The 7 legislative developments that will disrupt the global advertising ecosystem

While the world’s largest tech companies are making consumer-centric changes with an outsized impact – from Google’s deprecation of third-party cookies to Apple’s increasingly privacy-focused iOS changes – legislatures around the world are also making waves.

At this point, any developer, advertiser or publisher who believes that the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the only privacy laws likely to impact their business is sorely unprepared for what’s to come.

Though many developments take years to materialize, a handful of recently proposed and enacted legislative changes pose new considerations, challenges and opportunities for players in the global advertising ecosystem.

Here are the latest developments and key movements to watch.

1. The EU’s new Digital Services Act forbids profiling with sensitive data

The Digital Services Act (DSA), which alongside the complementary Digital Markets Act aims to create more stringent rules for content on online platforms, received its final approval last week by the EU Council.

Now awaiting the signatures of the president of the European Parliament and the president of the EU Council – more formalities than obstacles – the DSA will apply to all marketplaces, online platforms and hosting services that service the EU, regardless of where they are headquartered.

The DSA is broader than a purely privacy-focused bill. It requires online platforms to publicly disclose specifics about their content moderation technologies and practices, establishes new legal criteria for platforms’ liability when it comes to disseminating illegal content and cracks down on deceptive or manipulative design features often referred to as ’dark patterns’. It also sets out new rules around due diligence and risk mitigation for the world’s biggest online platforms.

Though it’s primarily platforms under the gun of the DSA, advertisers won’t get away scot-free. “The DSA will have a very, very relevant impact and a broad impact on marketers,” says Gabriela Zanfir-Fortuna, vice-president for global privacy at the Future of Privacy Forum, a Washington, DC-based thinktank and data privacy advocacy group.

In particular, the DSA establishes two new requirements that will reshape ad targeting. Under the law, sensitive data – which may include categories of information such as bank details, passport numbers, medical records and race and religious affiliation – cannot be used to profile users and cannot be the basis of targeted advertising to individuals. Plus, under the DSA, children’s data cannot be used for profiling or targeted advertising.

The law will become effective 15 months after it is published in the Official Journal of the EU – which is expected to happen shortly.

And the DSA is just the first of a “new generation of data governance laws,” according to Zanfir-Fortuna. With more stringent rules around content moderation and transparency around content online, she predicts that other jurisdictions will soon adopt similar laws.

2. The UK ditches GDPR, promises to create a new ‘business-friendly’ bill

In a move that reflects the country’s current political landscape, Britain last week announced it is scrapping the EU’s comprehensive privacy framework in favor of a new, yet-to-be-determined policy that is likely to be more lax on businesses.

“We will be replacing GDPR with our own business- and consumer-friendly British data protection system,” said culture secretary Michelle Donelan in an address at the Conservative party’s annual conference. “I can promise ... that it will be simpler, it will be clearer for businesses to navigate. No longer will our businesses be shackled by lots of unnecessary red tape.”

The GDPR, which went into effect in 2018, has become something of a gold standard for other privacy legislation around the globe. It includes far-reaching protections for consumers and puts consumer consent at the heart of businesses’ data dealings.

For now, it’s unclear when a new UK privacy law will come down the pipes.

3. Indonesia establishes new protections for citizens living abroad

Indonesia’s parliament last month ratified a comprehensive data protection law. Per Zanfir-Fortuna, it’s a major development. “This was a very long journey for them. The bill was published years ago and they finally adopted it.”

The new law, dubbed the Personal Data Protection Act (PDP), establishes impressively strong protections for Indonesian consumers. In many ways, it looks very much like its muse in the EU: “It is very much in sync with the GDPR – it has a very broad scope of application, broad definitions of personal data and obligations for controllers,” says Zanfir-Fortuna.

However, it is meaningfully different – and farther-reaching – than the GDPR and other lookalikes in one critical way: it includes a broad extraterritorial provision that protects all Indonesian citizens living both in and outside the country. It will apply to all people, organizations and public bodies carrying out any legal action as delineated in the PDP.

