A Map or a Matrix? Identity Management Is More Complex By the Day

A newly published white paper on how advertisers and brands can recognize unique customers across marketing platforms underscores just how tough this important job is for data-driven marketers.

As technologists and policymakers weigh in themselves on the data universe – often without understanding the full ramifications of what they do (or worse, knowing so but proceeding anyway) – data flows on the Internet and on mobile platforms are being dammed, diverted, denuded, and divided.

In my opinion, these developments are not decidedly good for advertising – which relies on such data to deliver relevance in messaging, as well as attribution and measurement. There is a troubling anti-competition mood in the air. It needs to be reckoned with.

Consider these recent developments:

  • Last week, the European Court of Justice rendered a decision that overturned “Privacy Shield” – the safe harbor program that upward of 5,000 companies rely upon to move data securely between the European Union and the United States. Perhaps we can blame U.S. government surveillance practices made known by Edward Snowden, but the impact will undermine hugely practical, beneficial, and benign uses of data – including for such laudable aims as identity management, and associated advertising and marketing uses.
  • Apple announced it will mandate an “opt-in” for mobile identification data used for advertising and marketing beginning with iOS 14. Apple may report this is about privacy, but it is also a business decision to keep Apple user data from other large digital companies. How can effective cross-app advertising survive (and be measured) when opt-in rates are tiny? What about the long-tail and diversity of content that such advertising finances?
  • Google’s announcement that it plans to cease supporting third-party cookies – as Safari and Mozilla have already done – in two years’ time (six months and ticking) is another erosion of the data monetization used for advertising. At least Google is making a full-on attempt to work with industry stakeholders (Privacy Sandbox) to replace cookies with something else yet to be formulated. All the same, ad tech is getting nervous.
  • California’s Attorney General – in promulgating regulation in conjunction with the enforcement of the California Consumer Privacy Act (in itself an upset of a uniform national market for data flows, and an undermining of interstate commerce) – came forth with a new obligation that is absent from the law, but asked for by privacy advocates: Companies will be required to honor a browser’s global default signals for data collection used for advertising, potentially interfering with a consumer’s own choice in the matter. It’s the Do Not Track debate all over again, with a decision by fiat.

These external realities for identity are only part of the complexity. Mind you, I haven’t even explored here the volume, variety, and velocity of data that make data collection, integration, analysis, and application by advertisers both vital and difficult to do. As consumers engage with brands on a seemingly ever-widening number of media channels and data platforms, there’s nothing simple about it. No wonder Scott Brinker’s Mar Tech artwork is becoming more and more an exercise in pointillism.

Searching for a Post-Cookie Blueprint

So it is in this flurry (or fury) of policy developments that the Winterberry Group issued its most recent paper, “Identity Outlook 2020: The Evolution of Identity in a Privacy-First, Post-Cookie World.”

Its authors take a more positive view of recent trends – reflecting perhaps a resolve that the private sector will seize the moment:

“We believe that regulation and cookie deprecation are a positive for the future health and next stage of growth for the advertising and marketing industry as they are appropriate catalysts for change in an increasingly privacy-aware consumer environment,” write authors Bruce Biegel, Charles Ping, and Michael Harrison, all of whom are with the Winterberry Group.

The researchers report five emerging identity management processes, each with its own regulatory risk. Brands may pursue any one or combination of these methodologies:

  • “A proprietary ID based on authenticated first-party data where the brand or media owner has established a unique ID for use on their owned properties and for matching with partners either directly or through privacy safe environments (e.g.: Facebook, Google, Amazon).
  • “A common ID based on a first-party data match to a PII- [personally identifiable information] based reference data set in order to enable scale across media providers while maintaining high levels of accuracy.
  • “A common ID based on a first-party data match to a third-party, PII-based reference data set in order to enable scale across media providers while maintaining high levels of accuracy; leverages a deterministic approach, with probabilistic matching to increase reach.
  • “A second-party data environment based on clean environments with anonymous ID linking to allow privacy safe data partnerships to be created.
  • “A household ID based on IP address and geographic match.”

The authors offer a chart that highlights some of the regulatory risks with each approach.

“As a result of the diversity of requirements across the three ecosystems (personalization, programmatic and ATV [advanced television]) the conclusion that Winterberry Group draws from the market is that multiple identity solutions will be required and continue to evolve in parallel. To achieve the goals of consumer engagement and customer acquisition marketers will seek to apply a blend of approaches based on the availability of privacy-compliant identifiers and the suitability of the approach for specific channels and touchpoints.”

