Regulators Look Beyond Privacy Policies in Reviews, ANA Panelists Say
CHICAGO -- Privacy regulators are looking beyond a company’s privacy policy when they review its advertising practices, said panelists at an Association of National Advertisers (ANA) ad law conference Monday. That can help or hurt an entity under investigation, they said. Also, panelists said it’s important to convey the value of privacy, not just its costs, in business conversations.
Versant Chief Privacy Officer Chris Tarbell has seen “a lot of regulators reviewing things beyond just the privacy policy,” he said. They also look at agency websites, including marketing pages about internal services, and even news articles in Ad Age, to check what companies are “saying about what they can do.”
Wilson Sonsini privacy attorney Maneesha Mithal agreed. When Mithal worked at the FTC, the lawyer encountered a myth that “if you don’t say it in the privacy policy, then the regulator can’t go after you,” she said. But the regulator looked at additional things, including the user interface (UI), privacy settings, blog posts and CEO statements to shareholders, she said. If a business tells a regulator it “can’t figure out this opt-out for technology reasons, and then the regulator sees [later] that you’re touting your ability to figure out this technology to unlock ad revenue, that’s going to look really bad.”
This investigative method used by regulators may also help companies defend their practices, noted Tarbell. “In cases that I have worked on that were not announced,” he said, “pointing to things beyond the privacy policy is very effective” in demonstrating customers’ expectations. Those materials may include what’s in the UI, welcome emails and frequently asked questions webpages, said the CPO: Citing such “alternative locations” for communicating ad practices with customers can go “a long way … in helping to defend your practices.”
Mithal listed many state and federal privacy rules and laws coming into effect soon, including three states’ comprehensive laws on Jan. 1 and a variety of sector-specific bills passed earlier this year in California and elsewhere. Asked which recent development gives him the most concern, Tarbell replied, “All of the above.”
The Versant CPO noted that what he often hears from businesspeople across industry is that they “don’t understand how these things really impact them.” For example, many people who have been involved with health care ads for a long time need an explanation about how Washington state’s My Health My Data privacy law applies to them, he said.
Also, many businesspeople consider privacy a “cost center” because of litigation risk and the price of compliance, he said. “I'm sympathetic to that,” he said. “But what can privacy teams -- or advertising legal teams along with their privacy counterparts -- do to show the value that privacy compliance comes with?”
Neil Johnson, United Airlines privacy counsel, agreed. “Cookie banners, consent language [and] all of that needs to be communicated and educated with your teams on that value.” With age verification, for example, it’s important to communicate that “this is a value to the consumer and protection of their child -- and that’s what the regulators are concerned about.”
Many in the industry are still considering deprecating third-party cookies, the panel said. “Google chickened out” by recently deciding not to phase out cookies in its Chrome browser, noted Johnson. However, “deprecation of third-party cookies is still a thing that is being considered by a number of businesses because of the concern by regulators.”
While privacy enhancing technologies (PETs) have emerged as a potential replacement for cookies, with the promise that they can allow for targeted advertising without sharing data, Johnson said it’s important to “dig under the hood.”
“At the end of the day, the company that is using it is going to be responsible,” he said. “Privacy enhancing does not mean privacy-compliant, or … removal of your privacy obligations.”