privacy regulations Archives - AdMonsters https://live-admonsters1.pantheonsite.io/tag/privacy-regulations/ Ad operations news, conferences, events, community Thu, 22 Aug 2024 18:15:25 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.1 The Ad Tech Ecosystem was Never Built for Privacy https://www.admonsters.com/the-ad-tech-ecosystem-was-never-built-for-privacy/ Wed, 21 Aug 2024 19:10:26 +0000 https://www.admonsters.com/?p=659787 One thing that Jamie knows to be true is that "the landscape is changing rapidly, and those who fail to adapt will find themselves in precarious positions." By approaching compliance as a partnership between publishers, brands, and consumers, unique publishers can create a more bespoke advertising experience while upholding privacy principles.

The post The Ad Tech Ecosystem was Never Built for Privacy appeared first on AdMonsters.

]]>
As the ad tech industry integrates more advanced technology and automation, many diverse, small, and niche publishers are caught in the crosshairs of tightening regulatory requirements.

Navigating these complex challenges is essential for maintaining trust with consumers and brands.

Unique publishers (diverse, small, and niche) must navigate these complex waters to maintain their competitive edge in an industry where data privacy and transparency are under intense scrutiny. According to Jamie Barnard, CEO of Compliant, “The ad tech ecosystem was never built for privacy,” making it especially challenging to retrofit existing systems.

These smaller players are vulnerable, with privacy concerns mounting and regulations becoming stricter. They may not attract the same advertising spend as larger entities. Still, compliance with privacy laws is critical—not only for legal reasons but also for preserving their relationships with advertisers.

During our conversation with Jamie Barnard aboard a yacht in Cannes—over cheese and pepperoni—we discussed how brands and agencies can support unique publishers in navigating compliance challenges. He stressed the importance of adapting to the rapidly changing landscape. “Those who fail to adapt will find themselves in precarious positions,” Bernard warned. By approaching compliance as a collaborative effort between publishers, brands, and consumers, these publishers can create bespoke advertising experiences while upholding essential privacy principles.

Why Building Strong Compliance Models Matters More Than Ever 

Developing robust compliance models is no longer optional for unique publishers, it’s essential.  These models should go beyond merely responding to current regulations. They should be proactive frameworks anticipating future changes. Flexibility and adaptability are key to ensuring these publishers can withstand the inevitable shifts in the regulatory environment.

Creating a culture of compliance involves more than simply adhering to rules. It requires a deep understanding of privacy and data protection. This is particularly crucial given the widespread use of third-party tracking and data leakage — practices increasingly under scrutiny. As awareness of these issues grows, larger brands and consumers demand higher transparency and accountability from their partners.

“In our industry, where trust is everything, compliance is the foundation,” Bernard said. “When we approach compliance as not just a checklist, but a genuine commitment to our audience’s well-being, we unlock the potential for deeper connections and long-lasting loyalty.”

Publishers must go beyond compliance to educate their teams and stakeholders on this importance. By cultivating a culture of awareness and diligence, they can embed compliance into every facet of their operations. This shift will mitigate risks and bolster the publisher’s reputation in an industry where consumer trust is increasingly paramount.

Ad Tech’s Role in Adapting to Regulatory Changes

The ad tech industry’s transformation is largely driven by the need to comply with evolving privacy laws. While these changes may seem reactive, they present new opportunities for innovation in both technology and operational practices. With Google’s new 3PC consent framework, smaller publishers have a huge role in reshaping the industry standards moving forward. 

Smaller publishers should leverage technology as a compliance tool to take advantage of this shift. For example, artificial intelligence and machine learning can monitor data practices, identify potential compliance issues, and automate consent management processes. These technological advancements not only streamline operations but also enhance the precision and effectiveness of compliance efforts.

 As regulatory demands evolve, ongoing education and experimentation are crucial. Publishers should stay informed about the latest trends and changes, adapting their strategies as necessary. Abrupt changes brought about by decisions like Google’s back-and-forth dance with turning off third-party cookies, serve as a stark reminder of how quickly things can shift. 

Continuous learning should be embedded in the organizational culture, positioning compliance as not just a set of rules but as a dynamic practice driving industry evolution. With the U.S. regulatory environment beginning to catch up with the EU’s more stringent standards, the pressure to adapt has never been greater. As Bernard pointed out, education, transparency, and consumer empowerment must be top priorities for publishers moving forward.

The post The Ad Tech Ecosystem was Never Built for Privacy appeared first on AdMonsters.

]]>
What Is the American Privacy Rights Act (APRA) of 2024? https://www.admonsters.com/what-is-the-american-privacy-rights-act-apra-of-2024/ Wed, 17 Apr 2024 14:07:22 +0000 https://www.admonsters.com/?p=654996 On April 7, 2024, Chairs Cathy McMorris Rodgers (R-WA) and Maria Cantwell (D-WA) jointly introduced The American Privacy Rights Act (APRA.) If passed, this legislative proposal would establish a federal privacy framework that would disrupt the current fragmented data privacy framework. APRA strongly emphasizes empowering American consumers with greater control over their personal information.

The post What Is the American Privacy Rights Act (APRA) of 2024? appeared first on AdMonsters.

]]>
On this week’s docket, the US Legislature ponders the reality of passing a Federal data privacy law: The American Privacy Rights Act (APRA). We’ve seen this process play out before without much success, but will this new political dance be its final bow? 

On April 7, 2024, Chairs Cathy McMorris Rodgers (R-WA) and Maria Cantwell (D-WA) jointly introduced APRA. If passed, this legislative proposal would establish a federal privacy framework that would disrupt the current fragmented data privacy framework. 

