Privacy professionals are finding themselves immersed more than ever in the advertising technology ecosystem, and that arena was front and center during a half-day workshop at the IAPP's Privacy. Security. Risk. 2018 conference: "AdTech 101: Ad Interactive Analysis of Online Advertising and Privacy."

Ad tech can be a complicated area to navigate, and its continued growth has allowed it to become intertwined with many of the privacy issues professionals currently face. Of course, it all starts with targeted advertising, which has raised concerns for the better part of a decade. But this session reminded everyone why companies do it in the first place.

The session's speakers — National Advertising Initiative Technology & Policy Analyst William Lee, CIPP/US, AppNexus Product Manager Grant Nelson, CIPP/US, and OwnerIQ Counsel and Chief Privacy Officer Tara Powell, CIPP/US, — ran through a scenario where a small pizza chain wanted to find the best way to reach individuals within a five-mile radius.

The presenters were able to obtain quotes for other methods of advertising. A one-time flyer mailing would cost $37,000. Running an ad for 48 weeks in The Washington Post would cost $6,000. Online targeted advertising would only cost the pizza place $20 a month. That's why organizations are going to be asking privacy pros to figure out ad tech. 

When you are in the weeds of the privacy industry, you hear a lot about the dangers of targeted advertising. It is helpful to have tangible examples, however, to be reminded that these methods are not going anywhere and that privacy professionals will have to find a balance between the benefits and risks of these practices.

And those benefits can be quantified. Targeted advertising can show businesses tangible results, and consumers can see ads aligned with their interests, rather than a bunch of lousy ads promising "local singles near you."

This lead to one attendee asking about the "noise around opting out." By listing out the benefits of targeted advertising, the attendee wondered about why someone would decide to opt out of the service. Mind you, we hadn't reached the GDPR just yet.

Nelson noted the ability to opt out was mainly for those privacy-focused individuals who do not want their information tracked. The question offers a reminder, though, that consumers are willing to exchange their data for benefits, and that not everyone, even attendees of a privacy conference, has those privacy implications top of mind.

Plus, the marketing industry knows there's a balance between getting your attention and making you upset. 

"The ad tech industry came to the realization a few years back that most ads are annoying to users. It’s in everyone’s best interest that ads aren’t super flashy," said Nelson. "There’s been huge effort to clean up the ad tech industry, especially with things like GDPR in effect."

Speaking of the GDPR, the legislation has forced the ad tech industry to emphasize gathering consent.

Right now it’s all very new, and we are still very concerned about what compliance looks like. - Grant Nelson, AppNexus

Working groups are currently looking to develop methods to prevent malicious actors from tampering with consent and finding the best methods to avoid the "privacy fatigue" that would result from requiring individuals to give their consent for every single website they visit. 

"Right now it’s all very new, and [industry is] still very concerned about what compliance looks like," said Nelson of AppNexus. "We have bent over backwards and have spent thousands of dollar to rebuild our systems. Right now, we're locking things down and waiting to see what comes next."

Attendees formed groups during the session to examine privacy concerns within eight different scenarios involving targeted advertising. 

One group's scenario was a pharmaceutical company that wanted to send targeted drug product ads for consumers in need of them. The attendees determined the advertiser's profile on a cancer patient or someone with a rare disease could lead to genetic discrimination and elevated drug and insurance prices. Another scenario focused on sending targeted advertisements to the LGBTQ community, but companies would need to comply with Article 9 of the GDPR

Another scenario centered around an advertiser asking an ad tech company for transactional data to create a report on online advertising. The group questioned the definition of "transactional data," and found these issues could be resolved by using data minimization techniques and ensuring their third party vendors abide by data use limitations.

The privacy issues are real, but they're identifiable and manageable if you ask the right questions and understand where the privacy conflicts might arise. By the workshop's conclusion, attendees clearly had a headstart on understanding where they might be needed.