In the evolving domain of data-driven marketing, the phrase “Data is the new oil” may be catchy. However, it understates the potential dangers that lurk when handling sensitive data. Much like crude oil refining, the process of managing high-risk data demands a very cautious approach. While it might not be a perfect metaphor, the legal landscape is making sure that companies who mishandle sensitive data are held accountable.
State privacy laws classify the processing of sensitive data, including biometrics, geolocation and personal attributes, as “high-risk.” States like Connecticut, Virginia and Colorado require comprehensive privacy impact assessments. California mandates two assessments. One is for cybersecurity and another is for assessing potential “significant risk” to consumers in personal data processing.
The specific requirements for conducting these assessments remain unfinished. The California Privacy Protection Agency (CPPA) has drafted cybersecurity and risk assessment regulations and discussed them during a recent board meeting in early September. While the preliminary comment period has closed, the CPPA is still gathering feedback as these regulations circulate.
What do ad tech companies need to know about these risk assessment rules? Julie Rubash, Chief Privacy Officer and General Counsel at data privacy software company Sourcepoint, points out that while it is important to follow these requirements, they should not come as a surprise to companies already familiar with GDPR or compliance with other US regulations.
Rubash believes that conducting risk assessments can be beneficial in laying the foundation for a comprehensive privacy compliance program. However, businesses must remain aware of the differences between various data privacy regulations.
Enforcement authorities tend to prioritize substantive violations over technical issues when companies make genuine compliance efforts. Expectations for enforcement under the California Privacy Rights Act align with this approach. However, the evolving landscape means past practices may not predict future behavior. Regardless, ensuring compliance with privacy regulations remains a top priority for ad tech companies grappling with high-risk data.