A blend of approaches? Looks like I’ll need a navigator as well as the map. As one of the six key takeaways, the report authors write:

“Talent gaps, not tech gaps: One of the issues holding the market back is the lack of focus in the brand/agency model that is dedicated to understanding the variety of privacy-compliant identity options. We expect that the increased market complexity in identity will require Chief Data Officers to expand their roles and place themselves at the center of efforts to reduce the media silos that separate paid, earned and owned use cases. The development of talent that overlaps marketing/advertising strategy, data/data science and data privacy will be more critical in the post-cookie, privacy-regulated market than ever before.”

There’s much more in the research to explore than one blog post – so do your data prowess a favor and download the full report here.

And let’s keep the competition concerns open and continuing. There’s more at stake here than simply a broken customer identity or the receipt of an irrelevant ad.

The Intersection of Personalization & Privacy: How to Communicate with Consumers

Consumers expect to get whatever they want, whenever they want it, delivered how they want it. You can credit (or blame) Amazon for setting expectations so high, but those same expectations extend to online publishing and marketing.

[Editor’s note: While this is geared toward the publishing audience in language, there are numerous valuable takeaways for marketers.]


Increasingly, publishers must personalize to thrive — a mission that can be at odds with new privacy mandates.

What Exactly Do Consumers Expect?

Virtually every publisher now promises customized content, but that promise can mean a few different things. On the one hand, it’s a promise to deliver a certain type of content that’s tailored to your reader’s individual interests. But it also means a promise to deliver content according to that person’s consumption preferences for device/channel (desktop, mobile, or tablet/website, social, or email).

Publishers deliver on these promises through a variety of features. Notifications that push to a consumer’s preferred device are one popular way to meet audiences on the most personal level. Likewise, social integration (both as commenting platforms and logins) is now seen as essential because it not only customizes the experience, but also makes it friction-less.

But, as publishers are well aware, building these features and executing personalization strategies takes significant resources that aren’t necessarily part of the core business.

Brands Are Doing the Same Thing with More Resources

While brands and publishers typically sit on opposite sides of the media ecosystem, their challenge is the same when it comes to personalization. Publishers and advertisers must both deliver the right message to the right person, at the right time. Tellingly, brands and publishers have tackled this challenge in different ways.

By and large, brands and bigger media companies have taken this kind of work in-house. But most small and medium-sized publishers have gone in the opposite direction, turning to agencies and vendors to navigate the complexities of data analytics, personalization, and monetization.

These are technical and costly undertakings. Small publishers may struggle because of limited expertise, but even big publishers may prefer to invest in content rather than building in-house technology. And just finding, vetting, and holding vendors accountable is a challenge for many publishers.

But regardless of how publishers solve for personalization, the brand context is important because well-resourced brands are setting the bar for consumer expectations here. As privacy compliance adds layers of complexity to personalization, brands and publishers will have to adapt to perform the same mission, albeit with varying levels of resources.

Personalization Is the Crucible of Privacy Chaos

To understand how personalization and privacy intersect, start with a fundamental question: How do I personalize something for you if I don’t know anything about you?

The question illustrates the tension between personalization and privacy. The more consumers share, the greater the level of personalization. Of course, the opposite is also true. If you don’t want to share anything personal, be prepared to accept the generic experience.

While that may sound like common sense, the reality is that publishers are stuck in a bind. You must reconcile the chaos that comes from a patchwork of state-mandated privacy laws — including California’s CCPA, plus laws in 10 other states — with consumer expectations that value privacy on the one hand and expect seamless, personalized experiences on the other. To be clear, there’s no “right answer,” in part because just as personalization preferences vary by individual, so, too, do our feelings about privacy.

