IAB warns ad legislation is coming

Advertisers—don’t be distracted by the death of cookies. It’s privacy legislation you should be worried about, according to the Interactive Advertising Bureau in a report released Tuesday. It’s the sixth edition of the trade group’s State of Data report, which includes qualitative surveys and recommendations from advertisers, media buyers, and developers on advertising strategies.

More specifically, it raised red flags about “inconsistent state-level and/or poorly crafted privacy regulation” that it anticipates will make targeting consumers and measuring ad campaigns more difficult. Though the IAB declined to name specific states, the introduction of new state-level laws and revisions to current ones are “outpacing companies’ abilities to enact and adopt consistent measures and protocols,” the report read.

• Amendments to California’s California Consumer Privacy Act (CCPA) will take hold on January 1, and new privacy laws in Virginia, Colorado, Connecticut, and Utah will go into effect before the end of 2023.
• In Michigan, Pennsylvania, and Ohio, privacy laws are in committee.
• A federal privacy law is currently stuck in legislative limbo. In July, the IAB said that the proposed legislation “falls short” and would impose “heavier regulations than any state currently does.”

The “vitality of the entire digital media economy as it operates today is at stake” as a result, according to the report, and, of the those surveyed, “few seemed truly prepared for ongoing data-privacy legislation changes and the effect that these impending laws, and platform and browser changes, will have on their businesses.”

• Zoom in: Last month, Sephora got hit with a $1.2 million fine for allegedly sharing customer data with third-party analytic tools, failing to disclose it, and failing to remedy the problem, in violation of the CCPA. California initially estimated that CCPA compliance could cost businesses about $55 billion.

“Although leveraging email addresses for marketing purposes is currently privacy-compliant,” the IAB  anticipates that  email and IP addresses will “face restrictions in the future as state privacy legislation continues to evolve its definition of ‘sensitive data’ and further refines what information can/cannot be shared with third-parties for advertising purposes.” For example, California considers IP addresses (in many instances) as personal information.

“It’s not just for the legal and compliance team to work on this, but also marketers, ad ops people, [and] analysts need to understand what those changes are because it’s going to impact their day-to-day responsibilities,” Angelina Eng, VP of measurement and attribution at the IAB, told us. Though not a legislative change, she pointed to Apple’s iOS 14.5 privacy update as something that has significantly impacted data privacy. Meta said the move will cost it an estimated $10 billion this year.

To navigate the space, advertisers are having to think about whether they want to take a more conservative “one-size-fits-all” approach or tailor data-collection practices to individual state laws, which could be more onerous, Eng said.

Advertisers should also be clearer to consumers about all that sweet, sweet data they’re collecting, the IAB suggests.

“It’s not enough to simply offer them an option to opt-in to ‘cookies’ (a term they likely don’t understand) or expect them to read complex legal policies,” the report states. “Companies need to provide users with a clear opportunity to select the types of data they are willing to allow for business purposes, including advertising.”

+1: To help the industry transition away from tracking tools like third-party cookies, the IAB has backed industry efforts like seller-defined audiences, but as the report notes, “buy-side awareness is currently low.”