Why This Matters: The ANA’s Dan Jaffe says online privacy overregulation is now his members’ top policy concern.
For decades, fending off ad taxes has been the top priority of the Association of National Advertisers. Not anymore. Dan Jaffe, group executive vice president, government relations at the ANA and its point person on Washington issues, says that the impact of online privacy overregulation is now the top issue for his membership, which comprises a Who’s Who of brands from Amazon to Zillow and just about everyone in between.
Jaffe spoke with B&C about why ANA pushed back on California’s new privacy law — the trade group has said troubling portions should be preempted by federal legislation — and why Congress needs to step in.
How worried are you about Congress adopting an opt-in regime for online information sharing?
I think it would be very detrimental. Opt-in systems will be very intrusive. The history of such systems is that because people are busy, if they are constantly getting barraged with opt-ins, they very well may not opt in and then you have a limited ability to reach consumers efficiently and effectively.
But as of now, I do not see that as a likely outcome, because the California Consumer Protection Act [CCPA] takes an opt-out approach, and because the Federal Trade Commission in the past has never been in favor of calling for a similar system to the GDPR [General Data Protection Regulation, the European Union’s new privacy framework].
What is new is that I am hearing, from multiple sources, more serious consideration of a broad general privacy law than I have heard at any time in years. Because of GDPR and the [CCPA] there is a growing drumbeat of people saying we need some sort of federal law. It would pre-empt the bad aspects of CCPA and set a reasonable approach to privacy in the U.S.
That was the overwhelming message that came out of the recent privacy hearing on the Hill. Now the issue is what it should encompass.
What do advertisers think is ‘reasonable?’
We certainly have to pre-empt the provisions we think are overbroad in the CCPA, provisions that we think radically increase the risk of data breach and data fraud.
It would have to be an opt-out system. It would have to distinguish between sensitive and nonsensitive data so all data is not treated equally, because all data is not equal. It will have to reasonably deal with all the existing privacy laws. There could be an optout system like we have for the Digital Advertising Alliance self-regulatory program, [with that] either grandfathered in or creating a safe harbor [for those in the DAA], or come up with provisions that deal those issues with the way that we have.
All the groups in the Digital Advertising Alliance would then be held liable by the FTC if they didn’t keep to their promises. The distance between regulation and self-regulation is a lot less than people think. Our self-regulatory program is basically backed up by the FTC’s enforcement.
You clearly have a lot of issues with CCPA.
We think it is one of the most badly drafted and ill-considered pieces of legislation.
They have created an unworkable system that will cause severe damage and sweep in hundreds of thousands of companies, big and small. It’s going to require them to pull all of the data the companies have into one data pool that they can then give either to an individual or to third parties. And they had better be able to do that in a very, very systematic way because that will be creating a Fort Knox of information that will be extraordinarily attractive grounds for a data breach. Then, once there is a data breach, there will be hundreds of millions of dollars in lawsuits because they don’t distinguish between sensitive and nonsensitive data.
So, if I go to some particular site to find out what the weather is, or to find out what the score of a baseball game is … that data can be sued against, not just by the attorney general of California, but the trial bar of California, which is one of the most active and aggressive in the country.
What are you doing to try and “clean up” the law, given that it doesn’t go into effect for almost two years?
We are actively working with the California Chamber of Commerce and many other groups to try and clean it up. The bill has already been amended to extend the effective date of the legislation from January to July, but there is a vast range of other issues. We sent the California legislature 20 pages of amendments and they took, like, two of the things on the list. Are they willing to do anything further? Will they be able to?
But you have until 2020.
I made the exact same statement to my legal affairs committee a couple of weeks ago, and they said, ‘We need to start thinking this through today. We have to be ready.’ … So, while companies are rushing to try and get teams together within their companies so that they can manage this, they may find, very close to the time this does go into effect, that what they were doing doesn’t meet the criteria — and what they did to comply with GDPR is not identical.
If I am a broadcaster or cable operator in California, couldn’t I benefit? Couldn’t some of those online ad dollars move back to traditional media?
Unfortunately, the CCPA is not just an online law. It covers both offline and online. … This bill is much more encompassing than people think, and will certainly cover the kind of things people are doing in California in terms of on-air advertising. I would assume they are doing Nielsen surveys and collecting data about people and using it to decide whether to run an ad. And you don’t have to be a California company, so long as you meet the triggers and are doing business in California.
