning with GDPR. In fact, the update was a postscript to the APD’s press release dated 2 February 2022. Read in to that what you will, and you can read here.   

There were (and still are) some fundamental points which need to be determined, and which have been referred (at the APD’s request) to the CJEU: is the consent string generated by the TCF personal data and does the IAB in administering the TCF act as a joint controller. Implementation of a compliance plan may be impacted by the outcome of CJEU proceedings, and given that the IAB only have 6 months to implement the plan you can understand their mixed response to the update. 

 Townsend Feehan, CEO of IAB Europe, had the following comment.  

“The validation of IAB Europe’s action plan confirms the legality of the TCF as a standard that can help digital publishers and their partners comply with certain provisions of the GDPR and ePrivacy Directive. However, it is important to bear in mind that implementation of the action plan – which IAB Europe is now being required to effect over a period of six months – would entail operating changes for TCF participants that may ultimately be found inadequate by the European Court.”   

The full reaction is available here. 

 No doubt, positive news for AdTech – but as this blog post is written by a lawyer, let’s keep the lemonade on ice just for now as much is still to happen. The prize on the horizon is wonderfully clear – a regulator ratified framework for digital advertising in Europe. As the IAB notes, progress thus far has been possible due to industry collaboration and that momentum should continue. When life gives you lemons, make lemonade. 

James Kerr is MediaMath’s Senior Counsel and DPO for EMEA and APAC 

This year, new privacy laws will come into effect in Colorado, Connecticut, Utah, Virginia and California, where the existing California Consumer Privacy Act will be replaced by an even more comprehensive California Privacy Right Act (CPRA). 

Our Chief Privacy Officer, Fiona Campbell-Webster, recently spoke with Digiday to discuss how the California Privacy Right Act will reshape U.S. privacy compliance in 2023. 

Read the full article and watch the interview on Digiday here 

PART 2 – EU, UK 

This PART 2 of our client privacy newsletter is filled with information to help our MediaMath clients prepare for multiple changes coming in global privacy laws in 2023. Part 1 was with a focus now on preparation for compliance with 5 new US State Laws, some of which are in force from 1 January 2023.  This Part 2 is focused on EU GDPR requirements and most importantly international data transfer requirements. 

EU 

GDPR & E-Privacy 

Relatively stable however what we are now seeing are privacy activists testing the boundaries of the legislation, successfully claiming against “Big Tech”. This naturally percolates through the industry. 

IAB EU TCF: At MediaMath, we have been at the forefront of integrating privacy into our technology. As an example, we were an author of initial specs to the IAB’s TCF (The Consent Framework), which is key to standardizing how a legal basis, such as consent for personalized ads, could be conveyed to all parties.
 

Proceedings between the IAB and the Belgian Data Protection Authority (APD) have been heard by the Market Court (which is part of the Brussels Court of Appeal). For background on the origins of these proceedings please refer to our blog post here. On 7 September 2022 an interim ruling was handed down referring preliminary questions to the Court of Justice of the European Union (CJEU). The exam questions – how the concept of data controllership in the GDPR is to be interpreted in this case (are the IAB an independent controller) and whether the TC string (the string of code containing user preferences) is, in and of itself, “personal data”. No trifling matters there! 

There are positive and negatives from this interim ruling. Proceedings are unlikely to be concluded until late 2023 or even in to 2024 – creating a limbo period. IAB are clarifying that the hiatus in Market Court proceedings also means a stay on enforcement of the APD’s decision until the appeal is concluded. MediaMath assumes so. The key benefit as we see it is that views will be taken from all European regulators as well as the involved parties. That should result in consensus on the fundamental questions at stake, much like the CJEU’s determination on IP address as personal data. Expect much discussion over the next 12 months but be assured we will keep you up to date. 

You can read the IAB’s update on the ongoing proceedings here. 

UK GDPR 

Following the UK’s exit from the European Union, the UK Government has transposed the GDPR into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order account for its status as a national law of the United Kingdom.  