While it will place more legal obligations on US publishers, it will be a breath of fresh air to follow one privacy law instead of several state ones. 

APRA strongly emphasizes empowering American consumers with greater control over their personal information. This control extends to various aspects, including the management, correction, deletion, and restriction of the sale or transfer of their data. In essence, the bill seeks to democratize data governance by ensuring that individuals have a say in how corporations and other entities handle their information.

In layman’s terms, this bill would follow the EU’s lead of explicit consent. 

APRA’s Critical Features and Updates

One of the APRA’s notable features is its comprehensive approach to regulating data collection practices. Nowadays, companies amass vast amounts of data, often without clear justification or consent; the bill introduces measures to curtail such practices. It mandates that companies only collect data necessary for their services, thereby promoting data minimization.

Moreover, APRA introduces robust protections for sensitive information, encompassing a wide range of data, including but not limited to online activities and biometric data. By broadening the definition of sensitive information, the bill seeks to adapt to the evolving data privacy threats, where personal data is increasingly exploited for nefarious purposes.

A novel aspect of the APRA is its recognition of social media platforms’ growing influence in shaping the digital ecosystem. To this end, the bill introduces the concept of “high-impact social media companies,” defined as platforms meeting certain revenue generation and user engagement criteria. 

By singling out these entities for heightened scrutiny, the bill acknowledges their outsized role in mediating online interactions and shaping public discourse. In short, the walled gardens. 

In addition to regulating data practices, the APRA strongly emphasizes transparency and accountability. Covered entities are required to make their privacy policies readily accessible to consumers, providing clear information about data handling practices and giving individuals the ability to exercise their rights effectively. This transparency fosters trust between consumers and businesses and also serves as a deterrent against unethical data practices.

How Will Regulators Enforce APRA?

Enforcement mechanisms are critical to any privacy legislation, and the APRA is no exception. 

The bill empowers multiple stakeholders, including the Federal Trade Commission (FTC), state attorneys general, and individual consumers, to hold violators accountable. Importantly, it grants consumers the right to initiate private lawsuits against entities that infringe upon their privacy rights, thereby providing a potent deterrent against misconduct.

Furthermore, APRA adopts a preemptive approach towards state privacy laws, seeking to harmonize regulatory standards across the nation. While this preemption has drawn criticism from some quarters, proponents argue that it is necessary to avoid regulatory fragmentation and provide clarity for businesses operating in multiple states.

Is APRA’s Passing a Real Possibility?

Remember when we thought  ADPPA might pave the road towards a federal privacy regulation? Well, it didn’t pass the Senate. Advertising and privacy groups like Privacy for America called out the proposed bill, which became a major hindrance. For instance, Privacy for America did not believe the bill was comprehensive enough to distinguish between bad and healthy advertising practices. 

More specifically, the organization said, “Privacy legislation should distinguish between harmful practices that should be prohibited and responsible data practices like advertising that provide valuable information to consumers and are essential to innovation and economic growth.”

It seems APRA is facing the same issues. According to Jessica B. Lee, Chief Privacy & Security Partner at Loeb & Loeb LLP, this bill is unlikely to pass because several issues stand in the way of federal privacy: politics, preemption, and the private right of action.

“In terms of politics, we have already seen California’s enforcement agency come out strongly against the bill (and they worked hard to kill the last attempt at federal privacy) and its attempt to preempt certain state laws,” said Lee. “Likewise, Ted Cruz has raised concerns with the privacy right of action and potential expansion of power for the FTC. As we head into election season, it is unclear to me that there is enough alignment to push this through this year.” 

APRA’s Impact on Publishers

If the bill does pass, what do publishers have to consider?  

David Shonka, Partner at Redgrave LLP, said, “The 180-day lead time is very short for setting up any new processes and procedures that compliance will require.” From his perspective, there are three things publishers should consider:

  1. They should sit down with their lawyers and stakeholders to discuss what the law means and how it applies to them.  
  2. Gain a comprehensive understanding of their data, including its sources, storage, usage, sharing practices, and methods for tracking, storing, and safeguarding it.
  3. Build processes and procedures to meet the Act’s requirements.

APRA could significantly impact advertising. It defines sensitive data as “online activities over time and across third-party websites.” Collecting or sharing such data requires affirmative express consent. 

As Lee points out, while APRA allows opt-out for targeted advertising (excluding measurement, first-party, and contextual advertising), including online browsing data in the definition of sensitive information means targeted advertising data cannot be used without consent. Publishers with investments in first-party data for the post-third-party cookie era will benefit if ARPA passes. Nevertheless, shifting from opt-out to opt-in will cause substantial upheaval in an industry already facing significant changes.

The post What Is the American Privacy Rights Act (APRA) of 2024? appeared first on AdMonsters.

]]>
AdMonsters Ops Reveal: Keynote James Rosewell on Disrupting Digital Monopolies and the Future of Online Privacy https://www.admonsters.com/admonsters-ops-reveal-keynote-james-rosewell-on-disrupting-digital-monopolies-and-the-future-of-online-privacy/ Thu, 28 Mar 2024 12:00:12 +0000 https://www.admonsters.com/?p=654093 In our quest for the perfect keynote speakers for AdMonsters Ops, we wanted industry leaders who were not afraid to expose what's going on behind the curtains, and James Rosewell does just that. So, who is James Rosewell? He's the guy who caught the attention of the UK's Competition and Markets Authority (CMA) in January 2020 with his razor-sharp insights on digital markets.

The post AdMonsters Ops Reveal: Keynote James Rosewell on Disrupting Digital Monopolies and the Future of Online Privacy appeared first on AdMonsters.

