Data Privacy Regulation: What Comes After CCPA?

By Gerald Smith / 7 minutes

← Resource Center Home

Published: 12/18/2019

We sat down with Shane Wiley, Cuebiq’s Chief Privacy Officer, to discuss the regulatory changes marketers should be on the lookout for and what they can do to prepare for the next few years.

As we look to 2020, which new privacy regulations should marketers be preparing for?

First and foremost, all marketers should be preparing for CCPA, which goes into effect on January 1, 2020. While enforcement of CCPA won’t begin until July 2020, enforcement can be applied retroactively on activities that have taken place from January 1 onward. 

After January, marketers should be prepared for additional state laws to come out in 2020. Some feel that there are as many as eight states that have made meaningful progress toward privacy legislation in 2019 but can’t possibly cross the finish line until 2020. However, given the upcoming presidential election cycle, federal privacy legislation isn’t expected in the United States in 2020. More likely, it will come to fruition in 2021, with strong drafts such as The Consumer Online Privacy Rights Act (COPRA) coming out in the closing weeks of 2019.

How have changes in consent management affected companies who collect precise  location data?

The biggest shift that we will see in 2020 is that the Network Advertisers Initiative (NAI) code of conduct will require an independent, explicit consent event for a third party to collect and use a user’s precise location data. To be more specific, the default operating system consent will not suffice. While Cuebiq implemented a consent event outside the operating system in 2018 for GDPR, this code of conduct may have significant effects on location-centric companies that, unlike Cuebiq, do not currently have a consent model that is independent of the operating system. Adhering to this code of conduct will prove even more complex for companies that don’t have direct first-party relationships with users like Cuebiq and instead rely on third-party location data from highly questionable data sources like real-time bidding transactions in which user consent for use of the data is not easily demonstrated. 

How is user consent tracked currently and how does consent tracking affect marketers?

Today, consent management is a “trust us” proposition. Typically, a company says that they have a user’s consent, and you are supposed to trust that they are being honest. Clearly, this is not a reliable consent management method. This past year, Cuebiq took steps to make consent verifiable, launching a Consent Management and Data Providence (CMDP) platform in partnership with the NASDAQ in June 2019. 

The CMDP offers organizations the option for consent to be recorded in a blockchain ledger and then confirmed, viewed, and validated by a third party. This allows marketers to verify that they are only using data that has been gathered in a way that is compliant with current and future regulation.

What can marketers do to prepare themselves for future privacy regulation?

Every business must decide if they are going to be reactive to each state’s privacy laws or if they are going to attempt to get in front of the rapidly evolving situation. What Cuebiq has done, and we encourage marketers to do as well, is to look at the trajectory of where privacy regulation is going and start to build their privacy program to meet those needs today. 

Be proactive instead of reactive. You can do this by putting your end user at the center of your privacy management policy. Once you orient your data handling approach around the concept that the user is part owner of their information in your system, it moves you into a consent-based paradigm that naturally supports user privacy rights such as access and erasure. 

For those marketers who don’t have the ability or bandwidth to shift their entire approach just yet, we’ve compiled five things to focus on:

  1. Be legally compliant at the federal level — Study the past 20 years of FTC Consent Decrees, COPPA, and other laws that may affect your specific business vertical.
  2. Be legally compliant at the state level — California, Nevada, and Vermont all have regulations with which you should become familiar.
  3. Look to self-regulation groups for guidance — such as the NAI, MMA, IAB, and DAA
  4. Iterate and evolve your approach as new laws come forward — Even a future-looking program may require “tweaking” as new laws emerge with highly prescriptive elements such as links that specifically say “Do Not Sell My Personal Information.”
  5. Require partners to not only prove compliance, but also maintain forward-looking privacy policies — Leverage third-party audits to help you manage partner risk exposure.

How can marketers ensure that their partners will continue to be compliant in 2020 and beyond?

There are four key areas that marketers should look to their partners for when it comes to a privacy approach that goes beyond bare-bones compliance. 

  1. Consent — Does the partner have a digital consent record on every single device that they are collecting data from, with the language for which that consent was given? Does that language name all parties that may be receiving the user’s data, have clear directions on how to retract consent, and allow the user to access the partner’s privacy policy prior to giving consent?
  2. Transparency — Does the partner have a privacy center that explains privacy concepts to end users in nonlegal terms? Does the partner require its partners to be equally transparent through user interactions and their privacy policy?
  3. Control — Does the partner provide users with an easy path to opt out? Do they honor not only direct opt-outs but also those communicated through the operating system or web browser? Do they allow access to, portability of, and erasure of user data upon request?
  4. Accountability — Does the partner subject themselves to and successfully pass third-party audits? Do they require their partners to do the same? Are they members in good standing with vertically relevant self-regulatory groups?

About Shane Wiley

With almost 30 years of experience in software engineering, product management, and policy-related responsibilities, Shane is a recognized leader in developing sound policy solutions to cutting-edge technology challenges. As Chief Privacy Officer, Shane advances Cuebiq’s commitment to their “gold standard” of privacy, including applying a GDPR-like framework for user information and consent across all app partnerships. Shane also spearheads Cuebiq’s privacy technology project, leveraging blockchain to create an open data marketplace to bring economic value not just to data companies and their clients, but to end users as well.

Prior to joining Cuebiq, Shane was Vice President of Privacy at Oath and also led the Privacy and Data Governance team at Yahoo supporting over 1.4 billion users across hundreds of products, services, and platforms in over 80 markets in 40+ languages operating across PC, mobile devices, and cutting-edge consumer electronics. 


For more Cuebiq blogs, subscribe to our newsletter to receive all our latest content.

About the Author

Gerald Smith, VP, Privacy

Gerald has been building and leading global privacy and risk-management programs in the financial, automotive, and tech sectors for over a decade. He received his bachelor’s in Economics from the University of North Carolina and his law degree from Chapman University. He is an IAPP Fellow of Information Privacy.