The changes set out in the Data Protection and Digital Information Bill, July 2022 range from relatively minor adjustments to significant legal changes. The intent seems clear – create separation from previous and future EU interpretation of laws and regulations, putting the interests of the UK first. The resulting legislative framework for UK citizens is the Data Protection Act 2018 and a slimmed down GDPR. The separation may also result in data protection adequacy status being revoked by the EU. We will see. 

We could dedicate an entire newsletter to the UK GDPR v EU GDPR analysis but we shall resist the temptation: instead, it is worth focussing on two aspects which may have an impact in industry. 

The Purpose Limitation Principle has been broadened, with legal tests to determine compatibility with new uses of data collected. Furthermore, legitimate interest is very much at the forefront (which is interesting in the light of the APD’s view on legitimate interest in AdTech, shared by many EU regulators). Certain data processing activities have been deemed to meet the legitimate interest balancing test meaning no requirement for a legitimate interest assessment. In summary the changes aim to facilitate business, putting UK interests first. Noble causes, but at odds with European counterparts.                                                                                                                                                                                                                      

Read More: U.K: Some nice training videos and materials for businesses to use from the ICO UK here. 

EU SCCs vs Privacy Shield 

MediaMath certifies to Privacy Shield but does not use this as a transfer mechanism for the time being.  

Standard Contractual Clauses (SCCs)/UK International Data Transfer Agreement 

It is no longer possible to simply ”paper” a data transfer: before any transfer is carried out, transfer impact assessments are required. You, as our clients, have a right to expect these are done when we act as custodians of your consumers’ personal data and we take that responsibility seriously. We welcome the changes that came out of the Schrems II case, as it is absolutely right that data exporters consider not just the recipient of data but the destination of that transfer. 

In the UK, the EU’s (perceived) restrictive data transfer position has been replaced by a more flexible approach. Data exporters can pick n mix from Adequacy Regulations, UK SCCs, UK Binding Corporate Rules, or derogations for special situations. UK SCCs are likely to be the preferred method (they are for MediaMath), and both the guidance and templates issued by the ICO are very user friendly – bravo ICO. You can take a look for yourselves here. 

“Direct Marketing” gets some consideration under the Privacy and Electronic Communications (EC Directive} Regulations – referred to as PECR. The use of cookies without consent has broadened, which yet again is at odds with the European disposition. Marketeers may rejoice: however, the complexity of dealing with jurisdictional differences for global businesses is significant and at the forefront of MediaMath’s privacy team given our position as a leading global DSP. We believe that to be a strong USP for our clients and partners.  

WHATS NEXT? MediaMath Legal & Compliance will be reaching out and following up with further information on the new contractual requirements as a result of data transfer requirements of the EU and UK.  

WHAT ABOUT COOKIES VS IDENTITY SOLUTIONS? 

This privacy laws briefing is focused on upcoming privacy laws and contractual and technical solutions. The information is generally applicable to all data defined as “personal data” or “personally identifiable information” that governs the collection, processing and transfer of existing identifiers such as cookies and MAIDs and also of new ID solutions, both probabilistic and deterministic, and we do not discuss the pros and cons of any of these technologies in this article. 

Watch This Space 

Much of what happens in the privacy space in industry is reactive in response to legislation, but it is also worth keeping an eye on the more innovative aspects on the horizon. One such area is the meeting of the G7 on ‘Data Free Flows with Trust”. As a global business we are very much for alignment cross jurisdiction, especially where initiatives have trust and transparency at their core. MediaMath will certainly follow this one closely and keep you updated as things progress. You can dive into the detail here. 

The EU courts have backed the antitrust fine against Google, albeit at a lower amount (that amount still being in excess of 4.1Bn Euro). This could pave the way for class action claims, and with the Digital Markets Act soon coming in to force it is clear that there are increasing market restrictions on how Big Tech operates. 

MediaMath will focus on the APAC region in further updates but just to show that the focus on Big Tech is not just in Europe, worth noting that South Korea’s DOA has fined Google and Meta a combined 100Bn won ($72m) for tracking consumers’ online behaviour without consent and using their personal data for targeted advertising. An appeal is likely, Watch This Space. Read more about the fines here. 