]]>
Gearing up for AdMonsters Ops, we spiced things up with a LinkedIn Live featuring keynote James Rosewell, the trailblazing Cofounder of Movement for an Open Web (MOW), who dished out his unique perspective on today’s tumultuous regulatory terrain.

In our quest for the perfect keynote speakers for AdMonsters Ops, we wanted industry leaders who were not afraid to expose what’s going on behind the curtains, and James Rosewell does just that. So, who is James Rosewell? He’s not your average entrepreneur. He’s the guy who caught the attention of the UK’s Competition and Markets Authority (CMA) in January 2020 with his razor-sharp insights on digital markets.

With one bold move, through his B2B data business, 51 Degrees, Rosewell’s submission to the CMA sparked a series of events leading to the formation of Movement for an Open Web (MOW). This not-for-profit aims to educate regulators, industry players, and standards bodies about the need for stable interoperability in the digital realm.

Our discussion with Rosewell was a whirlwind of wisdom and revelations. In a short amount of time, we covered a range of privacy concerns. Now, let’s unpack the key highlights.

Collaboration Among Regulators is Key: James discussed engaging with various regulatory bodies like the UK’s CMA, the European Commission, and the Department of Justice to address digital monopolies and the need for market regulation to ensure fair competition and innovation. 

Recent actions by the US Department of Justice and the EU signal a coordinated effort to address antitrust issues in the tech industry. With investigations into major players like Apple, Alphabet, and Meta, the focus is shifting toward ensuring fair competition and consumer protection. The road ahead may be complex, but the goal remains clear: to promote innovation while safeguarding user privacy.

The Future of Cookies: Our conversation dove into the regulatory whirlpool of challenges facing Google before it fully phases out third-party cookies. Rosewell suggested that based on the CMA’s findings and ongoing reports, the complete removal of third-party cookies by 2024 seems uncertain. 

The CMA’s most recent report highlighted concerns about Google’s practices, with at least 39 regulatory issues to address before third-party cookies can bid adieu. The timeline for the cookie’s demise is not set in stone, but regulatory bodies are closely monitoring Google’s proposed changes and their implications for privacy and market competition.

One key takeaway from our conversation was the importance of industry feedback in shaping regulatory decisions. The CMA encourages all businesses to voice their concerns and provide input on the impact of regulatory changes. Anonymity plays a significant role in this process, allowing businesses to share insights without fear of repercussions. 

Privacy Sandbox and Market Concerns: Diving into the heart of the concerns over Google’s Privacy Sandbox are as real as they get. It’s a scenario brimming with self-preferencing issues and the risk of technologies tipping the scale in Google’s favor, leaving other players in the digital dust. Rosewell advocates testing these technologies, especially in environments like YouTube, to ensure they are beneficial and fair to the market before broader implementation.

As we look towards the future, Rosewell emphasizes the need for competition to drive innovation for the best privacy solutions. Rather than relying solely on Google or Apple’s approaches, we need diverse solutions tailored to the entire ecosystem’s needs, making it a more equitable and dynamic open marketplace. As we navigate these complexities, collaboration, industry feedback, and a focus on competition is essential. The future of digital innovation hinges on our ability to adapt, evolve, and embrace new solutions that prioritize user privacy and drive technological progress.

The post AdMonsters Ops Reveal: Keynote James Rosewell on Disrupting Digital Monopolies and the Future of Online Privacy appeared first on AdMonsters.

]]>
What Is Iab Tech Lab’s Data Deletion Request Framework & How Will It Simplify Data Deletion? https://www.admonsters.com/what-is-iab-tech-labs-data-deletion-request-framework/ Fri, 26 Jan 2024 13:00:04 +0000 https://www.admonsters.com/?p=652430 There is currently no industry standard for completing data deletion requests. We caught up with Rowena Lam, IAB Tech Lab’s Senior Director of Privacy & Data, to see how they conducted this research, the findings, and the following steps to make a standard Data Deletion Request Framework a reality. 

The post What Is Iab Tech Lab’s Data Deletion Request Framework & How Will It Simplify Data Deletion? appeared first on AdMonsters.

]]>
Consumers who want to exercise their right to have their personal data deleted can do so by submitting a request to the company that has their data. These requests can be complicated since they involve deleting data from multiple places. The process can be daunting without an industry standard for handling these requests. IAB Tech Lab is working to reduce the complications by standardizing the process. 

Everyone in the ad tech industry seems to be talking about user privacy right now, from how to deal with new regulations to how we interact with consumers’ information online, which will change digital advertising. 

A regulation that began as part of the California Consumer Privacy Act, known as the “right to delete,” entitles consumers to ask companies to delete all of their digital data, with some exceptions. This regulation is becoming a privacy standard, necessitating expanding the way our industry addresses these requests. 

There is currently no industry standard for completing data deletion requests. To address this, IAB Tech Lab recently called for public opinions and comments to help develop an industry-wide data deletion standard. The comments will inform how IAB Tech Lab moves forward to create a new framework to simplify the process and ensure compliance with privacy laws. 

We caught up with Rowena Lam, IAB Tech Lab’s Senior Director of Privacy & Data, to see how they conducted this research, the findings, and the following steps to make a standard Data Deletion Request Framework a reality. 

Kacey Perinelli: Can you give me an overview of data deletion requests, what systems currently handle them, and how they fit into the privacy landscape? 

Rowena Lam: There isn’t a comprehensive framework to handle these requests throughout the digital ad media ecosystem. We’re seeing players in the ecosystem having to come up with very bespoke solutions because there is no framework to handle these requests. We have yet to finalize the data deletion request framework that we’ve proposed, but it creates a standardized approach to communicate deletion requests. This is particularly relevant as we’ve seen a lot of focus on consumer privacy rights globally. This is both from a consumer perspective and a regulatory standpoint. 

