TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | No, seriously: What happens to ad tech post-GDPR? Related reading: Emerging trends in fintech privacy: 5 key areas to watch in 2024



Anyone paying attention to the ad tech space, particularly on Twitter, could easily tell you there's been a growing tension among its players on the future of the industry. 

The central issue seems to center around whether ad tech can continue to operate as it has before the EU shifted its legal landscape on data protection and privacy, or if it will have to shift to a new model in order to be compliant. And while the General Data Protection Regulation is the immediate concern given its loom, there's even more concern industry-wide with the to-be-finalized ePrivacy Regulation, which is still being negotiated by EU government, but which threatens to place an even heavier emphasis on consent for legal processing of personal data, casting a wider net than the GDPR. 

It essentially comes down to ad tech versus publishers.

The issue for both sides: There's been a whole lot of "implied consent" going on for some time now. That's because the online ad exchange system is flooded with players. There are not only the publishers, selling advertising space based on user's personal data to advertisers hungry to get in front of the right eyeballs, but there are all sorts of third parties in between, brokering deals between advertisers and publishers. And once the information on whose eyeballs are up for sale goes out into the ad exchange ecosystem, there's no way to control the leakage of that data to numerous other parties. Even the advertisers who don't win the bid for the advertising space available still have some amount of access to the data they were invited to bid on, otherwise, how would they know if they wanted to buy those "eyeballs"? And that data is then used to update user profiles in various databases across the industry. 

Julia Schullman of App Nexus knows well the problem, and that's the issue that the IAB's Transparency and Consent Framework looks to address. Released in April, it aims to provide industry a mechanism to achieve GDPR compliance as they process user data. Essentially, it allows for storage of user preferences on third-party access to data and contains a "global vendor list," which identifies third-party vendors deemed approved by publishers and their users to have access to consenting users' information via those publishers — for specified purposes. 

Schullman explains how industry got to this point and why it's been searching for a necessary solution:

"When we're operating in the ecosystem as diverse as ours is, the main challenge is transparency, there’s never been any kind of dynamic tool to be used to provide that transparency into the ecosystem for real. A lot that has been buried in privacy policies, so those in the ecosystem never really know who does or does not have access to personal data or users showing up on their sites. That is the main goal of the framework ... that it can provide insight and transparency into that ecosystem. And a byproduct of that could be a consent standard used throughout the ecosystem."

But there are those who don't feel the framework is the solution. 

As Johnny Ryan of Pagefair, which stands on the side of the publishers and promotes an advertising model based on context versus behavioral tracking, said in recent podcast for The Privacy Advisor, "It’s a big system built to share personal data as widely as possible, and it is built for a world without regulation. And you cannot put personal data into this system, you simply cannot do that, with any ability to enforce what happens to that data." 

OneTrust, however, feels differently. It recently announced its integration with the IAB's framework via privacy-management software. The software aims to allow adoptees to "pull vendor declarations from the IAB Europe Global Vendor List and provide necessary information about the approved vendors," allowing for the capture of user consent "before personal data is collected in accordance with the user's preferences."

Asked whether the IAB framework, and subsequently OneTrust's integration, can adequately address the rampant data leakage that's occured to date, OneTrust's Blake Brannon, VP of products, said, "IAB Europe has already released updates and continues to look to the market for feedback and we will continue to support them as they work to make the framework right for the market. A company should look for a consent management solution that can work across disparate technologies is a step in the right direction toward solving the consent interoperability issue." 

He echoed Schullman's comments that the problem, to date, has been the fragmented nature of the online consent market. 

"Publishers are working with various first- and third-party systems and all these different organizations have their own standards and best practices. It’s good to see IAB Europe develop a framework to help solve these issues by bringing together publishers, consent management providers and ad tech vendors to help simplify and standardize how consent details are transferred from first to third party systems but it is still early and needs widespread adoption."

Complicating matters further is that the ePrivacy Regulation will cover even non-personal data.

"We are thinking, 'Well, we thought it was all about personal data, but now we also have to think about data that is not personal data, oh my goodness what are we doing to do?' It’s a huge, huge huge problem," said Sachiko Scheuing of Acxiom. 

But you're privacy pros, you care about the personal data part.

 Scheuing explains the conundrum which eventually led to the new rules. 

"I say [to people], 'I’m in the ad tech industry,' and then they’ll say, 'Oh yeah, but advertisements are annoying. You visit one website, and next you see all the websites doing the same ads. If I search on a pair of sneakers, everything I see on the sidebars are all about sneakers.' On the one hand side, we do understand there is a certain sense of need from the consumer side that they want to know more about [online tracking], they want more transparency. And I think genuinely, it would be in all of our interest if we can somehow empower the consumer more so that they get to understand how things work, so the industry sees that need," she said. "And we’re really sensitive to it. At the end of the day, the thing is, you have to have a trusting relationship with your customer or they will never come back. Even if your product is brilliant, nobody will want to buy a product. Both antithetically and also practically, business is sensitive to the needs and wants of the consumers."