DISCLAIMER: Please note this article is for informational purposes only and does not constitute legal advice. Clients should consult their own legal advisors about their specific compliance requirements.

by Justin Adler-Swanberg, Director, Marketplace Quality 

 

MediaMath has consistently been at the forefront of efforts to support trust and transparency in the digital advertising ecosystem.  

Early in 2020, at the start of the covid pandemic and later in the spring of that year with the response to the death of George Floyd and the Black Lives Matter movement, it became clear that taking a position on the prevention of misinformation and disinformation, while at the same time supporting and avoiding over-blocking quality news content, became an important way that MediaMath could help its clients and provide a social benefit. Through our Purpose Driven Advertising initiative we focused on providing tools for clients to both prevent the spread of misinformation and disinformation as well as engage with trusted news sources. Read more in MediaMath Blog on Project Purpose Drive Advertising. The importance of this position became even clearer with the events of January 6. Read more in MediaMath Blog Stop Financing Misinformation and Disinformation Fueling Chaos.  

Combatting The Rise of Misinformation and Disinformation 

2022 has seen expansion and greater public awareness of and engagement with issues of trust and transparency, particularly in relation to misinformation and disinformation. At the recent RSA Conference earlier this summer in San Francisco, which is a conference more typically focused on cybersecurity, disinformation and “information disorder” was the topic of the final keynote speech . This shows how broadly identified it has become as a threat vector.  

Why has it become important? 

There is significant social harm attached to both misinformation and disinformation. This is harm that directly affects the end user or consumer in the ad ecosystem, as well as society at large. Companies positioned to facilitate or prevent the spread of misinformation and disinformation will find it harder to simply remain neutral bystanders on the sidelines as activists, reporters, politicians, and the general public increasingly scrutinize the role that advertisers and platforms play in the dissemination of harmful misinformation and disinformation. This spread represents a Brand Safety risk to advertisers with which they might be associated through monetization of misinformation and disinformation content, and it also represents a Brand Safety and business risk to any company that is viewed as participating in or facilitating the spread, including the providers of advertising technology infrastructure who may be more used to a lower public profile.  

What can advertisers do? 

Misinformation and disinformation represent challenges since there is no universal methodology to assess them, and there is no one central list of misinformation and disinformation sources and bad actors. This means that vigilance and a pro-active approach is required. It becomes incumbent upon parties to take responsibility to ensure that they take a clear position against misinformation and disinformation as well as craft policies to define this position and actions to be taken to prevent the monetization and propagation of misinformation and disinformation, as well as to utilize and make available prevention resources and tools. The tools to stop misinformation and disinformation typically fall within the category of Brand Safety protections, often provided by various contextual data providers.  

In 2020 we learned the value and importance of new developments in machine learning approaches to contextual targeting in the efforts to avoid broad-brush blocking such as older keyword blocking approaches and use more targeted customized solutions that would allow the prevention of specifically undesirable content while permitting important and valuable news content, which also helps prevent misinformation and disinformation. In parallel we saw the rise of Brand Suitability, a conceptual expansion beyond Brand Safety promoted by the 4As and GARM (Global Alliance for Responsible Media) to create the GARM Brand Safety Floor and Brand Suitability Framework. Recently, GARM announced the expansion of this framework to encompass protections against misinformation. 

MediaMath Takes a Stand and Provides Solutions 

In late 2020, we began our ongoing partnership with the Global Disinformation Index, aka GDI, an organization that attempts to confront the challenges regarding the lack of universal disinformation standards by leveraging an approach that identifies what they refer to as “adversarial narratives”. The benefit of this approach is that it seeks to create a method of analysis that avoids bias based on things such as political viewpoints. MediaMath incorporates sites identified as high risk by GDI into our Universal Block List which provides protection across our network to all clients.  

The value of this partnership was shown earlier this year, when Russia invaded Ukraine in February. Immediately the ongoing issue of state-sponsored disinformation came to the fore, and many information sources came under more serious scrutiny. It had long been known that certain sources represented outlets for state-sponsored disinformation, but suddenly it became critical for advertisers to identify and remove such outlets from their media mix. Fortunately, through MediaMath’s partnership with GDI, we had long since included such known state-sponsored disinformation bad actors in our Universal Block List, so that when this issue suddenly gained widespread attention, MediaMath already had a robust protection in place covering all our clients. 

