
How Digital Media & Ad Tech Firms Are Handling Stronger Privacy Regulations

by Jonathan LaMantia, Mirena Taskova, Brian Petersen
May 07, 2021

With growing consumer concern and recent regulatory changes restricting the use of personally identifiable consumer data, privacy is becoming more important and is increasingly being blended with cybersecurity efforts at companies across the web.

Advertising technology (ad tech) firms, digital media firms and consumer brands are reacting to significant regulatory and industry-driven changes to the methods by which customers are identified and tracked online.

Within the ad tech and digital media sectors, companies realize that as they obtain consumer data, they gain a corresponding need to protect that data and to demonstrate compliance with all applicable regulations. Doing so is crucial to maintaining consumer and brand trust, both of which are vital to the success of the online advertising ecosystem.

Changes to Digital Media Platforms

Google announced in March 2021 it would phase out the ability of websites to track users, after saying in 2020 it would stop supporting third-party cookies (which log the sites users visit) in its market-leading Chrome browser. The company will also stop selling web ads targeted to individual users’ browser histories.

Instead, Google is advocating the use of browser data to group web users into broad categories based on their interests, and for advertisers to target those interests instead of individual consumers. (The company will continue to track individual users across Google-owned sites including its search engine, Gmail and YouTube.)

Apple released App Tracking Transparency in late April 2021 as part of an iOS update. The feature requires developers to get affirmative permission from users to track app and web usage on their devices, and to collect and share iPhone data. Leading online platforms including Facebook say this change will hinder their ability to serve relevant ads to consumers.

These tech industry changes come in the wake of existing and new regulations including the General Data Protection Regulation (GDPR) enacted in 2018 by the European Union, and the California Consumer Privacy Act (CCPA), which took effect in 2020 and will be amended in 2023.

Similarly, the Brazilian General Data Protection Law, which also came into effect in 2020, creates a legal framework for the use of personal data of individuals in Brazil — regardless of where the data processor is located.

Brazil’s law, closely modeled after the GDPR, provides data subjects with specific rights about how their data is used, provides a legal definition of personal data, and creates guidelines for processing personal data lawfully.

In broad terms, these laws place restrictions on the ability of companies to collect and share consumer data without having a proper legal ground (e.g., consent), and they’ve greatly increased attention on the use of data collected online and a need for companies to safeguard consumer data and protect user privacy.

Compliance Frameworks

In response to regulatory and market changes, a growing number of companies are using external frameworks including ISO 27001 and ISO 27701, the NIST Privacy Framework, the NIST Cybersecurity Framework, and SOC 2 to demonstrate compliance and a commitment to security and privacy.

More companies are seeking some form of assurance that their business partners adhere to the most recent privacy and cybersecurity practices, and ad tech and digital media firms are increasingly seeking such mechanisms to highlight their privacy and security capabilities.

The NIST Privacy/Cybersecurity and ISO 27001 and 27701 frameworks establish requirements for managing the privacy practices of the organization and the security of the data a company holds, including consumer information, data entrusted to the company by a third party (such as a business partner), and other categories of data.

ISO 27701 outlines requirements for creating a Privacy Information Management System (PIMS). A PIMS blends policies and procedures with privacy management technology and employee training to help a company manage, store and share personally identifiable information (PII) within regulatory requirements. 

ISO 27001 is a prerequisite for 27701, so companies have to achieve both standards to demonstrate GDPR compliance.

Similarly, a SOC 2 review provides standards for evaluating how well a company’s information protection controls operate. The evaluation assesses an organization’s controls relevant to, among other aspects, processing and storing customer data securely and maintaining data privacy.

These frameworks demonstrate a company’s ability to protect the confidentiality, integrity and availability of sensitive information, and they can serve as demonstrable proof of a company’s ability to protect customer personal data while helping the organization ensure privacy and cybersecurity compliance.

Where to Start

For a company in the ad tech/digital media sector, an important early step in adjusting to these industry and regulatory changes is conducting privacy and cybersecurity audits/assessments to evaluate its current data collection and user privacy practices, and its cybersecurity posture.

These audits/assessments compare your practices to current regulatory and consumer expectations, help identify key data privacy and cybersecurity risks and controls, and provide guidance about addressing privacy and cybersecurity-related risks and potential compliance gaps.

If you have questions or want to learn more about how to protect your data and maintain regulatory compliance, contact our data privacy experts.

Authors
Mirena Taskova, Managing Director, Head of Privacy and Cybersecurity, Armanino (San Jose, CA)