Wanna hear something a little strange?
I attended two privacy-focused conferences in Washington, DC last week, and almost no one was talking about Google’s third-party cookie announcement.
To be fair, the news – that Google is scrapping plans to release a choice mechanism for third-party cookies in Chrome – didn’t break until midday on Tuesday, which was right in the middle of the IAB’s Public Policy and Legal Summit. People needed a little time to absorb.
But at the IAPP’s Global Privacy Summit on Wednesday and Thursday, barely a mention.
That’s less weird than it sounds, though.
State of mind
Ad tech folks hang on Google’s every pronouncement because they have to. Their businesses depend on it.
Now, five long years after Google announced plans to deprecate third-party cookies in Chrome, not only is that not happening, the opt-in prompt stuff feels like a head fake, too. Once the news sunk in, the industry’s reaction to Google’s latest reversal ranged from world-weary annoyance to frustration to straight-up fury.
But Google isn’t a regulator. From an attorney’s point of view, its decrees don’t carry the force of law, and that’s what lawyers are concerned with: the law.
Laws like the Oregon Consumer Privacy Act, the Colorado Privacy Act and the California Consumer Privacy Act – just three of the roughly 20 comprehensive US state privacy laws enacted over the past few years, with more on the way.
Why do I specifically call out Oregon, Colorado and California?
Well, regulators representing those states were on a panel together at the IAPP show last week, and they had a strong and cohesive message for the business community: Help us help you.
Oh, and “don’t play hide the ball,” said Kristen Hilton, a senior assistant attorney general in the civil enforcement division of the Oregon Department of Justice.
State of affairs
Businesses often get extremely defensive when a regulator contacts them with questions.
When people feel cornered or singled out, their tendency is to react emotionally to protect themselves. Businesses are no different. But it’s not the best look.
Nine times out of ten, regulators are reaching out because they want to open a dialogue, said Stevie DeGroff, first assistant attorney general in the technology and privacy protection unit of Colorado’s AG office.
“My father was a police officer for 37 years and I always hear him in my head saying, ‘If you lie, you make it worse,’” she said. “And I think that’s very true here.”
Being honest and direct and sharing information proactively is a recipe for a quick and likely positive resolution, DeGroff said, whereas delaying, obfuscating and playing games is a formula for failure – not to mention a fruitless endeavor. The regulatory agency making the inquiry will probably eventually find whatever it’s looking for anyway.
Because regulators aren’t only keen to enforce their shiny new state privacy laws; they’re also becoming quite technologically savvy.
AG offices in states with privacy laws are increasingly hiring full-time technologists – Colorado has one, Oregon has one, and California has a few – and they’re all more than willing to loan their experts to states that don’t have technologists of their own.
The week before last, a group of state regulators formed a bipartisan consortium to share expertise and resources and coordinate their efforts to investigate privacy violations.
Members include the California Privacy Protection Agency (CPPA) and state AGs from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.
“We’re going to see more and more collaboration across states … to really incentivize compliance nationwide,” said Michael Macko, the CPPA’s deputy director of enforcement. “That’s a trend.”
🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback.
🎟️ I was on the road between April 11 and April 24, first in Florida for Passover and then in Washington, DC to hang with all the privacy wonks last week. When I walked in the door of my apartment on Friday, this was the look on my cat’s face. And that’ll be the look on my face, too, if I don’t see you at Programmatic IO: Innovate in Las Vegas, May 19-21. Get your ticket here so you don’t miss spot-on sessions, like one on how to recognize red flags when companies are flogging their supposedly “fully privacy safe” and “100% CCPA-compliant” solutions.