Additionally, MediaMath provides protections against misinformation and disinformation while also fostering quality news by working with Newsguard via data segments provided by contextual partners such as Peer 39 and ComScore. The benefit of Newsguard’s approach is that it also seeks to find an objective approach to combatting the spread of misinformation and disinformation through the application of journalistic standards in the evaluation of news sources. 

Ongoing protection can also be found on the MediaMath Platform via Brand Safety partners such as Oracle (which has also partnered with the Global Disinformation Index), DoubleVerify, Integral Ad Science, and Semasio. A number of our contextual providers offer segments that leverage GARM’s Brand Safety Floor and Brand Suitability Framework, and these are available to all of our clients to select. Read more about Brand Safety and Brand Suitability and the MediaMath Platform.  

Europe Enhances Protections Against Disinformation 

Starting in late 2021 and through 2022, MediaMath by invitation of the IAB EU and the European Commission (EC) participated with numerous other stakeholders across the digital ecosystem, including well-known online platforms, in working groups chaired by the EC and overseen by a neutral “honest broker” focused on crafting a revision to the 2018 Code of Practice on Disinformation, a voluntary self-regulatory framework. The purpose of this was to come up with a broader document to meet the current times and the diversity of different players that make up the global digital environment, with a goal to enhance policies, tools, transparency, and other efforts to demonetize and further prevent the spread of harmful misinformation and disinformation. MediaMath focused its efforts on sections related to the scrutiny of ad placements as well as political advertising, two areas which particularly pertained to online advertising and the services MediaMath offers. The outcome of this was a strengthened 2022 Code of Practice on Disinformation, to which MediaMath was proud to be a signatory as a reflection of our strong commitment. More information about the Code of Practice can be found here. 

As described in the strengthened Code of Practice on Disinformation, the European Democracy Action Plan (EDAP) defines misinformation as “false or misleading content shared without harmful intent though the effects can be still harmful, e.g. when people share false information with friends and family in good faith.” Disinformation is defined as “false or misleading content that is spread with an intention to deceive or secure economic or political gain and which may cause public harm.” Both are problematic and require efforts to prevent, and misinformation may be sourced from disinformation.  

Subsequent to the rollout of the new Code of Practice, the IAB EU very recently held its event “The Great Debate: Trust and Transparency in Digital Advertising,” in which MediaMath participated on the Disinformation panel. A recording can be viewed here. 

MediaMath is also working with the IAB EU and other stakeholders to contribute to a Guide to Disinformation, which is currently being finalized for distribution in the near future. 

Enhancing and Supporting Transparency in Political Advertising 

As previously mentioned, political advertising is one of the areas in which MediaMath contributed to the Code of Practice, which is consistent with MediaMath’s pre-existing commitment to transparency in the political advertising space. In order to provide the public with the information it needs to make informed decisions, it is important to maintain baseline transparency standards with regard to political advertising. To this extent, as part of MediaMath’s ongoing partnership with the Digital Advertising Alliance (DAA) and the Digital Advertising Alliance of Canada (DAAC) and adherence to the principles of these organizations, MediaMath supports and requires the use of the purple Political Ads icon for political advertising in the US and Canada. This icon provides consumers with a way to easily link to and see background information on the source of political advertising. To facilitate this for our clients, we provide an easy way to opt-in to the Political Ads icon within the MediaMath platform and with minimal effort. For more information on this, please contact your MediaMath representative. The DAA recently put out an informative blog post to describe their efforts. 

MediaMath’s close partnership with the DAA/DAAC on political advertising is reflected in a recent webinar the DAA put together with Venable LLP,  MediaMath, and Campaigns & Elections magazine which can be viewed here. 

Read about the DAA Self-Regulatory Principles in relation to political advertising and the DAAC’s companion Political Ads Principles & Guidelines.  