Some of the industry understands, but not everyone understands how much of a challenge dealing with data deletion requests truly is. With no standard framework, everybody’s doing their own thing. In most cases, when a consumer requests the deletion of their personal data, it’s not just one organization affected. Organizations utilize service providers and have CDPs, so other systems need to be touched, and in some cases, this is a manual process. A framework like this helps the industry speak the same language and ensures everybody is implementing this in the same way, removing the challenge for them to properly delete the consumer’s data and do it promptly. 

KP: Why is it important to have an industry standard for these requests? How will standardization benefit both the ad tech industry and consumers? 

RL: There are a few crucial reasons the industry needs standardization for this. The overarching reason is that it provides a practical approach and implementation for handling these deletion requests, which are pretty sensitive because we’re talking about consumers’ personal data. Standardization ensures a consistent approach across the ecosystem, specifically for the ad tech industry; it simplifies their compliance with these privacy laws. The framework is regulation agnostic, which is an added benefit. 

This will ultimately help the ad tech industry continue to foster increased trust with consumers, which is an industry priority. This provides a consumer benefit even though this isn’t a consumer-facing mechanism, per se. It ensures the industry has a more efficient and reliable process for making sure that when the consumer reaches out and wants to exercise their data deletion rights, the deletion request can be communicated appropriately throughout the ecosystem. This ensures that the personal data they want deleted is actually deleted as required by law.

KP: Without revealing any names, can you tell me how many and what types of companies contributed their insight to creating the standardized framework? 

RL: A diverse range of global businesses participated in the original drafting of the data deletion request framework. As we entered a public comment period, we received feedback from a diverse range of organizations, from startups to major industry players, spanning the entire supply chain. That active involvement from these different companies highlights the engagement in shaping this deletion framework. 

KP: How did IAB Tech Lab work to incorporate the many suggestions it received in a way that will be universally applicable?

RL: When we released this, it started with a 30-day public comment period, where we looked for contributions from the perspective of organizations of all sizes. The feedback that we received was mostly positive and sat in a couple of key thematic areas. It touched on subjects like data elements, communication, protocols, signatures, key encryption, acknowledgment of requests, and identifiers. We’re currently working on incorporating these comments to ensure that the framework is universally applicable and that none of these specific vital thematic areas are overly complicated. This guarantees that smaller players, for example, can also utilize the framework. 

KP: You noted four thematic areas that IAB Tech Lab is focusing on as it proceeds to create this standardized framework. Going in, did you know if these would be the key areas to focus on?

RL: These themes were already in our minds during the drafting process, and some of the areas are specific to the Object Parameters and API fields: signature keys and encryption, validation, acknowledgment of the requests, and identifiers. The feedback from the public comment period is informing the details of how they could work. That’s helping expedite the finalization of this standard and help us ensure that when we finalize the framework, it addresses the use cases we’re looking to address. 

KP: What is the next step to creating the standardization and ensuring it works universally? 

RL: The next step for us is to incorporate these specific pieces of feedback in those four thematic areas that I mentioned directly back into the specification. Then, working with the framework’s “working group,” which includes industry representatives, we will reach a final specification that the entire industry can adopt.

We will release a final version once we incorporate all this feedback into the specification. I anticipate that folks will start to adopt, which they can do as soon as we release that final version.

It is very, very exciting. There’s been plenty of engagement. This is a huge positive because it indicates real alignment, at least around the topic. There might be disagreements about the details and specifics of how we view some of it, but there’s a general alignment on the framework itself.

The post What Is Iab Tech Lab’s Data Deletion Request Framework & How Will It Simplify Data Deletion? appeared first on AdMonsters.

]]>
Addressing the Future: Publisher Perspectives on Data, Privacy, and the Road Ahead https://www.admonsters.com/addressing-the-future-publisher-perspectives-on-data-privacy-and-the-road-ahead/ Wed, 29 Nov 2023 13:58:00 +0000 https://www.admonsters.com/?p=650433 During a panel titled "The Future of Addressability: The Portfolio View," Anthony Katsur, CEO of IAB Tech Lab, sat down with Shobha Doshi, SVP of Programmatic Strategy & Operations at Raptive, Ryan McConville EVP of Ad Platforms & Operations at NBCUniversal, and Mike Nuzzo, SVP of Hearst Data Solutions at Hearst Magazines. Each panelist outlined how they are approaching addressability today.

The post Addressing the Future: Publisher Perspectives on Data, Privacy, and the Road Ahead appeared first on AdMonsters.

]]>
There’s been tons of chatter in the industry at large about signal loss, but what does signal loss mean to the ecosystem, specifically publishers? 

For better or worse, Publishers are always left bearing the brunt of industry shifts. With addressability shifting into something different, many wonder how we will continue to target and reach our audiences.

The cookie phase-out process is here, and word on the street is that Chrome will be obfuscating the IP address (the cookie of CTV) real soon.

During a panel titled “The Future of Addressability: The Portfolio View,” Anthony Katsur, CEO of IAB Tech Lab, sat down with Shobha Doshi, SVP of Programmatic Strategy & Operations at Raptive, Ryan McConville EVP of Ad Platforms & Operations at NBCUniversal, and Mike Nuzzo, SVP of Hearst Data Solutions at Hearst Magazines. Each panelist outlined how they are approaching addressability today.

One thing we all know to be true is that there is no one solution; publishers should instead consider the “patchwork quilt” of solutions that are at their fingertips. With a catalog of over 5,000 publishers, Doshi highlighted that Raptive is currently in the test iterative stage. She encourages publishers to continue testing and exploring to see what works and what doesn’t.

