Media companies and online businesses must comply with abundant diverging privacy and data protection law requirements across jurisdictions. With respect to targeted advertising, companies face particularly complex rules on opt-in consent and opt-out requirements. Smaller and newer businesses often find this exceedingly challenging, as they rely on advertising technology services and data brokerages to compete with more established companies, which have more — and more direct — consumer relationships and data. Accordingly, smaller businesses depend less on third-party data sharing and unsolicited marketing communications that trigger regulatory requirements and scrutiny.
Under the EU General Data Protection Regulation, for example, a news site operator wanting to serve interest-based advertisements must obtain express, affirmative, specific, informed and voluntary opt-in consent before placing cookies and using that personal data for marketing. If it wants to bolster its own data with mailing lists and information from third parties, the operator may need to notify data subjects and confirm that the third party obtained consent.
In practice, companies prompt users for consent regarding cookies with banners, offering “accept all” and “reject all but necessary” choices and unchecked boxes regarding marketing emails or newsletter subscriptions, with an additional “double opt-in consent” confirmation in Germany.
If a business prompts consumers in California with such consent requests, however, it may violate the requirement of waiting at least 12 months following an opt-out before asking for authorization for selling or sharing personal information for cross-context behavioral advertising. Instead, the business must recognize universal opt-out signals and offer opt-outs for certain disclosures of personal information and email marketing, which an EU-style “cookie banner” cannot achieve — as the California Privacy Protection Agency expressly notes in §7026(a)(4) of its regulations.
Smaller companies often lack the resources to fully localize their disclosures and opt-in/opt-out mechanisms for each jurisdiction and every adtech service. Even with a “highest common denominator approach” — complying with the strictest data privacy requirements — they may fail on different particulars in some jurisdictions given increasingly prescriptive and intricate requirements.
Practically, businesses may forgo using new adtech features and return to contextual advertising or paid services or operate only on larger platforms that cover most compliance requirements. But many smaller and newer companies believe this may stymie their competitiveness.
Alternatively, businesses can develop risk-based approaches to address requirements under the laws most likely to be enforced against them. Considering the fast-moving regulatory landscape, a risk-based approach may improve a business’s ability to handle vast amounts of personal information in a more informed, structured and accountable way. It requires an understanding of applicable requirements and careful monitoring of the enforcement landscape through five key analyses.