Future Developments 

By the beginning of 2024 a new level of transparency regarding all advertising in the European Union will be expected to be adhered to as part of the EU’s new Digital Services Act. Discussions are ongoing with the IAB EU and various stakeholders including MediaMath regarding the precise form and mechanism of compliance that will be needed, however some baseline transparency regarding the source of the advertisement (on whose behalf the ad is displayed) and information about how the recipient of the ad was determined will be among the required disclosures. As with our other transparency efforts, MediaMath is working to stay abreast of these new developments. 

Trust and Transparency  

As you can see from all of the above, trust and transparency remain key elements of MediaMath’s offerings to clients and positioning in the larger ad ecosystem. We are proud of our commitments to the fight against misinformation and disinformation, the support of quality news, and the enhancement of transparency in advertising. We are uniquely positioned to not only provide the best protections and support for our clients, but to also contribute to the larger social good that these initiatives enhance. We will continue to remain your trusted partner as these topics continue to evolve in the future. 

PART 1 – NORTH AMERICA – US LAWS (STATES AND FEDERAL), CANADA 

US States Privacy Compliance:
From Jan 1, 2023, we will have the beginning of five new US state laws which all have similar definitions of what constitutes “personally identifiable information” which includes persistent IDs used in AdTech. 

• In 2018, the California Consumer Privacy Act (CCPA) was a turning point for US state privacy laws. The California Privacy Rights Act (CPRA) has since been passed, extending and amending many of the CCPA’s provisions.  
• In 2021, Virginia and Colorado passed their own privacy laws, the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) respectively.  
• In 2022, Utah passed the Utah Consumer Privacy Act (UCPA) and Connecticut passed the Connecticut Data Privacy Act (CTDPA). 

As more states introduce privacy laws, organizations must be aware of, and able to manage, the varying provisions which can make cross-state compliance complicated.  

US States Priority What’s needed Now, Next, Later for 2023 (with some links to IAPP resources)  

• Priority Now: California (CCPA & CPRA) | will be in force 1 Jan 2023 
• Priority Now: Virginia (VCPDA) | will be in force 1 Jan 2023 
• Priority Next: Colorado (CPA) |will be in force 1 July 2023 
• Priority Next: Connecticut (CTDPA) | will be in force 1 July 2023 
• Priority Later: Utah (UCPA) | will be in force 31 December 2023 

Listen to AdExchanger Podcast interview with MediaMath CPO “Doing the Math on Privacy Compliance”  

CPRA: The NAI submitted written comments to the California Privacy Protection Agency (CPPA) in response to their proposed CPRA regulations. 

US State Laws comparison: Resource on US State Laws comparison from partner Sourcepoint 

California recent enforcements:  

The recent California AG’s enforcement action against Sephora which resulted in a $1.2 million civil penalty “marks a considerable uptick in risk”. The attorney general is focused on online tracking and on implementation of and compliance with global opt-out signals, such as the Global Privacy Control. The complaint alleged that Sephora disclosed its use of online tracking technology but not the sale of personal information, that the privacy policy incorrectly stated “we do not sell personal information,” and the company did not offer an opt-out of sale by any method. The complaint also charged Sephora with failing to respond to user-enabled global privacy controls (GPC).  

Why does this matter to marketer clients?  

• Global Privacy Controls 

It is important for marketers to continue to monitor developments on opt-out preference signals, which are addressed in greater detail in the CPPA’s draft regulations. Ensure your technology team fully recognizes the new opt-out requirements. The “frictionless” opt-out approach (recognizing opt-out signal preferences) may have challenges. You should understand how the business can practically implement this approach. Alternatively, you may choose the alternative approach of including links to allow consumers to opt-out. This AdExchanger article encourages marketers to be proactive in thinking about privacy, data collection and governance, stating that “by embedding privacy considerations into their larger business strategies, companies can build longer, more loyal relationships with customers.” Following learnings from the Sephora settlement, this article from the IAPP offers some helpful practical steps for clients to take for CCPA compliance. https://iapp.org/news/a/ccpa-enforcement-action-a-case-study-at-the-intersection-of-privacy-and-marketing/ 

Read More  

• Future of Privacy Forum Comments to the California AG on Global Opt Out signals
• Commentary from Odia Kagan CA AG 2nd Year CCPA Enforcement Report is out!

