Europe set the bar with GDPR. Washington, California, New York, Nevada and Maine are each on the road to regulating the use of consumer data as well—at least within their own jurisdictions.
National cyber privacy law is coming; versions of one are being passed around in the Senate and in Congress. We just don’t know when. How can ad tech ready itself for an uncertain regulatory future?
Recognize the core concept behind privacy regulations
With any legislation, it’s easy to get lost in the weeds. Attorneys will certainly parse the details on behalf of their clients, but we need to accept the paradigm shift that is involved. We’re moving to a consumer consent model where permission is the prerequisite for use of any and all data in consumer outreach. That shift will be a radical one for the larger digital marketing community. It’s especially alarming for firms that rely on third-party data, which by definition doesn’t come from the individual consumer and therefore cannot be given with permission.
Consider the compliance challenge of how we continue to do what we do without running afoul of the law. We like to think of marketing and the ad-tech industry as a transparent marketplace where consumers come to the table knowing that their data is exchanged for a clear benefit. But like email marketers who confronted the arrival of CAN-SPAM more than a decade ago, our business practices going forward will be driven by securing permission from consumers (by any means necessary) to be marketed to in the future.
Ironically, in spite of being the primary target of legislators on the privacy issue, Facebook, Google, Amazon, Apple and your ISP will have all the leverage in trading services for permission.
Write your privacy policy in plain English, and keep it short
If the core value of privacy legislation is that those who use consumer data must do so with permission, then we need to be clear about the permissions we seek. Recently, The New York Times tracked the evolution of Google’s first privacy policy of about 600 words to its current version of 4,000 words. The standard for a good privacy policy can’t be “it passes muster with legal” (although it must). Instead, the standard needs to be whether an average person can comprehend it quickly, which is certainly a challenge.
Look for first-party data partnerships
Third-party data is at risk of being a thing of the past in a permission-based world. This will be an obstacle for all forms of direct marketers, ranging from the carpet store that drops postcards to folks in town who have owned homes for seven to 10 years to the new clinic therapy practice opening up in town. Direct-to-consumer (DTC) brands for everything from fashion to culinary specialties won’t have the third-party data they need to prospect. Ad-tech vendors, charged with opening up market opportunities for countless entrepreneurs, will be blocked from the intelligence that makes ROI possible. After all, it’s tough to secure someone’s permission to use their data if you have no legal right to market to them.
Other than simply conceding to the legal rocket fuel that will be handed to the monopolistic walled gardens through most of the privacy laws currently proposed, one (suboptimal) path forward is the further consolidation of ad-tech vendors. Another mirrors a long-running practice in direct mail, the creation of co-ops to create vertical market solutions that allow advertisers to pool their permissions and opt-ins.
Ad tech already anonymizes the targeting of qualified third-party data audiences, and through the same techniques, they can support anonymizing transacted data, almost like a digital media escrow company. The challenge will be securing consumer permission to share their transactions. Of course, our collective ineffectiveness in helping consumers understand how permissions they granted while receiving services led to retargeting and offers from other advertisers is part of how we got to this point.
Engage with policymakers
Last year, Google was a no-show at a Senate hearing to investigate election interference. Predictably, the Senate turned the empty chair into a prop for political theater. Out of it came discussions of breaking up big tech and scare tactics to conflate it with the privacy issue to create a bogeyman for the benefit of 2020 poll numbers. If previous legislative hearings are any indication, lawmakers have a lot to learn about how the internet works.
To be fair, legislators need the benefit of full context on the potential impact of a national privacy policy. As an industry, we need to step up and ask to brief our local congressional and senate representation. They need to know how customer acquisition and consumer outreach actually works for the countless startups and entrepreneurial ventures that they applaud in their stump speeches.
Cutting off access to customers by putting third-party data out of reach solidifies Facebook, Amazon and Google as the gateways to the internet and, increasingly, the gateways to free-enterprise. The consequence of a one-size-fits-all privacy policy to small- and medium-sized enterprises will have them sitting on the sideline because they are too scared of class-action lawsuits and too smart to throw marketing dollars at unqualified targets.
This is an actual problem that our legislators need to be aware of. The issue of privacy is far too complex and impactful to the economy to cede the conversation to an empty chair.