Publishers, perhaps better than any other stakeholder, are uniquely positioned to lead this conversation. After all, consumers seek out publishers because they are trusted sources. But when it comes to explaining the tradeoffs between personalization and privacy, publishers usually fall back on their lawyers. That can be a mistake. Instead of relying fully on lawyers, publishers should communicate with their consumers in a clear, authentic voice. Here are some suggestions:

  • Speak in your brand’s voice. Typically, conversations that touch on the tradeoff between personalization and privacy get off to a bad start because privacy policies are written in a foreign language called legalese. Using your brand voice is more effective because it’s authentic. If your brand is edgy or sarcastic, talk about privacy with an edgy or sarcastic tone. Two examples: 1) Fitbit’s privacy policy is written in easy-to-navigate bullet points for users who may not have the time to take a deep dive into the brand’s Terms of Service; 2) Apple’s privacy policy, which is quite in-depth, is written in the same easy-to-understand language Apple uses for its product copy.
  • Tell people what information you want and why you need it. A concept like “personally identifiable information” means a lot to lawyers, but it’s not something consumers think about in their daily lives. Instead, make specific asks for email, social media, or cookies and then explain why you need that information. Be clear that your product might not work as advertised unless the user shares some private information. The key is context. If you want movie screening times “near you,” for example, we need to know your location. Instead of just asking for a user’s location, say something like, “Tell us where you are so we can find a movie near you.”
  • Explain how the consumer benefits in concrete terms. If you’re using language like “so we can best serve you…” you’re being too vague. Instead, state the value proposition directly. Explain how you want to serve the consumer by telling them what they can expect — content tailored to their interests, timely notifications, etc. When you do that, you empower the consumer to make their own informed choices about the tradeoffs between privacy and personalization.
  • If you plan to share someone’s information with a third-party, be upfront about it. Reserving the right to share consumer data with third-party partners sounds like legalese, but it also sounds like you’re hiding something. There are valid reasons to share data with others. Tell consumers why you’re sharing their data, who you’re sharing it with, and how the opt-out works.

Navigating these delicate waters will be challenging, but putting the time and energy into incorporating your brand identity into privacy compliance will pay for itself in the long run. Your users will appreciate the effort and better personalization, and you will (hopefully) have stronger user connections and fewer people opting out.

Data Love Story in the USA With a Few Spats, Too

You might call this time of year, Jan. 15 to March 15, marketing data’s “high season,” based on all of the goings-on. There’s a lot of data love out there — and, like all relationships that are precious, they demand a huge amount of attention, respect, and honor — and celebration.

I’ve been enjoying Alliant’s “Data and the Marketer: A Timeless Love Story” postings this month, leading up to Valentine’s Day.


The Alliant infographic download got me thinking of some other “key” dates that might also be recognized on the Data Love calendar, reflecting other aspects of the love story. Not all love affairs are perfect — are there any? Sometimes there’s a quarrel and spats happen, without any abandonment of a full-on love affair.

  • 1960 — The Direct Marketing Association (then, DMAA) develops its first self-regulatory ethics code for data and lists, in an early industry initiative to separate the good from bad players. It becomes the basis for practically every data protection (and consumer rights) framework since.
  • 1971 — The Mail Preference Service (today DMAChoice) is launched, the first marketing industry opt-out control program for consumers — the essential framework for every consumer choice tool in marketing (in-house and industry-wide) since.
  • 1973 — The U.S. Department of Health, Education, and Welfare introduces and adopts eight Fair Information Principles. In 1980, the Organization for Economic Co-operation and Development adopts these principles for trans-border data flows. In 1995, the European Union, among other governments, enacts variations and interpretations of these formally into law, eventually adopting the EU General Data Protection Regulation in 2018.
  • 1991 — Jennifer Barrett is named Acxiom’s privacy leader — among the first enterprises to name what essentially would become a “chief privacy officer.” In 2000, Trevor Hughes launches the International Association of Privacy Professionals. A nascent cottage industry evolves into a huge professional education and development organization that today includes tens of thousands of members.
  • 1992 — A nonprofit and privacy advocacy organization, the Privacy Rights Clearinghouse, is formed, and soon thereafter begins tracking data security breaches, both public and private sector. Its breach list since 2005 is posted here. Data privacy and data security, as evidenced in Fair Information Practice Principles, go hand-in-hand.
  • 1994 — The first online display ad appears on the Internet, by AT&T. (And the first commercial email perhaps the same year.) So marked the humble beginnings of Internet marketing — “direct marketing on steroids.” I thought Jeff Bezos used this term in Amazon’s (formed 1994) early days during a DMA conference – but alas, I’m having a hard time sourcing that one. Perhaps this quote was related to Google (formed 1998) and the real-time relevance of search!
  • 1995-96 — Subscriber Ram Avrahami asserts a property right to his name in a lawsuit against U.S. News and World Report. Because he thwarted the spelling of his name on the magazine’s list – in a bid to discover who else the magazine rents its subscriber list to – the court ultimately rejects his challenge. The case, however, introduces a novel concept and set of questions: Is the value of any list or database tied to the presence of any one individual name on that list, a penny a name in this case? Or, is its value because of the sweat of the brow of the list/database creator (a business, nonprofit group, or other entity) that built a common attribute to which a list may derive commercial value? The “walled gardens” of today’s Digital Giants largely were built on such data collection. These two questions recognize that a “data-for-value” exchange must be perceived as mutually beneficial, or else consumer trust is eroded. “Who owns the data?” (a 20th Century assertion) might be better substituted today as “Who has a shared interest in the value and protection of data?” (a 21st Century proposition).
  • 2006 — Facebook is formed, among the first companies that created a “social network.” (I’m sure the adult content sector preceded it, as it often points us the way.) In one industry after another, digital disruption reorders supply chains, consumer-brand relationships, shopping practices, and name-your-own-business here. The Great Recession and venture capital serve to speed the quest for data-defined efficiency and transformation.
  • 2017 — Equifax, one of the United States’ three leading credit and information bureaus on Americans, experiences a breach of epic proportions. While the nation was fascinated with subsequent public hearings about Facebook, its data deals, and its (ahem, beneficial) targeted advertising practices, a potentially much more egregious purveyor of harm – sponsored government hacking of the highest order – largely gets a ho-hum from the general public, at least until this past week.
  • 2020 — California fragments online privacy protection in the United States – only underscoring the need for the federal government to act sooner than later. Support Privacy for America.