Privacy Policies, Privacy Notices, Cookie Policies
Clients should now start reviewing and updating disclosure documents on their sites and digital properties, as the new US State privacy laws and rules will require many changes, such as what are the categories of data disclosed to third parties. In the Sephora complaint the State alleged that: “Sephora did not tell consumers that it sold their personal information; instead, Sephora did the opposite, telling California consumers on its website that ‘we do not sell personal information.’”  Clients should reassess whether their online tracking practices result in CCPA sales and also whether or not analytics warrant treatment as a service provider offering. 

Read More:  

• https://www.jdsupra.com/legalnews/california-attorney-general-s-first-5529031/ 
• https://www.natlawreview.com/article/first-california-consumer-privacy-act-enforcement-action-and-settlement 

Compliance Approaches to US State Laws 

• Contract updates will be required  

Clients should start now reviewing the updated definitions and practices for compliance with US State Privacy Laws which contain new contractual requirements regarding data, requirements that will need to be integrated into both new and existing contracts. For example, under the CPRA Regs there is now a complete ban on a business (client) sharing California user data to a service provider for the purpose of cross-contextual advertising, which is common today, and so we will need to make appropriate contractual updates to accommodate compliance with these changes. 

 MediaMath will be reaching out to existing clients with an addendum including appropriate contractual terms to address these new US State Privacy Laws requirements. 

• Industry contracts may solve some challenges – IAB US Multi-State Privacy Agreement (MSPA) 

Advertisers have increased obligations of accountability under CPRA and the IAB US recommend that everyone in the RTB chain (including advertisers) should be signing up to the MSPA so we have a common framework and can scale the contractual privacy and privity requirements. The MSPA covers contract requirements between first parties (Publishers and Advertisers) and downstream participants (SSPs and DSPs, also adservers and other vendors in the RTB chain). 

• Technical signals: IAB Tech Lab Global Privacy Platform (GPP) 

The industry must comply with several forthcoming state privacy laws (i.e., CA, VA, CO, UT, CT), with California and Virginia’s privacy laws becoming effective on January 1. Tech Lab plans to support state-level privacy signaling for each of these states in the GPP only and will not be available using the existing USP API. Therefore, to support signaling for the new changes to California’s privacy laws and the other state privacy laws, GPP must be adopted. https://iabtechlab.com/gpp/. IAB Tech Lab will not officially deprecate the USPrivacy String until later in 2023, it can only accommodate opt-out of sales in California, but not California opt-outs relating to cross-context behavioral advertising and sensitive personal information (including personal information about minors). These proposed changes to the USP API materially impact the industry. 

Read More: An Explainer for GPP from IAB Tech Lab: 

PRIORITY NEXT: KEEP A WATCHING BRIEF ON POSSIBLE FEDERAL PRIVACY LAW CHANGES. 

US Federal proposals:  

• The American Data Privacy and Protection Act (ADPPA) 
• What Is It? The ADPPA is an attempt by Congress to bring harmonization and pre-emption to US state laws and provide comprehensive federal data protection. Read more on progress of ADPPA 
• Will it become law? This is the closest ever bi-partisan effort to propose federal privacy protections in the US. It is possible but still not probable, especially after Nancy Pelosi said she wouldn’t support it in its current form.  Read more on AdExchanger  
• Is it a good idea for digital advertising? It could provide much needed clarity on what is required for US data protection compliance for businesses and greater clarity regarding consumer data rights. The bill diverges from a consent-based privacy structure (collection is generally allowed, so long as the user consents to it) towards a data minimalization one (a company cannot collect any more data than they reasonably need, as defined by statute). It provides for 17 purposes where collecting data is deemed necessary and permitted. This includes targeted advertising, but in a more limited form. Additionally, users would be allowed to opt-out of targeted advertisements (requiring more consumer-friendly language than other major laws) and appoints the FTC to create a universal opt-out standard. 
• What are the key issues that challenge digital advertising? Targeting ads towards minors and those using “sensitive covered data” (which includes health, financial, precise geolocation, sexual behavior, biometric, and racial data, among other types) would be banned. Of greatest relevance to the digital ads industry is that the definition of sensitive covered data was unusually expanded to include internet browsing history overtime and across third party websites or online services. Industry bodies such as Privacy 4 America have objected to this and warned about the potential harmful consequences to the US data driven economy. 

