2024 will be a massive year for data privacy with the impending deprecation of third-party cookies. But, as we mentioned in a recap of our recent webinar on navigating the data and privacy landscape, more changes are coming with new state privacy laws scheduled to take effect. Nearly 20 states have passed comprehensive privacy bills or are in the process of doing so while Washington continues to debate what a federal privacy law might look like.
As you can imagine (and are likely experiencing if you’re a brand doing business in the U.S.), this patchwork of laws can create immense complexities for advertisers, most of whom have customers across states. This gets even more challenging for global brands that must also adhere to other regions’ laws, such as the EU’s General Data Protection Regulation (GDPR).
The Association of National Advertisers recently explored the topic in more detail in the article “Is the Patchwork of U.S. State Privacy Laws Untenable?” PebblePost’s Chief Privacy Officer and General Counsel, Lori Mason, contributed the following insights to the piece.
Complying with one state law doesn’t mean complying with others
Brands that must comply with the GDPR will remember all the preparations they made before May 2018, when the regulation took effect. It took months and months of collaboration and work across legal, data, product, marketing, and other internal teams, not to mention outside vendors, clients, and experts. And that was just one law.
Now imagine trying to comply with a dozen to two dozen individual laws that don’t necessarily connect. In addition, state laws are easy to amend, as the California Consumer Privacy Act already has been. This means state legislation could become even more unwieldy and confusing in years to come.
Mason said in the ANA article that just because a company complies with one state law doesn’t mean it complies with another, as some regulations are broader than others. Each law varies in its definition of personal data and sensitive information, applicability, and enforcement. Most companies aren’t set up with the teams, tools, or processes to manage these nuances and more down the line—including a possible federal law.
As Mason shared in our webinar, “Some of the challenges are really how [federal law] would interact with state legislation like the CCPA. California has a very strong legislative body that is really keen on keeping CCPA and CPRA and wouldn’t want to have legislation diluted by federal legislation that would supersede it.”
Getting legal and data privacy teams involved earlier
One of the bright sides of this privacy law complexity is that more and more brands are bringing in legal and data privacy experts earlier in their discussions. Mason advocated for this in our webinar by encouraging brands to “lean in and get involved early. Much of the work that you are going to do will involve data. And when you’re involving data, you’re involving privacy and regulation.”
PebblePost’s prospective clients are asking Mason’s team to join business discussions sooner to vet how the company obtains, processes, and stores data. “It used to be that by the time the lawyers got involved, the companies were negotiating the terms of service or whatever it might be,” she said in the ANA article. “Now, if we are not the first call, we are the third or fourth.”
For additional tips on navigating the 2024 privacy landscape as brand marketers, check out our webinar here.