IAPP and IAB 2024 events: Notes and takeaways from Washington D.C.

Published 4/19/2024 by Thomas Adhumeau, 5 min read


Last week, I had the opportunity to attend two major industry events in Washington, D.C., along with our CEO Romain Gauthier and our Vice President of Product Development Jeff Wheeler: the IAB 2024 Public Policy and Legal Summit and the IAPP Global Privacy Summit 2024.

In this post, I share some of my notes and comments about both events and draw some conclusions and takeaways regarding what our industry has in store for the year, as well as what trends you can expect in the coming months.

IAB 2024 Public Policy and Legal Summit

This year’s Public Policy and Legal Summit was a great opportunity to interact with fellow industry players about the intricacies of privacy law in the U.S. and its implications for the advertising industry. 

Much of the discussion concerned the difficulty of dealing with the patchwork of privacy laws in the United States. These concerns are heightened by the confusion caused by the lack of standardization in privacy regulations, especially around Global Privacy Control (GPC), which was criticized during a panel for not being user-friendly and for being potentially misleading due to its state-specific nature.

Some of the other most interesting topics and discussions included:

  • Sensitive Personal Information (SPI): State Privacy Compliance panelists examined the compliance challenges with SPI opt-in requirements, especially for geolocation data, emphasizing the complexity of aligning with diverse state laws and the need for explicit user consent mechanisms. This was reinforced by statements from Michael Hahn, EVP & General Counsel at IAB, who touched on the complex nature of SPI, noting how its sensitivity can vary based on context, complicating compliance efforts.
  • Artificial intelligence: Lartease Tiffith, Executive Vice President of Public Policy at IAB, discussed AI’s profound future impact on advertising, suggesting significant changes in ad personalization and industry efficiency. An FTC panel also explored the agency’s initiatives in the area, including the tension between minimizing data for AI training and using more data to reduce AI biases, highlighting the need for a balanced approach.
  • Cookie-related litigation trends: This panel focused on the legal scrutiny over the use of Meta’s pixels in videos and the broader implications of wiretapping claims, which argue that cookies and trackers interfere with communications between a publisher and website users.
  • Consent banners: The debate around consent banners as a solution to legal challenges with cookies and trackers stressed the necessity for clear, informed user consent through standardized, user-friendly interfaces.
  • Vendor assessment: Some speakers identified vendor assessment as a critical step towards compliance for managing privacy risks associated with third-party vendors.
  • Children’s privacy: The Federal Trade Commission (FTC) is set to exercise its rule-making power regarding COPPA enhancements, specifically around requiring double consent for children’s data use and third-party sharing. This topic stood out for its optimistic view on bipartisan support for stronger privacy protections for children in the U.S.

One of the most interesting pieces of information from the event came from Michael S. Macko, Deputy Director of Enforcement at the California Privacy Protection Agency (CPPA). During a panel, he discussed upcoming documents detailing privacy concerns and advisories and mentioned the agency’s workforce expansion to enhance enforcement capabilities. He metaphorically indicated that the “seeds planted” by the CPPA are expected to “harvest” soon, hinting at upcoming regulatory actions.

IAPP Global Privacy Summit 2024

This year’s IAPP Global Privacy Summit discussions were largely the same as last year’s, mostly due to the lack of enforcement in the U.S.

However, we have reasons to believe enforcement will increase significantly due to, among other things, the appointment of an enforcement team, declarations from the California Privacy Protection Agency, and statements from CPPA representatives during the event.

Ashkan Soltani, the agency’s Executive Director, hosted a session discussing the unique advantages of operating as an independent agency and emphasizing the CPPA’s ability to emulate European Data Protection Authorities (DPAs) in addressing privacy challenges with agility. His observations provided a valuable blueprint for navigating regulatory complexities with innovative and flexible approaches.

The Summit started with a panel of representatives from various regulatory bodies highlighting regulators' evolving priorities, including the criticality of age verification through credit card checks, the surge in guidance around AI technologies, the increasing importance of cybersecurity in the wake of rising data breaches, and the concerted effort to implement the EU legislative package. 

Artificial intelligence was, of course, a big topic, although less of a buzzword than during last year’s event. Conversations were more practical, tackling what it actually means in the privacy space. While it was discussed a lot, no major breakthrough seemed to emerge. One interesting piece of AI news was that some U.S. regulators were considering packaging AI and privacy regulations for a more holistic approach to a digital piece of legislation. It remains to be determined whether this would actually emerge.

On the topic of consent and sensitive data, the Federal Trade Commission (FTC) confirmed its firm stance on health and location data, as evidenced by recent sanctions. The agency has enacted a total ban, irrespective of consent, on certain companies disclosing health and geolocation data, a move that marks a significant pivot in privacy enforcement, showcasing the FTC’s unwavering commitment to safeguarding personal information in all its forms.

Finally, standardization efforts from the IAB and its TechLab are proving to be foundational in shaping the U.S. privacy landscape, from initiatives around the DSAR protocol to personal information taxonomy and accountability platforms. These are crucial steps towards harmonizing practices and language in our industry, which not only helps with compliance but also fosters a shared understanding and approach to privacy and data protection challenges.

Surprise Legislative Development Following the IAPP Summit

Just two days after the conclusion of the IAPP Summit in Washington, an unexpected legislative twist occurred: a new federal bill gained bipartisan support and is set to be discussed in Congress this year, with a strong likelihood of passage. This development came as a surprise to many, as privacy was not expected to be a key focus at the federal level in the United States for 2024, especially given that the previous bill was considered dead. 

Suddenly and without prior indication, this new proposal surfaced. 

At first glance, it closely resembles the previous one but with adjustments likely to appeal, particularly in California, where the earlier version had faced opposition. The bill draws extensively on the CCPA, as amended by the CPRA, and protects American citizens just as much as that law does in California. Notably, it includes options to opt out of behavioral advertising, and geolocation data are categorized as sensitive personal information, highlighting a significant step towards privacy.

Conclusions and takeaways from Washington, D.C.

Our visit to Washington, D.C., was very instructive. It provided insights into where the market is heading and what organizations must keep in mind over the next few months:

  • Data protection enforcement will likely increase in California in 2024 following statements from the state’s data protection agency.
  • Our multi-regulation Consent Management Platform (CMP) offering will be key for U.S. organizations in approaching data privacy requirements.
  • New players entering the market are confirming our conviction that our expertise will be needed going forward.
  • Artificial intelligence will remain a talking point but will need concrete use cases and applications to truly impact the industry.
  • Privacy standards are needed and will emerge as a major topic over the next few months.

We will continue participating in industry events and engage in these important conversations to bring you more insights as the year progresses. In the meantime, to discuss how Didomi can help with your compliance challenges, book a call with the team.