WASHINGTON — Advertisers are pushing for a national privacy bill, but with little chance of comprehensive legislation in the near term, they are also resisting efforts by states to pass their own privacy laws. State-level laws, they argue, are a Balkanized approach that could boost the power of the Big Tech players that both states and the federal government are looking to rein in.
Dan Jaffe, group executive vice president of government relations for the Association of National Advertisers, has been a point man in this pushback, notably against the California Consumer Privacy Act (CCPA). The CCPA becomes law on Jan. 1 and compliance will cost businesses billions — that is, when they can figure out what to comply with, which Jaffe said remains a moving target.
Jaffe spoke with Multichannel News about the implications of privacy by design, if that design is a patchwork of state approaches. Here’s an edited transcript of that conversation.
MCN: What are ANA’s main problems with the California Consumer Privacy Act?
Dan Jaffe: At the most fundamental level, it is that it is a single state law. We don’t think that privacy rules work on a state-by-state basis. The business has already gone through a substantial amount of fragmentation and that is only going to increase in 2020 unless there is a federal law passed that pre-empts state laws.
MCN: You say “laws,” so clearly the problem isn’t just California.
DJ: Let me give you the quick list of what I know, and I may not be covering everything. There is CCPA, as well as a [California] data-broker registration bill that is not the same as a Vermont data-broker bill. Nevada’s new law goes into effect today [Sept. 30]. Maine has an ISP law and New Jersey has a major piece of privacy legislation with private-rights-of-action provisions in it. The attorney general of Ohio is talking about holding privacy hearings. … You get the general gist.
Overlaying all of this is the [European Union’s] General Data Protection Rules [which apply to any business over a certain size doing business in the EU, just as the CCPA applies to any business over a certain size doing business in the state].
I know a number of companies who have spent multi, multimillions of dollars to become GDPR compliant and are now spending millions on becoming CCPA compliant because of the differences in definitions.
MCN: Speaking of big money, the California attorney general’s office has put out a regulatory impact statement. What trouble signs are in that report?
DJ: I have said since the outset that this was going to be a major tax on California consumers because I could see there were going to be major regulatory compliance requirements. Now the attorney general’s report is talking about as much as $55 billion in costs from the CCPA, and a further $16.9 billion in costs for compliance with the attorney general’s [rules].
I don’t want to be hyperventilating here, but the report says this is going to fall particularly hard on small business. Because of the way the act is designed, a relatively large number of relatively small businesses will be covered.
Big companies are going to be able to do well in this situation because they have compliance lawyers and IT experts and advertising experts. Companies midsize and below are going to have a very much harder time — and that is if everything goes smoothly.
Now, people may say that the privacy protections people have gotten outweigh all of these costs. I don’t necessarily think that that’s true.
MCN: Obviously, you don’t want this Balkanized model, but if it develops, is the free web content model sustainable?
DJ: For some, yes. The Tyrannosaurus Rexes survive, at least in the short run. But I don’t know how Google and Amazon and all these other companies that started out in garages and dorm rooms would have done if they had faced all these restrictions.
MCN: But an already divided Congress fighting over impeachment is unlikely to come together on privacy legislation anytime soon.
DJ: To pass any major legislation when they don’t like each other and they don’t work well together is very hard. I don’t know what’s possible. I just know what’s needed. We are going to make every effort to move [federal legislation] as far and as fast as we can. There is nothing more important that we are working on than privacy and data security issues.
A very large proportion of companies will say the same thing. And the situation is only going to get more difficult because there are 22 more states that seriously considered privacy legislation in 2019.
Unlike data security, where disparate laws still deal with a limited set of issues and, if you are complying with those requirements, you are likely complying with most data-security laws, this isn’t the case with privacy. It has a large range of issues over billions and billions of transactions and an enormous number of parties from first parties to third parties to data suppliers to data trackers to publishers.
MCN: So the answer is national legislation.
DJ: Yes, and for the first time the industry is not split on that. I don’t hear anybody say, “Oh, we don’t need national legislation.”
One more thing, and this I think is a grenade that has been thrown into the process. Before the law takes effect and even before the attorney general has finished his rulemaking, Alastair Mactaggart [the California resident who pushed for the initial ballot initiative] is putting forward a new ballot initiative that will completely alter and add to the existing [CCPA]. We are in a never-ending compliance race. To use a legal term: It’s a mess, and it’s likely to get messier.