At NBCU, they are rebuilding their signaling around first-party identity. With Peacock and their other digital endpoints totaling around 300, they had to find a way to coordinate those varying identities across everything. Having recently launched the NBC Unified identity platform, their strategy is to elevate it to live primarily on first-party identity signals.

When asked how Hearst thinks about the future of addressability, Nuzzo kept it simple. “We’re doing a lot of testing, learning, and just making sure we’re following the law,” he shared. From his perspective, the onus has been on publishers to solve for innovation. Innovation and identity are increasingly challenging because, again, there is no one solution.

Future-Proofing Alongside Hefty Privacy Constraints

Privacy regulations are evolving in Europe, and while a handful of states with state-led privacy regulations are already in place, three more states will be enforcing privacy sanctions next year: Montana, Oregon, and Texas. India also just passed a privacy law. 

What alternative solutions are publishers seeking to maintain an addressable ecosystem while complying with privacy regulations? 

“I think it’s hard, and that’s why I said the legal piece earlier,” Nuzzo explained. “Consent management platforms are in a good place right now, we need them contextually.” At Hearst, the focus is on understanding common taxonomies and how they apply that to their audiences algorithmically. Gen AI is also something they are pushing towards. 

For McConvile and NBCU, the product team is essential to maneuvering the privacy landmine. Media and entertainment companies have privacy product managers who enforce all privacy regulations. Rather than creating nuances for each state’s privacy laws, they look to the states with the most conservative ones and use those as a baseline.

Privacy and big tech are the two big bad wolves of the industry, but which one is scarier? 

It’s no surprise that Nuzzo from Hearst says it’s the legal side. No publisher wants to come out of pocket and pay off the government for not having the right privacy policy. McConnvile went with big tech, considering the different platform policies that publishers must abide by. 

“Operating system policies like Apple’s override our terms and conditions, so if you sign up for Peacock on an Apple device and agree to NBCU’s terms and then opt out of Apple, it overrides our terms and conditions completely. I don’t think users actually understand that they’re making that choice,” McConvile explained. 

The IP Address Is the Cookie of CTV

While CTV doesn’t operate on cookies, it does use IP addresses for audience targeting. This makes IP addresses the cookies of CTV. One or both will put a velvet rope around the web and obfuscate the IP address.

What will happen next as the IP address becomes effectively deprecated by big tech?

Doshi, SVP of Programmatic Strategy & Operations at Raptive, thinks the IP address signal loss would reduce graph strength for everyone. “It makes regulatory compliance hard, especially if there are different state-by-state regulations that may conflict,” she explained. “There are no good solutions right away, and solutions will differ per environment since regulations differ per environment. We may see some advantages on desktop, but the long road ahead is to figure out how to make it work.”

Nuzzo had an opposite opinion, “I think the IP address for us opens up an opportunity that we haven’t explored as publishers,” he said. Also, stating that there are actually a lot of good use cases for the deprecation of the IP address that we haven’t thought of. “I hope the industry allows us to explore that before they cut off at the knees,” he said. 

The IP address powers a lot of how performance TV works since viewers don’t click on their televisions to buy something. The IP address connects the devices in your household. “You have a smart TV that lives on an IP address, and you have a mobile phone that lives on that IP address,” McConville explained. “So if you see an ad on Peacock on your smart TV, you can buy the sneakers from that ad on your mobile phone.”

The industry will have many holes to fill if the IP address is deprecated because, aside from targeting, the IP address is crucial for cross-device measurement. There is also some interesting work on an Internet service provider level to future-proof the ability to tie IP signals to a deterministic household in a privacy-compliant way.

From a fraud vector perspective, the IP address is used for many fraud detection and data security issues as you start to proxy through a single IP address or VPN on the web. This opens up many fraud and data security issues for advertising and health, tech, finance, and national defense implications. 

In short, IP addresses have many uses in the advertising ecosystem beyond targeting. Many publishers will have to think through and plan for the many implications.

Is First-Party Data the New Oil in Our Industry?

When it comes to first-party data, we are somewhat in a world of the haves and have-nots. The walled gardens have had identity for many years, but everyone outside of them had an alternative architecture through cookies they could function on. 

 Publishers and brands have to create a value exchange to get the data. There are tons of data-rich companies, like Amazon, for example. You are unable to use any Amazon entity without logging in. Publishers need to make sure that their consumer product teams are creating a system for authenticating users and communicating the value exchange to garner more logins. 

Now is the time, more than ever, for companies that have not traditionally collected first-party identity signals to figure out smart ways of doing it. “On the cohorting side over at NBCUniversal, they have done some really interesting tests with seed data using AI and content. 

“We fed our content into an AI engine, scanned all the contextual metadata for all the content, and then created lookalike models using that more granular data set. By using this AI deep contextual metadata, which is also our first-party data, we found that the segments performed much better,” said McConville. 

At Hearst, there are tiers of data assets at their disposal, so it doesn’t have to be explicit logins. They collect 4 trillion data points on their users monthly, which is precious data. Recently, they conducted a study and saw a 140% increase in click-through rate when they applied both contextual and behavioral into one segment for the advertiser. 

“We’ve lived on this behavioral journey for so long, where the mentality was just follow the consumer around, and they’ll buy my shoes,” Nuzzo said. “This may be true, but when you serve 5000 impressions to them versus if you serve them the right content, you’ll have to do far less of that, and the interaction rate will improve.”

Where Do We Go From Here?

As an industry, we have a nasty habit of waiting until the last minute before we react to changes. We have built a solid muscle on the third-party cookie, so is there a sense of urgency in Q1 of 2024? Probably not. 

