As Privacy Concerns Make the Internet More Opaque, Can Ad Tech Keep Its Promise?

Regulations like GDPR hit at the heart of the programmatic advertising industry, which relies on personal information to make good on its main value proposition: “the right ad to the right person at the right time.”

In response to the growing public unease with how consumers’ data is being collected and used, the tools long used by the ad-tech industry are becoming less useful. The major platforms by which ads are served—browsers and social networks—are becoming more opaque with their users’ data.

Public sentiment is even turning on cookies, the small bits of code almost as old as the internet itself that track a website visitor across the internet in order to tailor the ads shown to them.

The Interactive Advertising Bureau’s Tech Lab is doing its part as the ad-tech industry’s governing body, proposing several new ideas in the hopes of easing concerns over how firms collect and use personal data. But not everyone believes the agency is going far enough, while others see the policies as unnecessary hurdles.

So, what’s an industry to do?

Complying—and coping—with new regulations

Enacted in May 2018, the General Data Protection Regulation (GDPR) has challenged the core tenets of ad tech across the European Union, with regulators there issuing increasingly stern warnings to publishers and advertisers—not to mention fines.

This was underlined recently by the U.K. Information Commissioner’s Office, which conducted an investigation into ad tech companies’ use of personal data and in particular real-time bidding (RTB), the process by which ads are auctioned in the milliseconds during which a website loads.

In its assessment, the ICO echoed concerns expressed by privacy advocates, including the internet browser maker Brave, over how RTB lets thousands of ad tech companies access the personal details of individuals without their prior consent. “RTB is an innovative means of ad delivery, but one that lacks data protection maturity in its current implementation,” the report states.

Speaking recently at an ad-tech conference in London, ICO head of technology policy Ali Shah struck a more conciliatory tone, although he did underline that under GDPR, the regulator reserves the right to issue fines of up to 20 million euros (about $22 million), or up to 4% of annual global revenues, should it continue to see shortcomings.

Banning RTB would deal a heavy blow to ad tech in the region and bring intense scrutiny on advertisers’ use of data to personalize both the content and placement of ads, according to Brave.

U.S. ad tech prepares for harsher climes

All this takes place against a backdrop of proposed privacy laws either being drafted or proposed across the U.S., beginning with the California Consumer Privacy Act (CCPA). Set to come into effect in January 2020, CCPA will be the first major privacy overhaul ad tech will have to face in the industry’s largest media market.

Additionally, while the industry lobbies for a federal privacy law, state-level politicians across the country are drafting their own laws that could leave data brokers navigating a potential minefield of disparate regulations.

Gary Kibel, a partner specializing in technology and privacy at law firm Davis & Gilbert, described CCPA as a “moving target” for ad tech, with the industry currently awaiting guidance from California’s attorney general.

“Meanwhile, the proposed industry tries to address a process for opt-outs where none currently exists,” Kibel said, adding that the law will force ad-tech intermediaries to interrogate how they collect and store data.

Eager to head off potential regulatory intervention in the form of heavy fines—as well as placate public sentiment—the major platform providers including Apple, Facebook and Google are choking off third-party access to data.

Earlier this year, Google confirmed earlier reports of planned restrictions in its market-leading Chrome browser, including offering consumers the ability to specifically dump third-party cookies.

Meanwhile, 2019 also saw Firefox maker Mozilla begin to implement a version of intelligent tracking prevention, following in Apple’s footsteps: The company announced additional tracking restrictions in an upcoming version of iOS.

Who’s responsible for accountability?

These developments have hit the $129 billion-a-year industry hard. To preserve its future, the IAB Tech Lab has proposed several measures to ensure adequate data protection. These included an encrypted, revocable token; a shared accountability system; and the introduction of a standardized, controlled container to better protect personally identifiable information.

The ideas were unveiled at an IAB Tech Lab conference last week in front of various industry stakeholders. Multiple sources told Adweek that ad-tech companies would be better served by articulating how they use data, as well as articulating to users the value they receive (like free online content) in exchange for allowing their data to be used.

David Kohl, CEO and president of premium publisher collective TrustX, told Adweek, “The IAB TechLab’s proposal is among many that are part of our industry’s journey to restore that trust. Certainly, granting consumers more control and holding the industry more accountable are critical if this journey is to be meaningful.”

Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals, reminded Adweek that regulators in France have expressed doubt over the legitimacy of IAB Europe’s latest Transparency Consent Framework—a shared accountability system not unlike the measures recently proposed by the IAB Tech Lab–under GDPR requirements.

“It remains to be seen whether businesses will buy into the new system and how regulators will assess it,” Tene said.

A new way forward?

Joe Root, CEO of data-management platform Permutive, told Adweek the regulatory forces prompting such conversations were indicative of the fact that “ID is broken” for ad targeting.

The restrictive measures taken by Apple and Mozilla have forced a rethink by the industry, according to Root, which he called “a good thing.” He also pointed out how the IAB Tech Lab’s proposed measures would require trust—an oftentimes rare commodity in ad tech.

“The question we should be asking is, ‘How can we solve this problem in a privacy-compliant way with no identity?’ I believe that there is a much more elegant way in which advertising can be traded today, without IDs and without having to recreate the entire advertising ecosystem,” he added.

Similar to the ad-targeting techniques used by Brave, Root advocated a means of delivering ads using an ID and data that never leaves a user’s device and also doesn’t rely on the use of third-party data.

“In this scenario, publishers would not be selling an individual user. They would be selling an audience, based on a common taxonomy, something that the entire industry can do today because we have a common taxonomy in the Data Transparency Standards,” he explained. “In this scenario, publishers are the most reliable and trusted source to find an audience.”

Currently, IAB Tech Lab is soliciting input from stakeholders on the proposed measures. And while none of the major platform providers have issued a formal response to them, sources indicate they are inspecting the wares with interest.

While many question marks continue to hang over the ad-tech industry—as well as the potential for new means of ad targeting—what remains clear is the need to seriously re-evaluate how it both identifies users and uses their personal information.