Why Lawmakers Are Keeping Ad Tech Under Such Close Scrutiny

Certain practices are drawing regulatory attention

Lawmakers are specifically concerned about the use of bidstream data that's sold and used for targeting and audience profiling.
Photo Illustration: Dianna McDougall; Source: Getty Images

Lawmakers and regulators are growing wary of the ad-tech industry as the novel coronavirus pandemic has shined a light on the space’s seedy underbelly.

Penny-pinching companies have ratcheted up scrutiny of ad tech’s unloved middlemen since the outbreak, as the squeeze on ad spend means vendors are more likely to make late payments and marketers are less willing to pay nontransparent rates.

Now lawmakers and regulators are on board. Ten senators and members of Congress signed a July 31 letter to the Federal Trade Commission asking the regulatory agency to investigate “widespread privacy violations by companies in the advertising technology industry that are selling private data about millions of Americans, collected without their knowledge or consent.”

Lawmakers are concerned about the use of bidstream data, information gathered during an online ad auction that’s sold and used for targeting and audience profiling. Specifically, lawmakers called out the ability to match location data from the bidstream with other data sets to build profiles of people who attended places of worship or Black Lives Matter rallies.

“It’s now clear that shady data brokers are exploiting loopholes in federal privacy law to compile massive databases of Americans’ personal information, which they are selling to anyone with a credit card. These irresponsible bad actors are not just violating Americans’ privacy, but they are putting at risk advertising jobs reliant on the responsible use of data,” said Sen. Ron Wyden, D-Ore., who spearheaded the initiative.

FCC commissioner Geoffrey Starks raised similar concerns in an Aug. 5 letter to Verizon and AT&T, which own ad-tech companies Verizon Media and Xandr, respectively. The letter asked about each company’s aggregation and monetization of “sensitive consumer data” for advertising purposes as well as their “policies and procedures to prohibit or minimize tracking of Americans to protests, including the Black Lives Matter protests, and other sensitive locations, including places of worship and medical providers.”

Verizon Media declined to comment. An AT&T spokesperson said the company is reviewing the letter and will respond appropriately.

How taking data from the bidstream happens

In the milliseconds it takes for a webpage or an app to load, a publisher sends out a signal for an ad request. Using industry standards for real-time bidding, demand-side platforms, which represent marketers, bid for that ad, and a supply-side platform helps place the winning bid.

Ad-tech companies that participate in that ad request can see a slate of information: basic data around ad type and website name, and more granular data like the end user’s IP address, location and device type. Users typically need to provide consent in order for this granular information to be shared with third parties.

When an ad auction occurs, third parties can gather information, like location data, without even bidding on an ad. Publishers have already called out the practice of harvesting data from the bidstream, since it allows vendors to create data offerings that compete directly with publishers’ business.

Lawmakers and regulators aren’t concerned about data provided by users with their consent being passed back and forth for advertising purposes. The concern is around misuse of personal data, like profiling against race and religion, by unknown third parties and bad actors.

“Anyone with a … connection to the exchange can then go and listen out for those device IDs and those [locations] on a huge scale,” said Mark Slade, CEO of Location Sciences, who explained that vendors bring data from the bidstream into their own platform to build audience segments, which vendors ultimately sell.

Those audience segments can ultimately wind up in the hands of marketers looking to enrich their data sets and reach new customers. However, The Wall Street Journal has found instances where location data is sold to government agencies for immigration enforcement.

“Where we think is the greatest concern for people … is that whatever data is being collected by anybody, and whatever data is being used by anybody, is not being collected or used in ways that are going to be harmful,” said Dan Jaffe, group evp of government relations for the Association of National Advertisers.

Jason Smith, chief business officer of Location Sciences, said bidstream data accounts for a “notable size” of the location data industry, but marketers aren’t always aware of that.

“It’s not that a brand is necessarily erroneously profiling someone or using the data with any malicious intent. What does likely happen is that they’re combining their own data, which they have a lot of control over a lot of insight, with these other data sets that are provided to them by the [third-party] companies, but they’re not able to understand what’s in that data set that they’re licensing or working with from these third parties,” Smith said.

Why now?

The lawmakers’ letter to the FTC references an earlier letter (which Adweek signed) from media auditor BPA Worldwide calling out the practice of siphoning data from the bidstream.

BPA Worldwide president and CEO Glenn Hansen said that while the group has not taken a position to influence public policy, it does believe all parties should comply with government regulations around privacy laws.

“We welcome attention on this issue from the congressional leaders, and we are happy to work with anyone interested in addressing data leakage,” Hansen told Adweek.

Calls to clean up ad tech also come ahead of November’s general election, where digital is set to be a major campaigning arena. The last thing the industry wants is another Cambridge Analytica scandal.

The FTC acknowledged receipt of the letter but declined to comment further. FTC investigations are typically an opaque process, and it’s unclear how the regulatory body proceeds, if at all, with investigations after lawmakers raise concerns, according to a source with knowledge of such investigations.

While the California Consumer Privacy Act has recently become enforceable, there’s still no federal privacy law to oversee digital advertising and protect user data. A handful of other states are working on their own laws, and Jaffe expects these states to ramp up efforts in the early part of 2021 once legislatures are back in session.