So, yes, there’s a lot of Data Love out there — and, like all relationships that are precious, they demand a huge amount of attention, respect, and honor — and celebration. See you soon in Orlando!


Marketers Caroling to CCPA: ‘Winter Wonderland’

Marketers caroling may not be what immediately comes to mind to get you in the holiday spirit, but here’s a little ditty about how useful data is to marketers. Sing it along to the melody of “Winter Wonderland.”

To all my many friends who are marketers in the field — the California Privacy Protection Act, new data privacy laws in Maine and Nevada, and who’s next? — this, too, we will endure. All the same, we shall all find new paths to prosper in the New Year, and the consumer will be better for it.

And yes, we should all be looking — shouting from the rooftops — for a single standard law from Congress sooner than later. Americans deserve better!

Is this working for you? I accept, I accept, I accept, I accept, I accept, I accept. Opt-out. Opt-Out. Opt-Out. Opt-Out, infinitum. In your face on every site you visit, and on every app you use?  I want to control data flows about me — not with a browser, not with a default that fails the financing of relevant content — but this is too much. Better for all to have acceptable uses discerned from unacceptable ones — defined by benefits and harms, respectively — legislate THAT, and let innovations flow.

So please join me in my sing-along:

“There’s a tale, are you listening?
Data flails, for the christening.
A new law in sight.
About to take flight,
Drownin’ in a regulated land.

Gone away is the long tail …
Within the walls, a new prevail.
Competition, insights,
Strategies in plight,
Drownin’ in a regulated land.

On the home page we can place an opt-out
Make it clear that data’s not for sale

Another referendum will get plopped out
‘I accept’ and the Internet will fail.

Innovation, on a vacay…
As a patchwork, takes a mainstay
Know better than us
Who can we trust?
Drownin’ in a regulated land

In the filings we can set it all right
Consumer trust is all that we care
They’ll say, ‘are you kidding, you get no rights
Except for private actions in the air.’

And so we toil, we perspire
As the relevance gets retired
They say privacy!
We know it’s not free,
Drownin’ in a regulated land.

[And the big ending…]

Did you say $55 billion?

[Oh, yes] Drownin’ in a regulated land.”

Happy Holidays, everyone!

Eliminating Vendor Risk Is a Critical Step to Win Back Consumer Trust

You don’t have to work in ad tech to know there’s growing distrust around how personal information is being collected, used, or misused. With the GDPR in effect and the CCPA on its way, publishers should consider what third-party partners are doing with their data and take steps to eliminate vendor risk.

Editor’s Note: While originally written for the publishing audience, marketers face a similar situation, as they work with vendors and must be compliant with GDPR and eventually CCPA.

You don’t have to work in ad tech (or even advertising at all) to know that there’s a growing sense of distrust around how people’s personal information is being collected, used, or misused by the various content, commerce, and online service providers they interact with every day. But publishers have a front-row seat to the drama as it all unfolds – and an added layer of responsibility, given the direct relationship between users and their content.