• Federal Trade Commission (FTC) S5 & ANPR  

The Federal Trade Commission issued an Advance Notice of Proposed Rulemaking (ANPR) seeking feedback about whether rules are needed to protect people’s privacy and information, how to balance costs and benefits of current practices under S5 unfair and deceptive practices, and how, if at all, the FTC should regulate harmful “commercial surveillance” (described broadly by the FTC as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information”). 

• Why does this matter to digital advertising? The terms “commercial surveillance” and “surveillance advertising” have been frequently used over the past year by advocates looking to restrict or even ban targeted advertising. 

Read More on FTC ANPR:  

• The Network Advertising initiative (NAI) issued a statement calling “surveillance” a loaded term to describe established business practices that benefit consumers, small business, and a competitive marketplace.  

• A couple of clear articles discussing the FTC ANPR on privacy issues. This will take a long time so there is no immediate impact on privacy compliance requirements or changes to current FTC S5 enforcement under unfair or deceptive practices.
  https://www.adttorneyslawblog.com/ftc/nine-things-you-should-know-about-the-new-ftc-rulemaking-on-privacy-and-targeted-advertising 
• https://www.adlawaccess.com/2022/08/articles/the-ftcs-privacy-rulemaking-broad-and-far-reaching-but-unlikely-to-lead-to-a-rule-anytime-soon/ 

CANADA 

IAB Canada TCF is Ready 

The IAB Canada TCF (The Transparency & Consent Framework) is similar to the IAB EU TCF, where it ensures privacy signaling for various parties in the programmatic chain.  In short, when MediaMath bids on a bid request, we need to ensure that the user has received the proper disclosures and has given the proper level of consent in order to bid for an ad.  The TCF is the signal that informs MediaMath whether or not that has happened.  The IAB Canada TCF is very similar to the EU TCF, in that it outlines similar purposes for data collection, including generalized ads, personalized ads, and measurement.  The bases for collecting data fall under either express consent or implied consent. The IAB Canada TCF will be rolled out as part of the IAB’s Global Privacy Platform, which will standardize the way privacy signaling in the programmatic chain can be exchanged across partners. 

WHATS NEXT?  

MediaMath Legal & Compliance will be reaching out and following up with further information on the new contractual requirements because of new US State laws.  

WHAT ABOUT COOKIES VS IDENTITY SOLUTIONS? 

This privacy laws briefing is focused on upcoming privacy laws and contractual and technical solutions. The information is generally applicable to all data defined as “personal data” or “personally identifiable information” that governs the collection, processing and transfer of existing identifiers such as cookies and MAIDs and also of new ID solutions, both probabilistic and deterministic, and we do not discuss the pros and cons of any of these technologies in this article. However, we have some links for information from our privacy team that discuss how the laws will apply to IDs post third party cookies. 

Webinars: Our Chief Privacy Officer Fiona Campbell-Webster, was a panel speaker for the ID5 Identity 2022 Event on Consent Post Third Party Cookies,  

Guides: Ferdinand David, VP, Product Policy & Compliance Lead, and James Kerr, Regional Counsel and Data Protection Officer, EMEA and APAC, contributed to IAB Europe‘s updated “Guide to the Post Third-Party Cookie Era.” Covering the latest on alternatives and best practices ahead of the end of third-party cookies.  

DISCLAIMER: Please note this article is for informational purposes only and does not constitute legal advice. Clients should consult their own legal advisors about their specific compliance requirements. 

Where are we now in the global digital advertising privacy landscape?
A complex global and state level web of privacy regulations has made it a requirement that companies staff and invest in global privacy and security compliance, with an eye to the consumer. MediaMath welcomes the shift towards consumer-first privacy, we believe programmatic advertising should be conducted in transparent,  high quality media environments that keep consumer interest top of mind.  