For advertisers, the PDP creates the added challenge of ensuring that all data collection and data transactions that involve Indonesian citizens – no matter where they are located – are in compliance with the law.

Plus, Indonesia will impose sanctions for the mishandling of personal data under the law, which may include prison terms of up to six years for falsifying personal data for personal gain.

The PDP will go into effect on a date determined by the Minister of State Secretariat and businesses will have two years to come into compliance with the new regulations.

4. The ePrivacy Regulation looms

The ePrivacy Regulation, meant to replace the ePrivacy Directive of 2002, is a proposed bill that would more strictly regulate privacy in both telecommunications and online communications.

The bill, as it is currently formulated, would create more user-friendly rules for cookies, establish new rules around email- and telephone-based direct marketing, require many types of metadata to be anonymized or deleted if consumers do not provide express consent and apply to a broader range of players in the ecosystem. If passed, it will complement and help regulators interpret GDPR.

Though it was proposed in 2017 with the intent of going into full effect in 2018, the bill has stagnated in recent years as regulators struggle to reach common ground.

“There is a significant amount of disagreement between the European Parliament’s position on it and the EU Council’s position,” explains Zanfir-Fortuna. “The Parliament has a very, very pro-consumer, pro-individual rights stance on specific requirements in the privacy regulation. The Council has more of a balanced approach … perhaps even pro-business. It’s very difficult for them to meet in the middle.”

Getting the ePrivacy Regulation back on course has been so difficult, in fact, that Zanfir-Fortuna says there “have been some rumors” that the Commission may withdraw the proposal altogether and come back with a new from-scratch version – an extremely rare occurrence in EU lawmaking.

Some are more optimistic that the bill is well on its way to being adopted. “The GDPR also took years to negotiate. The process has taken longer than expected, but it seems to be moving,” says Austin Mooney, a global privacy and cybersecurity associate at international law firm McDermott Will & Emery.

At the same time, he’s not confident that the ePrivacy Regulation, if signed into law, will help alleviate the pains of navigating a patchwork of privacy laws in the EU. “Marketers in Europe face the triple jeopardy of GDPR, the ePrivacy Directive and other country-specific laws, each of which establish different and sometimes conflicting requirements,” he says. “Although there are hopes that the ePrivacy Regulation will smooth out some of these edges, current drafts still leave significant decisions up to EU member states and may only add to the complexities facing marketers in Europe.” In particular, he says, things could look especially tricky for B2B players, who may have to comply with an additional layer of consent frameworks around B2B marketing.

For now, there is little information available about the proposal’s outlook or timeline, but players in the communications and digital ecosystems remain on alert.

5. The US prepares to enact five new state privacy laws as a federal bill is debated

Across the pond, the US is gearing up to enact five new state-level data privacy bills, in California, Colorado, Utah, Virginia and Connecticut.

They each differ in their details but look similar to CCPA, which was the US’s first GDPR-like comprehensive privacy bill. All five laws, which will go into effect in 2023, include data minimization clauses that require businesses to cut down on the amount of consumer data they collect and store. They also allow consumers to opt-out of profiling, data sales and targeted advertising. Each law has its own specific applicability language.

In the backdrop, the US is closer than it has been in decades to passing a sweeping federal privacy bill in the American Data Privacy and Protection Act (ADPPA), which in July was voted out of the House Energy and Commerce Committee and advanced to the full House of Representatives.

Industry stakeholders say the ADPPA, in its current version, goes too far. “The initial draft … [received] a lot of feedback,” says Lartease Tiffith, executive vice-president for public policy at the Interactive Advertising Bureau (IAB) and a former public policy manager at Amazon and senior counsel to then-Senator Kamala Harris. The bill’s sponsors took feedback from industry players including the IAB, Tiffith says, which resulted in a proposal that, “we didn’t love, but we didn’t hate.” Then, he says, when the full Committee assembled, sponsors “introduced a whole new bill basically 24 hours before the markup [that] removed a lot of the things that we had negotiated.” The outcome? According to Tiffith, “a bill that would wreck our industry,” with harsh restrictions on the use of third-party data and even first-party data.

