Advertising Group Taking Note of Signals from State and FTC Enforcers

IAB is an advertising trade group with a mission that includes setting industry standards on policy issues like privacy. Among its members are Amazon Ads, Comcast, Disney, Discord, Meta, Fox, Google, Healthline Media, Microsoft, Samsung, Snapchat and TikTok.

IAB Executive Vice President & General Counsel Michael Hahn, in an interview, highlighted recent action against Honda, Healthline, Mobilewalla and Gravy Analytics. He also discussed IAB’s response to kids’ privacy bills like the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) (see 2506250045) and DOJ’s data transfer rule (see 2507030050).

Enforcement signals to companies they “need to have their act together,” he said. “They need to monitor what they’re doing. They need to monitor what their partners are doing.”

He noted the California Privacy Protection Agency, in cases against Honda (see 2503120037) and Healthline (see 2507010074), showed the state is focused on companies complying with contractual requirements under the California Consumer Privacy Act. The CCPA requires companies to execute contracts with specific privacy protections when they sell data to third parties.

The California agency alleged Honda shared consumer data “with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

In the Healthline case, the CCPA alleged the company didn’t ensure its “advertising contracts contain privacy protections for readers’ data required by the CCPA. Instead, Healthline had assumed, but not verified, that the third parties had agreed to abide by an industry contractual framework.”

Both cases show that contractual requirements will be a focus for California enforcers, said Hahn.

The FTC’s cases against Mobilewalla and Gravy Analytics (see 2501140072) were “very significant” enforcement actions with novel use of the agency’s Section 5 authority, said Hahn. His comments echo what former Consumer Protection Bureau Director Samuel Levine told Privacy Daily in a June interview (see 2506240055). In the Mobilewalla case, the FTC argued the company’s bidding exchange practices violated their contracts, alleging it didn't “contractually require its suppliers to obtain consumer consent.”

“That was the first time seeing anything of that specificity being declared as an unfair practice,” said Hahn.

He noted how FTC Chairman Andrew Ferguson, then a commissioner, in his statements in both cases highlighted how a company needs to verify consent when compiling a large amount of data. Data brokers “that purchase sensitive information cannot avoid liability by turning a blind eye to the strong possibility that consumers did not consent to its collection and sale,” Ferguson said in his statement about the cases. “The sale of precise location data collected without the consumer’s consent poses a similarly unavoidable and substantial risk of injury to the consumer as does the sale of the non-anonymized data.”

Like the enforcement actions, DOJ’s data transfer rule and the FTC’s new authority under a law forcing ByteDance to divest TikTok (see 2506180071) signal to industry that companies need to perform a high level of due diligence in terms of understanding their data flows, he said.

Hahn mentioned how enforcers are particularly focused on geolocation data. IAB opposes legislation that doesn’t let consumers consent to the collection of such data, he said: “Consumers should have the ability to exercise meaningful choice.”

Likewise, parents should have the ability to consent to allowing companies to deliver targeted advertising to children, he said. COPPA 2.0 would ban targeted advertising for children up to the age of 16. IAB is “troubled” when legislation proposes blanket bans, he said: IAB’s position is that “parents should have the right to provide consent for their kids to receive targeted advertising that’s appropriate to them.”