Patrick McCann, SVP of Research at Raptive, also led a main-stage discussion highlighting how more publishers need to start testing the Privacy Sandbox. Raptive hopes that we will discuss how the buy side is ingesting and understanding some of that data next year. 

Clean rooms were also discussed, and McConville predicts that we will see some real commercial action coming out of Clean Room integrations because there was a long time when they weren’t being utilized. With Amazon and Google PAIR, we see real commercial examples of bringing first-party data service into these data clouds.

Nuzzo thinks we will talk about gen AI in the spring of 2024 and finally have some real learnings from it. We will finally have some metrics to see what works, and what doesn’t work. 

The post Addressing the Future: Publisher Perspectives on Data, Privacy, and the Road Ahead appeared first on AdMonsters.

]]>
Privacy Experts Convene on the Need for Federal Legislation at RampUp https://www.admonsters.com/privacy-experts-convene-on-the-need-for-federal-legislation-at-rampup/ Tue, 07 Mar 2023 21:32:20 +0000 https://www.admonsters.com/?p=641952 At RampUp 2023, "Stay on the Forefront of Privacy Legislation" was a session where Washington D.C.-based ad tech counsel and a VP at the U.S. Chamber of Commerce shared their perspectives on what's happening right now and what the industry can do to streamline the process. One common denominator among the three session participants was that now was the time for one federal privacy law. 

The post Privacy Experts Convene on the Need for Federal Legislation at RampUp appeared first on AdMonsters.

]]>
The state of privacy and data in America is in shambles. 

Recently, President Biden signaled how important privacy legislation is by addressing it at the State of the Union for the first time. We all recognize that state privacy laws are here, with many more to come. At this point, we desperately need universal privacy legislation that supersedes state laws to create a level playing field for credibility, stability, and protection for consumers and businesses. 

At RampUp 2023, “Stay on the Forefront of Privacy Legislation” was a session where Washington D.C.-based ad tech counsel and a VP at the U.S. Chamber of Commerce shared their perspectives on what’s happening right now and what the industry can do to streamline the process. One common denominator among the three session participants was that now was the time for one federal privacy law. 

The Time Is Now

Data is highly regarded because it helps to deliver impactful services to consumers and customers. It unlocks the potential of the information economy to communities and helps ensure that consumers have access to important and useful information for free. It makes the open web a lot like the public library. Also, with the right data, consumers can access personalized apps and services that make life easier.

And, for the ad tech ecosystem, it powers the pipeline, bringing the right message to the right consumer at the right time. However, this all goes out the window if we do not establish a reasonable and well-thought-through national policy for data.

In a study conducted by Privacy for America, we learned that consumers enjoy over $30,000 a year in subsidized content and services online. A law restricting that flow of data availability could increase what we consider an online tax by over $30,000. 

We must ensure we continue to provide consumers with this same access. This isn’t just an ad tech issue. With six state data privacy laws already on the books and many different bills under consideration, delivering the impactful information and services consumers expect grows harder and harder.

“Without a preemptive national standard, we risk that the policy, and how we can engage with consumers and build audiences, will be left to just a handful of companies,” explained Michael Signorella, co-chair of the Technology and Innovation Group at Venable law firm. “They will decide how we can address media to consumers online, think of ATT.”

The Tragedy Associated With State-led Privacy Legislations 

According to a recent U.S. Chamber of Commerce report, 80% of small businesses stated that tech platforms, ads, and payment apps enabled them to compete with larger corporations. So limiting access to data and the ability to use data will constrict their business operations. 

“There are currently about 20 states that have introduced bills being considered now,” said Jordan Crenshaw, VP at the U.S. Chamber of Commerce. “The problem is that we’re seeing multiple models emerge, and even when we have very similar models, they are still somewhat different. If you’re a food truck with about 270 customers daily, complying across state lines would be nearly impossible.”

The California Consumer Privacy Act was the first comprehensive law in the U.S. to go into effect. It gives consumers the right to delete data, opt out of data sales, and know what data companies hold about them. Nonetheless, the private right of action associated with this act could be problematic when it comes to data breaches. 

Virginia’s Consumer Data Protection Act, which went into effect in January, gives consumers the right to opt out of data sales and targeted advertising. Like California, Virginia consumers can also delete data, but they also can correct data and opt-in for sensitive data. There is no private right of action in Virginia, which is good because it leaves enforcement up to the state’s attorney general. It also doesn’t allow for broad rulemaking authority to any agencies in the state, keeping the terms and conditions concrete. 

When it comes to federal privacy, the Chamber of Commerce currently sees states embracing the American Data Privacy and Protection Act (ADPPA) and opt-in frameworks where businesses have to get consent to use data outright, like in Oklahoma. All these differences are a huge red flag for compliance for small businesses. 

Where Are We Seeing Specific Privacy Regulations?

Health Data: Since the Roe v Wade decision, there has been a call to create privacy protections around abortion data or data that might lead to that. The problem is that now that issue has worked into massive health bills creating an even larger issue. In Washington, the state has a bill in review that would require consumers to opt-in for data usage, thus harming data flows for things like health research, clinical trials, for example. That bill also has a private right of action.

Children’s Data: States are proposing updates to the Children’s Online Privacy Protection Act (COPPA). Utah even has a social media bill that would shut off social media usage after 10 pm, substituting the role of a parent with a private right of action and age verification.

Biometric Data: An example of this is facial recognition technology. States like Illinois already passed laws related to biometrics, whereas a company could be subject to private lawsuits if it failed to get consent to use biometric data. 

Convos on Capitol Hill

As Principal at Emergent Strategies, a Democratic government affairs firm in Washington, DC, Michael Claunch spends much time on Capitol Hill. While conversing with Congress, he knows they are working to solve many of these privacy issues, whether conflated purposefully or unintentionally. 