And although the bill initially garnered bipartisan support and appeared to have decent prospects in the House, the ADPPA has hit some stumbling blocks of late. Last month, House Speaker Nancy Pelosi said she would not hold a House vote on the bill in its current version. She promised to work with Committee Chair Frank Pallone on the proposal, but did not indicate her intentions – whether to improve or to axe the bill.

Tiffith, for his part, is losing faith that a comprehensive federal privacy bill will come to fruition in the immediate future. But it may be on the horizon. “I’m a little pessimistic at this point. I was very optimistic at the beginning of the year,” he says. “We’d love to see federal privacy done. But unfortunately, I think we’re going to have to wait until the next Congress … it’s going to depend on the election, who’s in power next year and so forth.”

6. India proposes internet bill that could green-light China levels of state surveillance

Just a month after India scrapped a personal data protection bill that had been in the works for a half-decade, the country in September proposed a replacement to its colonial-era communications law, the Indian Telegraph Act. The new proposal – the Indian Telecommunication Bill – is aggressive in its aims to cement a surveillance regime.

If the bill becomes law, Indian citizens would lose a handful of critical data privacy and security rights. The law would force major communications platforms like Gmail and FaceTime to grant the government the power to “unequivocally identify” specific customers.

Perhaps most shockingly, the bill seeks to give Indian authorities the OK to bypass encrypted messages – a move that would strip regular consumers of key privacy rights and also pose particular dangers to whistleblowers and dissidents.

“These provisions essentially strip away the user’s right to stay anonymous,” the Internet Freedom Foundation, a New Delhi-based thinktank, told the Washington Post. “Such a broad and excessive requirement, in the absence of a data protection law, fails to prioritize user safety and security.”

At this time, experts believe it’s unlikely that India will replace the privacy bill it recently ditched with any EU-like protections for consumers. Zanfir-Fortuna notes that “we might see something like a package of data governance-type laws [that are] DSA-like,” but the future of consumer data rights remains unclear in India.

7. Biden signs executive order on EU-US data transfers

Last Friday, October 7, US President Joe Biden signed an executive order establishing new rules on cross-border data transfers.

Though not executed via the US’s legislative branch, executive orders are mandatory requirements out of the executive branch that have, in essence, the same effect as federal law.

The highly anticipated order serves as a replacement of the EU-US Privacy Shield, a legal framework that in 2016 created rules dictating the transfer of personal data between the two jurisdictions.

In particular, the executive order addresses concerns over the privacy and security practices of US intelligence agencies. Under the new order, US intelligence agencies will be required to update their policies and procedures to meet new privacy requirements. Agencies will also be subject to annual audits by the independent Privacy and Civil Liberties Oversight Board.

“The EU-US Data Privacy Framework includes robust commitment to strengthen the privacy and civil liberties safeguards for signals intelligence, which will ensure the privacy of EU personal data,” said Commerce Secretary Gina Raimondo to members of the press on October 6.

The news has been well-received by tech players – whose businesses require frequent international data transfers. “We welcome this update to US law which will help to preserve the open internet and keep families, businesses and communities connected, wherever they are in the world,” tweeted Meta’s president of global affairs Nick Clegg.

The EU will assess the executive order before it reinstates data transfer mechanisms.

Presuming that the new version of the Privacy Shield is approved, organizations will be able to access data on consumers in both the EU and the US – an especially valuable right for advertisers and publishers.

The topic of cross-border data transfers is an increasingly hot one in the advertising ecosystem, says IAB’s Tiffith. “How we go about getting and processing data that’s being used in the EU and outside the EU is important [for the US advertising world]. That’s a really, really tough issue,” he says. “That’s something that a lot of companies … are paying attention to.”

For more on what marketers and their partners need to do to succeed on a global level, check out The Drum’s Globalization Deep Dive.