Last month, the Global Advertising Lawyers Alliance (GALA), in collaboration with the International Advertising Association (IAA), released the first-ever book on how privacy laws affect marketing and advertising around the world. I had the privilege of working with IAA and GALA members from around the world to develop the book, and would like to share with you a sneak peak of the book before the virtual reveal.
Below is a copy of the book’s Foreword on behalf of GALA. I hope you enjoy!
Advertising has changed dramatically over the past decade. Rapid developments in technology, the proliferation of social media, and increased access to consumer data have allowed publishers, brands, agencies, and other players in the advertising ecosystem to better understand consumers and deliver more relevant content. Consumer data is incredibly valuable and can be used for purposes such as research and analysis, calculating attribution for campaigns, email and text marketing, delivering personalized advertising, and finding prospective customers in ways not previously possible. For example, a brand can upload its customer list to a social media platform, and serve advertising on the platform to both customers on that list as well as segments of customers identified by the platform as similar to the brand’s customers and likely to purchase the brand’s products.
The increased reliance on consumer data has led to inevitable questions about the need for regulation over consumer privacy. While privacy is not a new concept, privacy exploded on a global scale in 2018 due to a combination of factors. Most significantly, the European Union began enforcing its robust data protection law, the General Data Protection Regulation (GDPR), which gave regulators the ability to issue dramatic penalties against companies for improperly processing data about individuals located in Europe. Concerned about the ease of data flows across borders and the growing importance of international markets, companies around the world took measures to address the obligations of the GPDR. At the same time, the world learned about the Facebook-Cambridge Analytica incident, which created heightened awareness of the power of data and the potential for misuse.
Privacy compliance has shifted from a business best practice to a business necessity. Since 2018, numerous jurisdictions have updated their privacy laws to bring them closer to GDPR standards. For instance, California and Brazil both passed GDPR-like privacy laws, effective in 2020. While many of the new laws share similarities to the GDPR, they differ in key aspects and require independent analysis. Companies must now understand the nuances between privacy obligations in their home jurisdictions and those elsewhere, and implement procedures and systems to harmonize compliance.
This book, developed by the Global Advertising Alliance (GALA), in cooperation with the International Advertising Association (IAA), is the first, to our knowledge, designed specifically to address global privacy laws in the context of the advertising ecosystem. GALA members across 70 countries with expertise in privacy in their respective jurisdictions helped develop the content for the book. Each chapter covers a specific country, giving a background on the privacy framework for that country, detailing key issues in relation to advertising, and concluding with opinions from the author of that chapter as to the state of privacy in that country. To improve readability of the book, GALA divided the book into two parts. Part one focuses on countries outside the European Union, while part two starts with an overview of the GDPR and then focuses on countries within the European Union that are subject to the GDPR. The digital version of the book includes both parts.
While there are great differences in the ways that privacy is addressed around the world, there are certainly some key trends across jurisdictions:
- Countries are more focused than ever before on privacy, and many are developing robust laws with harsh penalties. However, compliance can be difficult because laws often are not technologically agnostic and struggle to fit advancements in technology.
- The types of consumer data considered to be personally identifiable have broadened substantially. Information previously treated by the advertising ecosystem as “de-identified” or “anonymous,” such as IP addresses and Ad IDs, could fall within scope of privacy laws.
- Transparency and choice are becoming universal concepts. Privacy laws around the world accept the notion that consumers have the right to know what information is being collected from them and the purposes for which it is being collected. They also frequently give consumers the right to limit use of their information for marketing purposes. Depending on the jurisdiction and other factors, choice may require opt-in or opt-out consent.
- Practices that are not specifically prohibited by law could still violate the law or create public relations issues if those practices do not meet the reasonable expectations of consumers. Providing better notice to consumers and avoiding “creepy” practices can help address potential issues.
- In response to globalization, some countries have instituted strict data localization requirements. Cross-border data flows require additional consideration.
- Global data security and breach response obligations have dramatically evolved over the past decade, playing catch up to those already found under U.S. law. Violations often carry harsh penalties.
- Privacy regulation comes not just from lawmakers, but also from the platforms and browsers from which data is collected. Changes to their policies and technology have a fundamental impact on the advertising ecosystem and privacy compliance efforts.
- Profiling and automated decision-making carry increased scrutiny. Many jurisdictions impose specific obligations, such as internal assessments, around related data processing.
- Jurisdictions do not always align on balancing privacy, surveillance, and freedom of speech. Companies should aim to understand local belief systems and practices when processing data about consumers related to that jurisdiction.
It is important to note that this book reflects a snapshot in time and was developed prior to the COVID-19 pandemic of 2020. As such, the content does not address the impact of COVID-19 on privacy law. Countries around the world have taken measures to combat COVID-19, including through development of apps designed to trace the spread of COVID-19 that rely on the processing of vast amounts of consumer data. These measures may have a short term impact on privacy rights and expectations, and could ultimately result in long term increased privacy regulation as consumers become more concerned about how their data is used. We reserve discussion of the impact of COVID-19 for the next edition of this book.
A big thank you to all of the GALA members around the world who contributed to this book. Special thanks to Stacy Bess (Executive Director of GALA), Jeff Greenbaum (Chairman of GALA), and Soren Pietzcker (who helped coordinate guidance related to the EU). We also want to thank the GALA members who served on the organizing committee to help think through the topics to cover in the book, including Georg Huber, Lyric Kaplan, Lixia Lin, Bryony Long, Jamie Mantilla, Alejandro Massot, Alexander Milner, Denise Miranda, Oscar Molina, and Justina Zhang. And thank you to IAA for its collaboration efforts, especially Srinivasan Swamy (Chairman & World President of IAA), Carla Michelotti (Global VP of Government Affairs of IAA), and Dagmara Szulce (Managing Director of IAA). This book would not be possible without all their hard work.
On behalf of GALA, we appreciate you choosing to read our book, and hope you find it to be a valuable resource.
Frankfurt Kurnit Klein & Selz, PC
May 15, 2020