On the Hill, they are working on complex issues like privacy, whether online markets are competitive enough, and Section 230 reform. Members of Congress feel extremely passionate about these issues, but if they try to address each silo, they will affect the other; privacy is a great example. 

“When I interact with Congress, I’m very consistent in my message that a federal privacy law will be the competition law for the next decade,” Claunch explained. “There will be winners and losers as some entities will have better access to more rich data and be able to use it. Market impacts need to be taken into consideration.”

Why Not the ADPPA?

While the ADPPA is an admirable attempt, it’s just not it for many reasons. Experts see many weaknesses regarding its impact on competition and the fact that it has an overly broad definition of sensitive data. It can eliminate the ability for brands and third parties to use data to get a complete look at the consumer and target them across the web. 

The ADPPA presents unequal treatment between first and third-party marketers; as we know, if a company has a first-party relationship with a consumer, it’s way easier for them to get opt-in consent on that sensitive data.

Currently, the way the ADPPA is written, third parties are at a significant competitive disadvantage compared to first parties. Thankfully the three legal professionals on this session — Jordan Crenshaw, Vice President, U.S. Chamber of Commerce; Michael Signorelli, Partner, Venable LLP; and Michael Claunch, Principal, Emergent Strategies — are working to change that. With a new Congress in place, it presents an opportunity to reset and build up the good work regulators have done. It also gives them ideas to ensure that a federal privacy law considers all stakeholders.

The post Privacy Experts Convene on the Need for Federal Legislation at RampUp appeared first on AdMonsters.

]]>
What is IAB’s Multi-State Privacy Agreement (MSPA)? https://www.admonsters.com/what-is-iabs-multi-state-privacy-agreement-mspa/ Fri, 14 Oct 2022 17:03:28 +0000 https://www.admonsters.com/?p=638732 Another day, another way for the ad tech alphabet soup plot to thicken. But this time, it seems to be a step in the right direction towards unifying compliance across state privacy laws called the Multi-State Privacy Agreement (MSPA). As of late, IAB and the IAB Tech Lab is committed to encouraging the advertising ecosystem to put […]

The post What is IAB’s Multi-State Privacy Agreement (MSPA)? appeared first on AdMonsters.

]]>
Another day, another way for the ad tech alphabet soup plot to thicken.

But this time, it seems to be a step in the right direction towards unifying compliance across state privacy laws called the Multi-State Privacy Agreement (MSPA).

As of late, IAB and the IAB Tech Lab is committed to encouraging the advertising ecosystem to put consumer privacy first. Along with that goal, they updated their privacy protocols and agreements to support publishers, advertisers, and ad tech companies. For months, we’ve speculated there would be just one contractual framework to ensure privacy compliance across all the current state-led privacy legislations, and this may be it.

“The patchwork of state regulations creates an increasingly complicated compliance landscape for the digital advertising industry,” said Michael Hahn, EVP, General Counsel, IAB, and IAB Tech Lab. “The IAB Legal Affairs Council has been focused on meeting this challenge for the past year. We believe the MSPA – the product of collaboration from stakeholders across the industry – is a crucial tool to solve this challenge.”

The Multi-State Privacy Agreement (MSPA) supplies a refurbished framework to ensure privacy compliance across five new state privacy laws. It works alongside the IAB Tech Lab’s US State Signals initiative, also recently released as an extension of the Global Privacy Platform (GPP). Both are available for public comment until October 27, 2022.

How Will the MSPA Help Streamline Privacy Concerns?

Think of the MSPA as the big brother of the Limited Services Provider Agreement (LSPA), which was initiated to guarantee compliance with the California Consumer Privacy Act (CCPA). 

The great thing about this agreement is it serves as a watchdog over all privacy legislations. The CCPA, the California Privacy Rights Act (CPRA, coming January 2023), and all the others going into effect in 2023; the Colorado Privacy Act (CoPA), Connecticut Data Privacy Act (CDPA), Utah Consumer Privacy Act (UCPA), and Virginia’s Consumer Data Protection Act (VCDPA).

This agreement and its partner in crime, IAB Tech Lab’s GPP, including its state-level signaling, will assist member companies in handling the ever-so-complex global privacy compliance landscape and managing the different consent signals from multiple jurisdictions.

“The MSPA does four things. First, it provides a scaled way of incorporating terms in the service provider contracts and agreements covering third-party “sales” of personal information,” Hahn explains. 

“Second, it covers contractual gaps in the digital advertising distribution chain where parties will need contracts covering “sales” of personal information. However, no such contract type presently exists between industry participants. Third, it provides a legal framework for service providers to measure ads and set a frequency cap. Fourth, it provides an optional “national approach” to find the highest common denominator in the privacy requirements across the five new state laws.”

Will Implementing the MSPA Serve As a Gift or a Curse to Publishers?

Only time will tell if MSPA will serve as a gift or a curse to publishers. As we all know, a few IAB-initiated privacy measures have fumbled, but everything is trial and error in this industry. 

We know this is the first privacy agreement we are seeing that kind of puts all the new state laws under one umbrella to simplify things seemingly. 

Still, there’s reason to pause. None of us can forget how the Belgian Data Protection Authority (BDPA) went after IAB Europe’s Transparency and Consent Framework (TCF) for breaching GDPR rules.

And some ad tech experts have a profound uneasiness about the Tech Lab’s GPP about a month ago, implying that it causes more harm than it will help the ecosystem. In particular, Washington Post Engineering Lead, Aram Zucker-Scharff, is concerned that “GPP fails to provide any real change over TCF, besides this bolt-on of new string encoding methods.”

