By Lou Mastria
Big Idea: DAA, DAAC and EDAA each maintain distinct interpretations of self-regulatory Principles for their respective markets. Rubicon Project offers its perspective on how the global ad supply chain may adapt the DAA framework to domestic expectations.
“We’re going global, so I hope you’ve got your data passports ready,” said Peter Kosmala, senior vice president, government affairs, 4A’s, who moderated a Digital Advertising Alliance Summit 2016 Panel, “Global Exchange Around Relevance.” “These are particularly exciting times to be in interest-based advertising, not just in the U.S., but in Canada, and most certainly in Europe where there are significant changes coming very soon.” Kosmala was referencing the EU-U.S. Privacy Shield recently agreed upon and approved by the European Union (EU) and the United States. Privacy Shield will enable transatlantic data flow under the condition that necessary safeguards and transparency are upheld by the U.S. government, therefore assuring protection of European citizens.
Photo: Moderator, Peter Kosmala, Senior Vice President, Government Affairs, 4A’s
Julie Ford, executive director, Digital Advertising Alliance of Canada, spoke about the accomplishments and current state of the DAA program there. A study conducted by The Office of the Privacy Commissioner of Canada (OPC) found that notice and opt-out options were given to web users 96 percent of the time in Canada – showing penetration and practice of a key tenet embodied in DAA Principles, the Consumer Control Principle.
Although Canadian regulation differs from that of the U.S., 90 percent of DAAC’s 70 participants are U.S.-based companies. “We’re seeing a lot of traction from U.S. participants,” Ford said. In order for a U.S. company to participate, all they must do is sign an addendum [offered by DAA].
Kelly DeMarchis, counsel, Venable LLP, stated that Europe has been rapidly developing privacy regulations over the past few months. “(The) European environment really is made challenging by some fundamental tenets within their law. It starts with the premise that any data that’s linked to, or linkable to, an identified individual is considered to be personal information,” said DeMarchis. Identifiers such as IP addresses are therefore considered identifiable information – a distinct difference from the United States.
In Europe, privacy is seen as a fundamental right that is attached to individual data, regardless of where it travels to, according to the panel. The General Data Protection Regulation (GDPR) is extraterritorial and applies to EU consumers on the internet. U.S. companies with online advertisements on European sites are subject to such regulations. Penalties for breaking the law under the GDPR, set to take effect in 2018, are up to four percent of a company’s worldwide revenue.
Mathilde Fiquet, vice chair, European Interactive Digital Advertising Alliance, and EU affairs manager, The Federation of European Direct and Interactive Marketing, speaking of the EDAA, stated, “We want our program to stay relevant in that new [GDPR] environment, in that new legal framework. She noted that EDAA has worked with many countries, embarking on consumer education initiatives in several nations over the past year, and currently has more than 115 participating companies [as of May 2016].
Photo: (Left) Julie Ford, Executive Director, Digital Advertising Alliance of Canada and (Right) Kelly DeMarchis, Counsel, Venable LLP
Testimonial for Joint Effort between Canada, Europe, U.S.
Despite more stringent European data law, U.S. companies are still able to operate in Europe. According to DeMarchis, they will be subject to a host of new regulatory requirements and obligations.
Vivek Narayanadas, senior counsel and data protection officer, Rubicon Project, said, “We’re a participant in both DAAC and the EDAA [as well as DAA in the United States]. They’ve been absolutely instrumental in allowing us to operate outside of the U.S.” Since Rubicon Project is a U.S.-based company, Narayanadas explained that its participation in DAAC and EDAA gives the company credibility when doing business with larger, foreign companies. He also added, “They serve to give us peace of mind... Knowing that we comply with the EDAA rules gives us peace of mind.”
Photo: (Left) Mathilde Fiquet, Vice Chair, EDAA, and EU Affairs Manager, The Federation of European Direct and Interactive Marketing and (Right) Vivek Narayanadas, Senior Counsel and Data Protection Officer, Rubicon Project
Outside of the U.S., Canada and Europe
Lou Mastria, CIPP, CISSP, executive director, DAA, posed a question regarding how cross-device developments may have an impact on forthcoming privacy regulations. Narayanadas explained how evolving technology requires companies to track privacy jurisdictions and developments. For regions with less sophisticated jurisdictions, however, there may not be clear or updated regulations. As a result, Narayanadas stated, “We’re in the situation where we often have to predict what’s going to happen in other jurisdictions where they may not have a sophisticated entity like the EDAA or the DAAC. So, oftentimes we find ourselves applying the DAA’s U.S.-based Principles globally, just because we need some type of baseline to operate on.”
The DAA, DAAC, and EDAA allow for collaboration, international commerce and cultural exchange. Because of a strong foundation of privacy self-regulation within the three organizations, DAA Principles are spreading elsewhere, confirmed Vivek Narayanadas. Increased privacy education is leading to better self-regulation and industry and consumer awareness.