Read More: Global predictions: Article by Gartner: Gartner forecasts consumer data protection will cover three-quarters of all people by 2024  

What’s MediaMath doing in response to these global privacy challenges?  

Future-proof our platform: We continue to future-proof our platform and global privacy and security program to support our client’s, partner’s and vendor’s efforts to do the same. But we need to scale our efforts. Due to rapidly evolving global privacy changes, we will continue to invest and increase our investment in our privacy and security programs and product resources, as well as build strategic partnerships with privacy-enhancing technologies (PETS). Read More: IAB Tech Labs work on PETS  

Trust & Transparency: MediaMath ensures consumer trust is amplified through our supply chain. We collaborate with our partnerships and ecosystems teams to enhance our privacy-first position by building partnerships with partners such as SOURCEPOINT to provide clients with “greater visibility into the quality of their media buys using commitment to privacy as a new metric.” 

Security, Scale & Efficiency: We aim to automate our internal and external privacy, security and data governance compliance wherever possible, through the use of technologies for consumer requests, targeted data discovery, data mapping and vendor data privacy impact assessments. There are ongoing reviews and improvements of MediaMath privacy and security controls and assessments (SOC 2, Risk assessments, Pen Test, etc.) to strengthen and ensure full compliance with regulatory requirements and security best practises. This includes but is not limited to the EU General Data Protection Regulation.  MediaMath also participates in programs such as TAG to help combat fraudulent and criminal activity in digital advertising.  

Industry participation: We regularly engage with industry trade groups including IAB Europe, IAB US, IAB Tech Lab, the NAI US, the DAA, DAAC and EDAA to ensure our point of view is influencing positive outcomes for our clients and the wider industry, which depends on the continued success of the digital advertising sector outside the walled gardens. We are also participating on several privacy-driven working groups, including: 

• IAB EU TCF working group: EU privacy signalling for programmatic ads 
• NAI State Policy working group:  Industry voice to shape state privacy laws in the context of advertising. 
• NAI working group for Addressable IDs: Set industry best practices for future identifiers 
• IAB US Project Crosswalk for CTV: Privacy compliance in CTV 
• IAB Tech Lab Global Privacy Platform working group:  Regional privacy signalling that will include Canada, US, and the EU 

Privacy, Security & Identity Hub: We have created a MediaMath Privacy, Security & Identity Hub on our website where you can find updates and articles on what’s happening. 

WHO ARE WE? 

MediaMath has assembled a strong privacy and security team who report into our General Counsel, Ingrid Hackett, under the Legal & Compliance team. Our global privacy compliance is headed up by our Chief Privacy Officer, Fiona Campbell-Webster, in the USA, as well our official Data Protection Officer, James Kerr in Europe and the U.K, each with clearly delineated responsibilities. Our security compliance team is headed up by Simone Wynter, Head of Information Security and Compliance, supported by Clifford Andam, Sr. Analyst, Security & Compliance. We work together with the product team along with Ferdinand David, VP, Product, Policy & Compliance, who reports to our Chief Product Officer, Anudit Vikram. We collaborate to continuously assess and refine our capability to technically comply with the legal and privacy requirements of all global applicable privacy and data protection laws. We have a clear goal to support positive business outcomes for our clients by building and scaling privacy-first security trusted programmatic journeys through transparency and choice for the consumer. 

WHAT DO WE DO? 

We help shape privacy regulations worldwide, but also conduct privacy and security risk assessments of our internal controls including vetting of all partnerships, vendors, and internal product initiatives. In addition to policy, we are well prepared to handle changing privacy and security regulations from a product standpoint, where we are agnostic and flexible to future, and embrace more privacy friendly approaches to user targeting, whether it be via first party identifiers or a more aggregated, cohort approach. We are foremost laser-focused on helping unlock revenue opportunities for our clients and drive more efficient results while strengthening our industry leadership position on privacy, security and identity. Our mission is to help the business accelerate business objectives with responsive and insightful guidance to maximize value and optimize risk, while sustaining a world-class, industry-leading privacy and security compliance culture.  

Continue reading to find out how to prepare for changes to US and Canadian law