‘Careful What You Wish For,’ Ad-Tech Firms Respond to Privacy Mandate

Not even a month old, CCPA is already having unintended consequences

the state of california outlined in front of an eye
Similar to GDPR, Big Tech is expected to benefit from CCPA. Photo Illustration: Dianna McDougall; Sources: Getty Images
Headshot of Ronan Shields

Key insights:

Today, if you can believe it, is the 14th annual international Data Privacy Day, and as the ad-tech industry marks off Jan. 28 on the calendar, companies are reflecting on the early impact of the California Consumer Privacy Act.

Public awareness about how personal data is used as a transactional currency is rising, and a survey released today by FormAssembly shows businesses are still grappling with how to move forward. Speaking recently with Adweek, one publisher spoke of how media companies were lately “operating in the dark” since CCPA—a law affecting companies around the world that possess data on the Golden State’s nearly 40 million residents—came into effect on Jan. 1, and that the challenges were likely to get steeper.

For ad-tech companies, foundational questions of existence are part of every conversation, but so is trying to navigate some of the unintended consequences of the legislation.

Eric Shih, vp of business development at Teads (an ad-tech company that helps publishers improve ad yield), recently told Adweek that while there has been “low but increasing” adoption of the IAB’s CCPA framework, lots of publishers still had to address their ad stack accordingly.

“There’s certain types of legwork that has to be done with certain types of integrations,” Shih said. “For instance, there are header bidding publishers that need to upgrade their wrapper because it’s not compliant, or in the app space there are SDK updates that need to be done—it’s all a significant integration challenge.”

Some early CCPA opt-out rate data

Shih explained that CCPA opt-out rates—how often California residents choose the Do Not Sell My Data option on a publisher’s website—were in the range of 0.3% of total traffic, according to Teads’ log data.

Unable to comment on the overall impact CCPA has had on average CPMs, Shih did note that there is an average 50% reduction in bidding activity when the buy-side of the industry sees an opt-out. But he attributes this to early caution, given the relatively short time demand-side platforms had to implement the CCPA consent framework before Jan. 1.

Still no firm direction from authorities

Speaking with Adweek before the enforcement of CCPA, Celine Guillou, a California-based partner at Silicon Valley law firm Hopkins & Barley, pointed out how many in the sector are adopting a comparatively relaxed attitude as “full enforcement” by the Office of the Attorney General is not expected until July 2020.

In contrast, further studies demonstrate that the public wants to know exactly which companies have access to their data, with Gary Kibel, an attorney at the law firm Davis & Gilbert, noting discernable caution, particularly in ad tech following CCPA enactment.

For example, 85% of businesses want data privacy regulation at a federal level, while less than half (49%) have a documented means of allowing customers to access and delete their information, a core principle of U.S. privacy statutes, as well as General Data Protection Regulations in the EU.

Both Guillou and Kibel argue that CCPA guidance from the California AG’s office has been muddled at best.

“When CCPA first came out, a lot of companies in the ad-tech ecosystem looked at them and said, ‘I don’t know how to avail consumers of these rights.’ … So the IAB framework has been a good attempt at establishing processes to do this,” Kibel said.

According to Kibel, many companies, both consumer-facing and business-to-business, have had to devise whole new processes for handling data, with outfits such as DSPs and supply-side platforms facing fundamental challenges.

Fundamental questions to be asked

“I am seeing companies have to redesign their bidding process to deal with IAB signals and opt-outs and the preferences of their publisher partners,” Kibel added. “It’s changing the way the retargeting market is working.”

Such legislation, along with policy changes by the industry’s key stakeholders, will fundamentally alter how ad tech has operated since its inception, such as lookalike modeling and device graph construction.

Gareth Davies, co-founder and president of TruthSet, also told Adweek that many in the ecosystem are still evaluating what their businesses look like through the lens of CCPA. The key question is whether or not they “sell” data.

“Unsurprisingly, some publishers and vendors—Facebook included—do not consider the act of ad targeting and optimization a sale,” Davies said. “Time will tell if regulators choose to agree.”

Should regulators determine that targeting is tantamount to a data sale, Californians could opt out en masse from the sale of their data courtesy of the prominent “do not sell my personal information” buttons that have become ubiquitous, he added.

Unforeseen consequences

Privacy laws such as CCPA and GDPR were drafted to curtail the excesses and market dominance of Big Tech, most notably Google and Facebook, but in the media business it has led some advertisers to seek refuge in the walled gardens.

For the most part, this is because platforms such as Amazon, Facebook and Google have vast swaths of (privacy-compliant) first-party data, though CCPA rules about what constitutes privacy compliant data collection have yet to be clarified.

Elsewhere, the rollout of such privacy laws resulted in unintended consequences, according to some who assert that such laws are also prompting nefarious activity.

Henry Lau, a co-founder of Privolta, told Adweek that a recent study by his company found that walled garden providers such as Amazon and Google placed far more obstacles to consumer opt-outs compared to premium publisher sites.

For instance, it requires 17 clicks to opt out of Google’s ad targeting under GDPR terms, according to the study, whereas the website of leading U.K. publisher The Daily Mail requires three. He echoed other sources’ claims that uncertainty was causing nerves among the buy-side of the industry, adding that DSPs are unwilling to bid on inventory without consent strings.

‘Manufactured consent’ and more malware

“One of the consequences of this decision is that European inventory without GDPR consent strings has effectively become near valueless and usually gets pushed to Google for monetization,” added Lau, noting that the search engine has its own ideas on how to comply with GDPR.

As a result, some players are incentivized to “manufacture consent,” with some consent management platforms introducing so much friction to the opt-out process that they are not in keeping with the spirit of such regulation, according to Lau.

Additionally, The Media Trust’s head of global marketplace innovation Cory Schnurr noted a surge in malware since Jan. 1, a phenomenon commonly associated with a dip in CPM value among publishers.

Schnurr told Adweek how his outfit observed a 600% increase in malware that steals IP data—known as ICEPick-3PC or eGobbler in industry circles—between December 2019 and January 2020. The opening month of any year typically sees an increase in instances of eGobbler, primarily because of lower bidding activity leading to reduced average CPM rates, which in turn lets bad actors into the ecosystem.

“This could be related to publishers purging user cookies for CCPA, and quality demand for unidentified users being lower; although many other variable factors may be at play,” added Schnurr. “It’s crucial to have a solution in place to scan ads continuously for, and block, malware, as increasing floors alone does not inherently stop the malware from delivering.”

So, while the public demands greater and greater data privacy, some of those in ad tech are responding by saying, “Be careful what you’re asking for.”

@ronan_shields ronan.shields@adweek.com Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.