As the California Consumer Privacy Act prepares to go into effect in January, the Mobile Marketing Association and Network Advertising Initiative are briefing their constituencies on how to share consumers’ location data.
This includes efforts from some of the industry’s biggest names—Facebook and Google among them—to more clearly articulate to the public the online ad industry’s methods of monetizing their location data.
Elsewhere, the NAI is encouraging members to raise the age of consent of addressable audiences from 13 to 16 as it seeks to implement a new Code of Conduct in 2020 given the likelihood of patchwork state-by-state data privacy regulations rolling out.
However, on an almost weekly basis, more and more data laws are being debated state by state, a scenario that is generating ad-tech intermediaries’ demand for legal guidance.
The MMA recently raised funds among its members to establish a new initiative called the Location Privacy Alliance with the aim of developing self-regulatory guidelines for companies whose business models rely on such practices.
The trade body now counts a host of senior marketers from household brands such as Calvin Klein, Hilton and Uber among its board membership, with the CMOs from the panel requesting such an intervention, according to Greg Stuart, CEO and president of the MMA.
“The reason we’ve stepped into location privacy guidelines is that the marketers want us to protect that opportunity for them,” Stuart told Adweek.
Tech platforms taking the lead at marketers’ behest
Online companies participating in these efforts include Facebook, Foursquare, Google, GroundTruth, IBM, PlaceIQ and Verizon Media, with more specific guidelines expected to be formalized and made public by the close of 2020.
“There are another eight to 10 major marketers who’ve also assigned people to be involved, and that includes Walmart, Unilever, Miller Coors, Coca-Cola,” Stuart said, while the MMA is still adding more companies to the efforts.
At press time, the working group has only met twice but thus far, it has identified 10 to 14 issues to address when it comes to responsibly sharing of consumer location data, according to Leo Scullin, vp of industry programs at the MMA.
Specifically, the Location Privacy Alliance wants to address a location data consent framework, including a means of informing the public how the entire advertising ecosystem collects, analyzes and monetizes such information.
Other areas of data management to address include establishing a consensus on the definition of “precise location,” differential privacy and methods of achieving them in a way that satisfies various regulatory regimes, including GDPR and CCPA
“We’re not going to get into advocacy per se or set up an arm in Washington [D.C.],” Scullin said, adding that “the aim is for a self-regulatory framework that is both good for citizens and good for business.”
He continued, “Some members of our group want to do policy thinking and strategizing … but what we really want to do is put a real line in the sand that we can point to and that everyone can move up to.”
NAI’s 2020 Code of Conduct
The NAI recently updated its guidance to members with its 2020 Code of Conduct to better reflect the sterner regulatory climate to come, with the body on course to conduct an annual review of its 100-plus members and policies as regards location data collection.
For instance, members must use “opt-in consent for precise location ad delivery or reporting.” This means NAI members cannot just take publishers at their word when it comes to consent. Rather, they must put technical measures in place to ensure it.
Additionally, the NAI will require members, the majority of whom can be categorized as ad tech, to raise the age of addressable audiences from 10 to 13 and adopt fully opted-in consent for data collected by sensors such as cameras and microphones.
Other tenets include offering the public the ability to opt out of being targeted with ads based on personally identifiable information, including disclosure on what PII they harbor.
David LeDuc, vp of public policy at the NAI, told Adweek the trade body generally encouraged members to use data that is tied to pseudonymous identifiers like using a device ID as opposed to PII.
“With the 2020 code, we’re making a significant change whereby previously companies could rely on a platform [for opt-in permission],” LeDuc said. “But for the new code, we’re requiring some type of interstitial notice where there will be more detailed, clear information about the collection and use of location data before they get consent.”
A federal consensus
Companies on every tier of the digital advertising spectrum are concerned about the likelihood of a state-by-state patchwork of differing data privacy laws, and some have been lobbying federal lawmakers to draft preeminent laws that would apply to their practice.
Anthony Matyjaszewski, vp of compliance and membership at the NAI, told Adweek it is conceivable that companies may be able to apply national policies and guidelines that are compliant with 50 separate laws, although that may not be easy to achieve.
“More importantly, it’s not good for consumers to have different levels of privacy in different states,” Matyjaszewski said, adding that the “industry and lawmakers are in agreement on this point.”
“We’ve had extensive discussions with members of Congress [both in the House and the Senate] and the Federal Trade Commission. The good news is there’s strong support for a federal standard,” he said.
However, the likelihood of such a law coming on the books is small, at best. In the interim, multiple sources spoke of developing a “Hippocratic oath” that sets out clear principles that all location specialist companies can adhere to. This is something the MMA wants to push ahead with.
A proponent of this is Jeff Glueck, CEO of Foursquare, a company that recently raised $150 million and purchased Placed from Snap to offer advertisers an attribution service. Glueck emphasizes that companies should “do no harm.”
A moving target still open for interpretation
Celine Guillou, a California-based counsel at Hopkins & Carley, explained to Adweek some of the complications that exist given the wording of CCPA, drawing a comparison between it and GDPR.
Under the European legislation, companies can be classified as “data controllers” or “data processors” with public-facing companies holding first-party data widely regarded as the former and b-to-b ad-tech companies commonly deemed the latter.
“I know that in the ad-tech industry, there’s a lot of debate as to whether certain players in the ecosystem are controllers or processors and then, of course, you have the cookie consent mechanisms that come into play,” Guillou said.
“But with California, there’s a bit of a challenge … as those roles are not very well defined and the thing for ad tech is figuring out for the various players where they stand,” Guillou said, adding that several proposed amendments to CCPA are still under consideration.
In particular, CCPA provides California-based consumers the right to opt out of allowing businesses to sell their personal information to third parties.
Ad tech has attempted a number of CCPA exemptions, including the “service provider exception,” which is still open for interpretation but would effectively mean that such intermediaries–or “data processors”—would not have to obtain a consumers’ opt in.
For example, a favorable interpretation would effectively classify a publisher passing audience data to a third party in an ad auction as a service to the media owner, not the resale of that data to an intermediary.
“So, the question here is whether there any players in ad tech and, in particular, intermediaries could possibly fall under that exception,” Guillou said.
However, Gary Kibel, a New York-based partner at Davis & Gilbert, described to Adweek how some ad-tech companies may have difficulty categorizing themselves as service providers under CCPA, as many hold on to data that is passed to them in order to improve their future targeting capabilities.
As new laws across the union pop up on a regular basis, Kibel advised ad-tech companies to truly interrogate how their platforms operate. “Everyone’s head has to be on a swivel as you’ve got states like New York that have a few proposed bills,” he said. “Ad-tech companies need to look at how they collect and use data to determine where they fall within these definitions [from state to state] because it’s going to significantly drive their compliance obligations.”