“GPP does not represent a significant technical change from TCF, and it is hard to see how it could meet the basic objections from EU courts,” he tweeted last month. He also questioned the IAB’s push towards vendor list specification and the potential fingerprinting risk it opens up. And he doesn’t seem to be alone in his worries. 

Crawling before walking might be the mantra here.

The post What is IAB’s Multi-State Privacy Agreement (MSPA)? appeared first on AdMonsters.

]]>
The Trouble with Consumer Choice https://www.admonsters.com/trouble-with-consumer-choice/ Wed, 26 Aug 2020 13:00:06 +0000 https://www.admonsters.com/?p=480691 Shifting our mindset from notice and choice will not be easy and will require agreement in an ecosystem of competing interests. However, in the long term, both consumers and businesses may benefit from this change. Privacy expert, Jessica B, Lee breaks down the alternative to the failing notice and choice framework.

The post The Trouble with Consumer Choice appeared first on AdMonsters.

]]>
Consumer choice is one of the pillars of our approach to privacy in the U.S.

A privacy policy gives consumers “notice” about how their personal information will be collected, used, and shared and then tells the consumer what “choices” they have. Websites present checkboxes and buttons labeled “Agree,” all designed to give consumers options for how they participate online.

As the digital landscape has evolved, however, it has become apparent that this notice and choice approach may fail to protect individual privacy. Instead, it puts the burden of privacy protection on the consumer. Consumers are asked to understand unclear concepts (“what IS a sale”?) and are then presented with a  false choice—agree or don’t use the website.

The focus on consumer choice fails, in part, because consumers often don’t understand how information is collected and used online (and how they may benefit or be harmed by that use).

There are also practical limitations to the choices provided, and consumers ultimately don’t want to make these complicated decisions every time they visit a website. Consent-fatigue hits even the most vigilant consumer, and at some point, it’s just easier to click accept so you can read that article and move on with your life.

The Failure of “Notice”

Website publishers are expected to create privacy policies that are both short and easy to read, but that disclose in detail the data that is collected, used, and shared by the site.

Having written countless policies addressing the myriad of privacy regulations, I can attest to the difficulty of this task.

Privacy policies aren’t 20 pages long because companies want them to be. They are that long because that is the space required to disclose all of the information regulators expect to see.

These requirements rarely consider or emphasize what is meaningful to the consumer and what would help the consumer make a (quick) decision about how to engage with that website.

For example, one of the regulations issued under the California Consumer Privacy Act is a requirement to disclose metrics about the number of individual rights requests a company has received.  How is this information at all useful to the consumer? It’s not. Instead, it adds more length to the policy, more text for the consumer to parse through, and ultimately little value.

The Reality of Consent Fatigue

There have been several studies examining the impact of “decision fatigue” – the mental impact of having to make too many decisions. As one study noted, “people who lack choices seem to want them and often will fight for them”; yet at the same time, “people find that making many choices can be [psychologically] aversive.”

Similarly, requiring consumers to accept or agree to the cookie or privacy policy on every website they visit, to understand and make decisions about whether to opt-out of “sales,” is draining.

The same fatigue that sets in after someone is asked to make decisions throughout the day sets in when consumers are asked about exercising their choices online, and it’s not clear how meaningful these choices are.

What’s the Alternative?

If the notice and choice framework is failing us, then we have to find a better way. Here’s what I suggest:

  1. Invest in consumer education – Consumers should understand what to expect online: what activities are routine and (relatively) harmless, what activities are out of the ordinary, and why. Ideally, this would be a “just the facts” delivery of information, without the spin or rhetoric from either side.
  2. Adopt a one-page, easy to read privacy notice – The concept of a “privacy nutrition label” has been discussed for over a decade, but has never been widely adopted. The time has come. We should identify the most important questions a consumer may have based on the platform (website, app, etc.) and answer them with a yes or no (“Do you give my email address to third parties to send me marketing messages? Yes/No”…” Does this app track my location for advertising purposes” Yes/No). The details can be included on a longer notice for those who want to read it and for regulators who will still demand to have it.
  3. Adopt a white list of advertising activities – There are some advertising activities that we should collectively agree are ok, they are business activities that will not cause the consumer harm. Website analytics, measurement, and attribution come to mind. These activities are critical to digital advertising and should be permitted.
  4. Adopt a white list of advertising partners – Privacy laws are requiring companies to disclose more detail about the third parties they share information with or allow to collect information on their site. Consumers can take advantage of certain frameworks that allow them to opt-out of data collection from these companies, but most consumers don’t have enough information to know who they are or whether they should opt-out. Instead, if a company signs on to a set of data governance principles, then websites should only have to disclose if they work with partners outside of that framework. Rather than requiring consumers to make decisions about a company’s practices, the industry should agree to a collective set of data practices, communicate those practices to consumers (see #1), and then notify the consumer when a company or its partner is acting outside of that framework.

Shifting our mindset from notice and choice will not be easy and will require agreement in an ecosystem of competing interests. However, in the long term, both consumers and businesses may benefit from this change.

This article is the third written in a series by Jessica B. Lee, Partner, Co-Chair, Privacy, Security & Data Innovations at Loeb & Loeb:

  1. California in Chaos: 3 Things You Need to Know to Stay on Top of CCPA
  2. The Value of Talking About the Value of Consumer Data
  3. The Trouble with Consumer Choice

Lee will lead a session—Are You Ready For CCPA 2.0?—of privacy experts explaining CCPA and CCPA 2.0, as well as what digital media companies need to do to stay ahead of privacy regulations at AdMonsters Publisher Forum Virtual, AUG 26, 2020.

The post The Trouble with Consumer Choice appeared first on AdMonsters.

]]>