Lawmakers and regulators are growing weary of the ad-tech industry as the novel coronavirus pandemic has shined a light on the space’s seedy underbelly.
Penny-pinching companies have ratcheted up scrutiny of ad tech’s unloved middlemen since the outbreak, as the squeeze on ad spend means vendors are more likely to make late payments and marketers are less willing to pay nontransparent rates.
Now lawmakers and regulators are on board. Ten senators and members of Congress signed a July 31 letter to the Federal Trade Commission asking the regulatory agency to investigate “widespread privacy violations by companies in the advertising technology industry that are selling private data about millions of Americans, collected without their knowledge or consent.”
Lawmakers are concerned about the use of bidstream data, information gathered during an online ad auction that’s sold and used for targeting and audience profiling. Specifically, lawmakers called out the ability to match location data from the bidstream with other data sets to build profiles of people who attended places of worship or Black Lives Matter rallies.
“It’s now clear that shady data brokers are exploiting loopholes in federal privacy law to compile massive databases of Americans’ personal information, which they are selling to anyone with a credit card. These irresponsible bad actors are not just violating Americans’ privacy, but they are putting at risk advertising jobs reliant on the responsible use of data,” said Sen. Ron Wyden, D-Ore., who spearheaded the initiative.
FCC commissioner Geoffrey Starks raised similar concerns in an Aug. 5 letter to Verizon and AT&T, which own ad-tech companies Verizon Media and Xandr, respectively. The letter asked about each company’s aggregation and monetization of “sensitive consumer data” for advertising purposes as well as their “policies and procedures to prohibit or minimize tracking of Americans to protests, including the Black Lives Matter protests, and other sensitive locations, including places of worship and medical providers.”
Verizon Media declined to comment. An AT&T spokesperson said the company is reviewing the letter and will respond appropriately.
How taking data from the bidstream happens
In the milliseconds it takes for a webpage or an app to load, a publisher sends out a signal for an ad request. Using industry standards for real-time bidding, demand-side platforms, which represent marketers, bid for that ad, and a supply-side platform helps place the winning bid.
Ad-tech companies that participate in that ad request can see a slate of information: basic data around ad type and website name, and more granular data like the end user’s IP address, location and device type. Users typically need to provide consent in order for this granular information to be shared with third parties.
When an ad auction occurs, third parties can gather information, like location data, without even bidding on an ad. Publishers have already called out the practice of harvesting data from the bidstream, since it allows vendors to create data offerings that compete directly with publishers’ business.
Lawmakers and regulators aren’t concerned about data provided by users with their with consent being passed back and forth for advertising purposes. The concern is around misuse of personal data, like profiling against race and religion, by unknown third parties and bad actors.
“Anyone with a … connection to the exchange can then go and listen out for those device IDs and those [locations] on a huge scale,” said Mark Slade, CEO of Location Sciences, who explained that vendors bring data from the bidstream into their own platform to build audience segments, which vendors ultimately sell.