GDPR Advertising IAB

Ad world flocks to Congress urging federal data privacy legislation

By Andrew Blustein, Reporter

February 26, 2019 | 4 min read

Leaders in advertising and consumer privacy have descended upon Washington, DC to push Congress to pass federal legislation on data protection that dodges the pitfalls of GDPR and avoids a patchwork of state-by-state laws.

Congress hears testimony on the future of consumer data protection

Congress hears testimony on the future of consumer data protection

Testifying in front of the House Committee on Energy and Commerce, IAB executive vice-president for public policy, Dave Grimaldi, said Europe’s GDPR and California’s Consumer Privacy Act (CCPA) are overly restrictive.

“While well-intentioned, their rigid frameworks impose significant burdens on consumers, such as rampant over-notification leading to consent fatigue in consumers and creating an indifference to important notices regarding their privacy.

“At the same time, these regimes fail to stop many practices that are truly harmful to consumers. These laws also display a misguided antagonism toward online advertising and fail to recognize the various ways in which digital advertising subsidizes the rich online content and services that consumers want,” said Grimaldi.

Without federal legislation, the fear is an amalgamation of state laws that present confusion and challenges for consumers and advertisers.

Since the enforcement of GDPR in Europe, programmatic advertising has dropped between 25% and 40% across exchanges, according to Grimaldi. Also, over 1,000 US-based publishers aren’t delivering content in Europe because of their inability to run ads at a profit.

Other testimonies came from individuals at Color of Change, American Enterprise Institute, Business Roundtable and the Center for Democracy and Technology.

Roslyn Layton, visiting scholar from the American Enterprise Institute, said GDPR allows for overreaching consumer privacy protections, and that any federal regulations in the US must stick with the country’s tradition of the public’s right to know.

“The law should make distinctions between personally identifiable information which deserves protection, but not require same high standard for public data, de-identified, and anonymized data which do not carry the same risks. Unlike the GDPR, the US policy should not make it more expensive to do business, reduce consumer freedom, or inhibit innovation,” said Layton.

She added that GDPR severely limits small- and medium-sized businesses, as the average 500-employee company must spend $3m to comply with GDPR. If a similar regulation were passed in the US, compliance would cost American companies up to $150bn.

Brandi Collins-Dexter, senior campaign director at Color of Change, said any coming federal regulation should require companies to be transparent about how their data collection informs automated decision-making as to protect against discriminatory uses of big data.

“The Federal Trade Commission currently has no power to enact privacy rules since they have no jurisdiction over internet service providers; their privacy framework is a non-binding set of recommendations that require industry self-regulation; and they have shown an unwillingness to forcefully exert what power they do have. What we need is clear, federal baseline legislation that does not preempt innovative state policy laws but ensures basic rights for everyone in the United States,” said Collins-Dexter.

Congress will hear more testimony tomorrow (27 February) on the issue.

Among others, IAB chief executive officer Randall Rothenberg will speak in front of the Senate Committee on Commerce, Science and Transportation.

In his pre-released prepared testimony, Rothenberg said CCPA’s lack of clarity allows unregulated third parties to access user data “in the guise of facilitating consumer requests,” and that federal legislation should learn from these missteps and create clear and flexible privacy protections.

Rothenberg said any new law should distinguish between threatening and non-threatening data practices rather than take a “broad-brush approach to all data collection,” and that the law should create stringent “safe harbor” processes that incentivize strong and universal compliance.

GDPR Advertising IAB

More from GDPR

View all


Industry insights

View all
Add your own content +