While no one is outwardly arguing that customers don't deserve some level of control and transparency, the merits of ad tech to both the consumer and the global economy sometimes go overlooked, Scheuing said.

Take, for example, a consumer searching for a blender. They start Googling around, and from that moment forward, they start getting recommendations for other products that are similar. One of those ads is for a mom-and-pop shop, who in days old couldn't have afforded to participate in the advertising ecosystem in traditional spaces like TV or newspapers. 

"But because we have ad tech today," she said, "even those people are able to promote their shop and their product because everything is internet and with internet you can reach people. So I think it has brought something, it's really helped our economy, in particular to help the small- and medium-sized company, just like this company selling blenders, it's helped them a lot, and I believe that the digital single market, which is the package of law that the European Commission is putting together to ensure digital economic growth of Europe among other things, was actually suggesting to come up with legal certainty in terms of data protection, because they noticed that the lack of legal certainty is a big hindrance for particularly small- and medium-sized companies." 

But with new regulations, and in particular the forthcoming ePrivacy regulation, Scheuing fears there will be a monopoly in the advertisement space on the internet, given that 99 percent of the digital ecosystem doesn't have a direct user interface, and are instead third-parties relying on their ability to capture eyeballs via the first parties who do. 

"That is the support mechanism. And if the support mechanism is made illegal, only a handful of players will be able to provide advertisements in a compliant way, and therefore obviously, with this market reality, one would be able to increase the price of advertising services, so mom-and-pop shops would have no chance," Scheuing said. 

But Fatemah Katibloo of Forrester Research says the change that's coming has been a long time in the making, and, given the GDPR, there will have to be a shift in the kind of behavioral tracking that's happened to date. 

"Some of the ad tech stuff still works [under the GDPR]," she said. "I think there’s elements of it where a consumer has opted in to, or consented on the publisher side, to behavioral tracking and personalization that works to a degree. Where it doesn’t work is where you go downstream to things like [ad] exchanges where there’s like three or four levels deep of data leakage, and, 'Where did I ever get this consent from and how did it turn up?' 

And the vendors are saying we are joint data controllers with advertisers and publishers, then we are okay to keep doing this retargeting." 

Schullman sees that, too. 

"The dividing line among parties is about whether they believe they are a control or processor, in terms of how they process that data," she said. "It really comes down to exactly what you’re doing. It comes down to how your cookies and identifiers work: how you are collecting data and processing it. And it’s highly nuanced."

For a long time, she said, most companies wanted to be seen as a processor, but now, under the GDPR, "there is a lot more soul searching and diligence being done by companies on what they're really doing. There's a real tension between companies and their clients about where they are on that controller and processor spectrum. Different companies have different opinions. Even various lawyers. If you survey all big privacy lawyers in Europe ... you'll get vastly different opinions across different top lawyers at top firms and companies given their interoperation and opinions."

And that's just the way it's going to be for now, it seems. Maybe at least until those first GDPR fines start coming down, and the lines become suddenly much more clear.  

"We shouldn’t pretend there’s great answers, recognizing we’re left in a very tough position because it’s such a nuanced industry," Schullman said. 

So, what is a publisher to do? 

First, said Pagefair's Ryan, publishers need to limit the personal data they're sending out into the ad tech ecosystem. "Stop including any personal data in bid requests," he said. "There is no legal way to continue to send personal data in to the programmatic advertising system, as currently operated. The current situation is analogous to Facebook's Graph API v.1 sending personal data to Cambridge Analytica, without any control over where the data ends up and what is done with it."

Ryan also recommends, for the time being, that publishers prevent ads from rendering directly in their users' browsers; that they remove social sharing buttons from their sites, unless they truly understand where the data is traveling, and that they focus on guidance from the Article 29 Working Party and, soon, the European Data Protection Board. "Their guidance," he said, "and opinion documents over the last 15 years are the only reliable guide for how to comply."

Katibloo leans towards Ryan's view of things. She's not optimistic about the kind of framework developed by the IAB and recently endorsed by OneTrust. She sides more with Ryan's view that advertising has to turn to personalization of content and context as opposed to behavioral tracking. 

"That's kind of where we started,  we knew what page of the website you were clicking on and what articles you were clicking on in this session, and that's how we did ad targeting," she said. She sees industry moving back to the earlier days of the web "where there was less ad fraud. I think what remains to be seen is that publishers are really on the teat of the advertising dollar, and they have really not figured out subscription models that work, and so it’s going to take some investing in that, and it's probably going to hurt a little in the short term because they are going to have to give up some revenue to turn the tide."

photo credit: markus spiske Test Bild via photopin (license)


If you want to comment on this post, you need to login.