The IAB held its inaugural Privacy Compliance Salon on September 22, 2024, in downtown Los Angeles, California. The Privacy Compliance Salon is an intimate salon-style event that brings together cross-functional privacy leaders in the digital advertising industry for thought-provoking and practical discussions around today’s most challenging privacy compliance issues.
Conversations covered digital advertising data flows, consent signals, and first-party data activation. Participants also had spirited conversations on the privacy challenges relevant to data clean rooms. The day also covered trends, challenges, and practical tips in health-related digital advertising. In addition, with the rapid evolution of technologies like AI-driven advertising, it’s crucial for privacy practitioners to stay ahead of the curve. Across all the deep-dive conversations, one message was consistent: privacy professionals should continue to ask probing questions of their technology partners and strengthen foundational data governance practices.
In this blog post, we will highlight some of the key takeaways from this year’s Salon, and of course, we hope to see you at the next one.
Health-Related Digital Advertising
The definition of health data is rapidly expanding under existing and newly enacted privacy laws. Different statutes have different definitions, and the line between what is and is not in scope is often context-dependent, especially for the digital advertising industry.
- Context matters. When evaluating whether certain data constitutes health data, a myriad of factors should be considered, including why and how the data is collected, which statutory requirements are applicable, and how it is used. The devil is in the details, and one should dive deep to evaluate the risks fully: are the data points used for contextual advertising or off-site targeting? How is the data labeled in the backend? Are there any further health status inferences drawn? Is the use of the data consistent with consumers’ reasonable expectations? All these factors change the analysis.
- Hashing doesn’t make personal data anonymous. When told personal data is anonymous or de-identified, one should ask more questions to clarify whether the data is merely pseudonymized or can readily be re-identified. Encryption or hashing doesn’t make personal data anonymous, especially if the identifier is later used for retargeting. De-identification under one statute (e.g., HIPAA) may not satisfy other statutory requirements.
- Think creatively. Businesses should begin examining creative ways of targeted advertising that don’t use health data points. For instance, look at areas with higher pollen counts rather than targeting people with allergies.
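The hashing point above is easiest to see in code. The following is an added example, not code from the post or from IAB: it constructs a small "anonymized" audience segment of SHA-256 hashed emails and shows that a recipient who already holds a plaintext list (its own CRM, say) re-links the overlapping records simply by hashing its own list the same way, and that the identical hash value then serves as a persistent cross-party identifier for retargeting. It goes one step beyond the text by also showing a keyed hash (HMAC with a secret), which stops outsiders from reproducing the values but still lets the key holder re-identify, which is why such data is pseudonymous rather than anonymous. All email addresses, the sample segment, and the CRM list are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption, not from the post): a publisher exports an
# "anonymized" audience segment as SHA-256 hashes of normalized email addresses.
AUDIENCE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalize(email: str) -> str:
    """Hashed-email conventions normalize before hashing so values match across parties."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of a normalized email: the usual 'hashed email' identifier."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: only a holder of the key can reproduce the value."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def build_segment(emails, hasher):
    """The exported audience: a set of hashed identifiers with no plaintext attached."""
    return {hasher(e) for e in emails}


def relink(segment, partner_emails, hasher):
    """Re-identification by a recipient that already holds plaintext addresses:
    hash each address it knows the same way and keep the ones found in the segment."""
    return {e: hasher(e) for e in partner_emails if hasher(e) in segment}


def demo():
    # Constructed: the recipient's own CRM overlaps the segment on two people.
    partner_crm = ["alice@example.com", "Bob@Example.com", "dave@example.com"]

    # 1. Unkeyed hash: every overlapping record is re-identified, and the shared
    #    hash value doubles as a stable identifier both parties can key on.
    plain_segment = build_segment(AUDIENCE_EMAILS, plain_hash)
    plain_hits = relink(plain_segment, partner_crm, plain_hash)

    # 2. Keyed hash: a recipient without the key reproduces nothing ...
    key = secrets.token_bytes(32)
    keyed_segment = build_segment(AUDIENCE_EMAILS, lambda e: keyed_hash(e, key))
    wrong_key = secrets.token_bytes(32)
    outsider_hits = relink(keyed_segment, partner_crm, lambda e: keyed_hash(e, wrong_key))
    # ... but whoever holds the key still re-identifies the same two people,
    # so the data is pseudonymized, not anonymized.
    keyholder_hits = relink(keyed_segment, partner_crm, lambda e: keyed_hash(e, key))

    return {
        "plain_relinked": len(plain_hits),
        "outsider_relinked": len(outsider_hits),
        "keyholder_relinked": len(keyholder_hits),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests when a partner says a feed is "anonymous": ask whether the hash is keyed, who holds the key, and whether the same value is used as a match key downstream; if the answer to the last question is yes, it is an identifier, whatever it is called.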
Data Clean Rooms
Data Clean Rooms (DCRs) have emerged as an important data collaboration tool. Although they offer many data minimization and security benefits, leveraging DCRs does not exempt companies from privacy compliance obligations. The attendees discussed the common myths, buzzwords, and hype surrounding DCRs while highlighting important ways that the digital advertising industry can maximize DCRs’ utility while reducing risk.
- It is not a privacy compliance silver bullet. While DCRs reduce the risk of data leakage and improve security, they are not a privacy compliance “silver bullet,” because pseudonymized data is still considered “personal data” and is, therefore, subject to privacy compliance requirements.
- Conduct a deep dive to take the proper privacy position. Companies need to conduct a deep dive into their DCR providers before structuring the relationship under applicable state privacy laws (e.g., service provider versus third party). For instance, they need to understand what exactly the DCRs are used for (e.g., insights and targeted advertising planning, audience augmentation, data analytics, and measurement). In addition, not all DCRs are set up the same way, and companies should understand the data flows, the privacy-enhancing technologies applied, the data hosting infrastructure, and the data access controls in order to apply privacy laws to their DCR use cases.
Digital Ad Data Flows
Understanding the common data flows in digital advertising is critical to operationalizing an effective data privacy program. This is a complex undertaking where personal data moves through pixels and tags, as well as in the bid stream and server-to-server transfers.
- The increasingly costly state-by-state approach. The state-by-state approach to privacy compliance is becoming increasingly costly as more states enact comprehensive privacy laws. Companies are increasingly taking a “national approach,” which itself has several types.
- GPC adoption beyond the state privacy law mandate. A majority of businesses seem to be honoring GPC signals in states where it is not explicitly required by law.
- Users can override GPC Signals. While honoring GPC signals is required in certain states and will be required in more starting in 2025, users may take action to override the privacy preferences transmitted by GPC, such as through a preference center tool.
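The three points above (a national approach to GPC, honoring the signal beyond the states that mandate it, and a preference-center choice that can override it) describe a decision an ad server has to make on every request. The following is an added example, not code from the post or from IAB: it parses the `Sec-GPC` request header as the Global Privacy Control specification defines it (the value `1` signals an opt-out; `navigator.globalPrivacyControl` exposes the same signal to page scripts) and applies a constructed policy model. The `Policy` and `PreferenceRecord` types, the precedence rules, and the decision labels are assumptions made for illustration; which party's choice should win in a given situation is a question for the applicable law, not for this code.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """How the operator treats the signal (assumed fields for this example, not a standard)."""
    gpc_mandated_in_state: bool              # a state law requires honoring GPC for this request
    honor_gpc_nationally: bool               # the operator's "national approach": honor it everywhere
    allow_preference_center_override: bool   # an explicit user choice may override the signal


@dataclass(frozen=True)
class PreferenceRecord:
    """A choice stored by the site's preference center (constructed schema)."""
    opted_out_of_sale_share: bool
    recorded_at: str   # ISO-8601 timestamp kept for audit; not used in the decision here


def normalize_headers(headers: dict) -> dict:
    """HTTP header names are case-insensitive, so compare on a lower-cased copy."""
    return {k.lower(): v for k, v in headers.items()}


def gpc_signal_present(headers: dict) -> bool:
    """True only for the exact spec value "1"; "0", "true" or a missing header is not an opt-out."""
    return normalize_headers(headers).get("sec-gpc", "").strip() == "1"


def sale_share_decision(headers: dict, preference: Optional[PreferenceRecord], policy: Policy) -> str:
    """Return a label saying whether, and why, sale/sharing is permitted for this request.

    Precedence used here (an assumption of this example):
      1. an explicit opt-out recorded in the preference center always wins;
      2. a GPC signal is honored where mandated or where the operator honors it nationally,
         unless the user explicitly opted back in and the operator allows that override;
      3. otherwise the stored preference, or the default of no opt-out on record.
    """
    gpc_opt_out = gpc_signal_present(headers) and (
        policy.gpc_mandated_in_state or policy.honor_gpc_nationally
    )

    if preference is not None and preference.opted_out_of_sale_share:
        return "opt_out:preference_center"
    if gpc_opt_out:
        if preference is not None and policy.allow_preference_center_override:
            return "allowed:user_override"   # the user opted back in via the preference center
        return "opt_out:gpc"
    if preference is not None:
        return "allowed:user_opted_in"
    return "allowed:no_opt_out_on_record"


if __name__ == "__main__":
    national = Policy(gpc_mandated_in_state=False, honor_gpc_nationally=True,
                      allow_preference_center_override=True)
    print(sale_share_decision({"Sec-GPC": "1"}, None, national))
    print(sale_share_decision({"Sec-GPC": "1"},
                              PreferenceRecord(False, "2024-09-22T10:00:00Z"), national))
```

Two details worth keeping when adapting this: log which branch produced each decision (the label does that) so the choice can be explained later, and keep the stored preference's timestamp, since whether an override should still count after a later GPC signal is exactly the kind of question a regulator may ask.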
AI and Data Governance in Digital Advertising
Artificial intelligence continues to revolutionize the digital advertising industry, from ad creatives to campaign planning and inferences. Robust data governance is foundational as companies mature their AI programs.
- Bad data makes bad AI. Solid data governance is essential for AI model development to address potential risks such as bias, drift, and overfitting. Effective data governance requires continuous data inventory and mapping to track data provenance and lineage. As companies mature their AI programs, they should continue to look into tools such as algorithmic personal data finders, master data management software, and algorithmic impact assessment tools.
- AI governance. Organizations should maintain an inventory of their AI models and training data sets. They should conduct internal audits on their own AI usage and third-party assessments both upstream and downstream. AI management should be integrated into their software development lifecycle, incorporating privacy, security, and ethics by design.
Regulators’ Perspective
IAB’s EVP and General Counsel, Michael Hahn, spoke with Esther Chavez, Senior Counsel for the Privacy, Data Security, and Technology team in the Consumer Protection Division Office of the Texas Attorney General.
- Enforcement actions will be on the rise. The Texas AG’s office has many regulatory tools, including the Texas Data Privacy and Security Act, and it continues to staff up its privacy enforcement arm. Enforcement priorities are also driven by consumer complaints, market news, and staff members’ own observations. The Texas AG’s office received over 500 complaints this year, of which 32% pertained to the Texas Data Privacy and Security Act.
- Consider the consumer’s reasonable expectation. Using personal data for purposes broader than the purpose for which data was originally collected must still meet consumers’ reasonable expectations and consider potential harm to consumers.
- Third-party due diligence is expected. Companies are expected to adequately manage third-party privacy risks. They should have a documented and demonstrable compliance program that includes robust due diligence of their processors and third parties. For instance, companies should be prepared to answer questions such as how vendors are onboarded, how they confirm that vendors adhere to their privacy and security commitments, how risk assessments inform the level of diligence needed, and whether the risk assessment considers the potential harm to consumers.
Final thoughts
At the end of the day, Transcend’s Shaun Lichti tied together the day’s threads with Arlene Mu, IAB’s Assistant General Counsel. The main takeaway is that privacy professionals should be able to zoom in and ask specific questions about personal data collection, use, and sharing practices, as well as zoom out to see the bigger picture: consumer trust.
In order to maintain consumer trust, privacy professionals should think about explainability: providing consumers with adequate information in plain English so that they can make informed choices and provide meaningful consent.
Lastly, as companies continue to mature on their privacy journey, solid data governance, robust consent management, and scalable risk assessment processes are essential to spearhead new technology adoption.
Through insightful panel discussions and thought-provoking breakout sessions, the Privacy Compliance Salon enabled privacy experts to conduct deep dives into key privacy issues and benchmark the best practices. We hope to see you at more IAB Legal Affairs Council events.