Starting in 2023, five U.S. states (California, Virginia, Colorado, Connecticut and Utah) will require companies to offer an opt-out on the collection and sale of personal data, as well as targeted advertising. California’s new regulation amends and expands on the requirements of CCPA, while the other four represent an entirely new set of obligations.

A new approach to consent

U.S. data privacy laws are currently built on an opt-out model, meaning personal data can be collected and processed unless the individual indicates otherwise.

However, many new laws require companies to provide notice at the time data is collected.

The new laws take effect throughout the year, and while all five state laws feature similar language, their requirements differ slightly.

For instance, California and Colorado require companies to respect a “universal opt-out” signal, and the states plan to publish technical specifications on how to comply with their requirements. Colorado further requires that, as part of respecting the opt-out signal, companies must “…be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation.”

Meanwhile, neither Virginia nor Utah include an obligation to respect a universal opt-out preference signal, but they do require companies to provide a way for consumers to opt-out.

In the world of digital advertising, where auctions happen in a matter of milliseconds, these new approaches present a significant challenge, but a consent management platform (CMP) can streamline a publisher’s compliance efforts. This tool presents site visitors with choices according to state-specific requirements regarding using their personal data, which can be compiled into a consent signal and leveraged by all downstream partners.

Each of the five state laws uses unique revenue and data volume thresholds to determine applicability and specific exemptions. Publishers should consult with legal counsel to determine which laws apply and how best to comply with the relevant requirements. That said, even small publishers that fall below these thresholds should prepare for the new requirements, as the technology partners and other vendors they work with are likely subject to the new laws. A few examples include privacy policy disclosures, notice at the time of data collection, opt-out mechanisms and processes for supporting the exercise of data rights.

New technology aids in compliance

These new and varied consent requirements present a significant technical challenge for publishers, largely because they lack visibility into the residence of each site visitor. This makes it difficult to determine the applicable data rights — and indirect identifiers like IP addresses tend to be fallible with so many people using mobile devices or a virtual private network to mask their location.

Fortunately, publishers have a powerful, proactive partner in the Interactive Advertising Bureau …read more

Source:: Digiday

Author: Aaron