As discussed in my previous blog post, several of us at Boltive got the opportunity to travel to DC to attend IAPP’s Global Privacy Summit (GPS) at the beginning of April.

In reviewing my notes and thinking about what might be most interesting to those who couldn’t make it, I kept returning to the regulator sessions because I hear so many myths and misconceptions about regulators, regulations, and enforcement as I talk to people in the marketing and privacy worlds.

The sessions I attended featured regulators from across the world, including US regulators at both the state and federal levels. Even though there are differences and nuances across jurisdictions, a number of common themes emerged, and a lot of common myths were busted.

In my previous post – part 1 – I summed up what I heard regulators tell us they want us to know.

And in this post – part 2 – I will sum up what I heard them tell us they want us to do.
‍

Make a Good Faith Effort

A common theme among the sessions is that the regulators honestly understand that compliance is challenging.

As Michele Lucan (Connecticut) put it, “We are not looking for perfection, we are looking for proactivity, and your ability to show your homework.”

The regulators want us to read the regulations and engage with the guidance they are publishing (see my previous post for examples) to understand our obligations, and then take action. Yes, this means companies have to roll up their sleeves and invest some effort: get policies and procedures in place, make sure rights fulfillment mechanisms work, update vendor contracts and privacy notices, and so on.

It can be a lot of ground to cover while juggling all the other demands of a business environment whose pace seems to never stop accelerating, but there is no getting around it. And the longer a company waits to start, the riskier the bet. When a regulator sends a letter, a company typically has a short amount of time (ex. 30 days) to respond with all relevant documents.

And yes, building up your documentation over time is important. US and EU regulators have been saying publicly – for years now, not just at GPS – that companies get credit for making a good faith effort. Documents and paper trails that demonstrate that good faith effort matter.

If you start when you get the letter, it’s already too late.

‍Michael Macko, Deputy Director of Enforcement of the California Privacy Protection Agency, also underscored the importance of getting documentation in place – not just the documentation of your policies and processes, but also documentation of your own internal enforcement of those policies, such as records around staff training and disciplinary actions taken for lapses.

From the technology side, where I spend my days, I would build on that to suggest adding details about how you are enforcing data sharing clauses in your vendor contracts, how you are monitoring governance of your site technology, and how you handle lapses there, as well.
‍

Regulators’ Priorities for 2024

As with the regulations themselves, there are nuances across jurisdictions, but we heard broad alignment on key priorities this year:

1. Targeted advertising, especially related to kids and teens. 12 out of 13 US state privacy laws in effect or going into effect this year specifically call out targeted advertising as an area of particular concern. Whether or not you agree that advertising is a high risk activity, expect scrutiny in this area across the US and Europe.
2. Operationalization of core requirements. There are lots of nuances in regulation, but there are “gateway issues,” as Michael Macko (California) called them, that need to be firmly in place at this point across multiple jurisdictions and countries. These include things like proper privacy notice updates, timely fulfillment of consumer rights requests – including the right to opt out of Sale/targeted advertising – and avoidance of manipulative patterns in consumer privacy interfaces.
3. Facial recognition, AI, and automated decision making. This is a broad topic, but to start, companies need to dig deeper with vendors who are incorporating AI in their products, to ensure they understand what’s happening and where the risks are.

The panelists across all jurisdictions noted that priorities can shift based on media reports, consumer complaints, and legislative direction, as well as their ongoing cooperation and coordination with other regulators. Keep an eye out for press releases from the regulators where you do business.

In the meantime, consider where these priorities map to your current business practices. Do you have a blind spot around data sharing in your digital ad supply chain? Are you sure your opt-out mechanism for targeted advertising is effective? When was the last time you checked that your consumer rights request mechanisms are working as expected? Are your vendors adding AI features without informing you?


Digital, on the whole, is going through a rapid period of evolution as we adjust to the reality of new regulations and heightened consumer expectations. The technology can be hard to wrangle; business processes and organizational complexity harder still. As our industry works through these growing pains, and learns what this new regulated landscape means for companies, we should take the regulators at their word: get proactive, read the regs and guidance, make a good faith effort to comply.

Every day, Boltive helps companies work through these steps, as well as automate the monitoring of sites and offsite digital ad campaigns. To find out more about how we can help you, as well as get a complimentary scan of your site, please reach out!