With the General Data Protection Regulation (GDPR) in effect and with a look ahead to the California Consumer Privacy Act (CCPA), it’s important for publishers to consider a potential consumer trust issue of their own: what third-party partners and vendors are doing with their data.

You’re Only as Safe as Your Partners Are

To be clear, many publishers have already stepped up their privacy game. Whether it’s to stay compliant with new regulations or actively regain public trust, legacy and digital-first publishers have raised the bar on internal privacy standards, moved toward restricting access to their user data, and worked to secure their systems against breaches and attacks.

Unfortunately, implementing these changes alone is not enough. Not when publishers rely on a host of third-party partners to help keep everything – from video players, to content personalization tools, to programmatic ad deals – functioning effectively.

Each of these partners has its own approach to data collection and usage that needs to be added to the publisher’s overall privacy equation.

Since cutting ties with all third parties isn’t exactly a simple (or realistic) solution for most publishers, partnering with service providers on a privacy action plan – one with overarching standards, but with enough modularity to work across multiple vendors – is a straightforward way to help eliminate that risk.

1. Standardize the Vendor Selection Process

Keeping consumer data sacred starts with being highly selective about whom you work with. Rather than asking ad-hoc privacy and data usage questions, develop standardized questionnaires as part of your vendor selection process. Ask prospective partners pointed questions such as:

  • What data will you collect from us?
  • What is the purpose for collecting this data?
  • What controls and safeguards do you have in place to ensure data is handled properly?
  • Will you share our data with other third parties? If so, with whom and why?

Furthermore, only work with vendors that have received industry certifications from trusted third-party auditors. And of course, put a process in place to revisit each vendor’s data management approach on an annual basis and as regulations change.

2. Get Technical and Business Leaders on the Same Page

Obviously, technical subject matter experts such as the CTO and CPO, and regulatory experts like Legal should play a significant role in managing vendors’ data privacy compliance. But the responsibility shouldn’t stop there. Protecting user data and preventing leakage requires input from key stakeholders in disciplines like sales, marketing, and even platform support.

Business leaders often own the day-to-day relationship with the vendor, and thus have an on-the-ground perspective that the technical experts may not. As a result, they can be more aware of the intricacies of the relationship than the technical experts alone.

Similarly, platform support and sales leaders may have an understanding of site glitches that could be compromising user data, and examples of how, when, and why privacy shortcuts might have been taken in the past.

Privacy and trust are far too important to be relegated to technical leads only, so keep business leaders looped in from the beginning to ensure full coverage and alignment.

3. Plan and Communicate

Trust, of course, is built on communication.

Be transparent with customers about the partners you work with, the data they use, and how you’re working with partners to keep everyone’s data safe. Ideally, this info comes as part of a broader education campaign about how you’re putting customer privacy first in your data initiatives.

Meanwhile, the sheer volume of consumer data in play means that missteps are unfortunately inevitable. This makes having clear emergency protocols and plans for handling worst-case scenarios – including how to communicate details to customers – a critical step in the process.

Throughout these communications, be sure you’re conveying information in simple English, not technical jargon or legalese. To see how it’s done right, learn from some of the brands noted for doing it best.

Remember That You Don’t Need to Go at It Alone

Use trusted vendors as a resource for best practices and as trusted privacy guides. At a minimum, they’ll be able to help you better secure data through their own systems. They may also give you fresh perspectives on how to choose other vendors wisely, and can provide critical support in driving better data standards industry-wide.

With the right approach to partnerships, publishers can leverage vendors as allies (as opposed to bearing with them as potential risks) in the fight to win back customer trust.

2019 to 2022: The Evolution of Consumer Consent and How to Adapt

By opening a dialogue with audiences about data collection and processing, as well as empowering them to decide how their data is used, marketers and publishers can enhance their relationships with consumers.

Editor’s Note: While this piece was originally written for the publishing audience, privacy legislation and consumer consent are still very important topics for marketers to navigate.

The EU’s General Data Protection Regulation (GDPR) laid the foundation for privacy legislation in 2018. One of its key aims was to give consumers more control over their personal information and make users understand they have a choice when it comes to providing consent to data collection and processing.

In the US, initial responses to the GDPR ranged from criticism to pay walls or completely blocking EU visitors from accessing content. While many companies made sure their legal teams were up to speed with the newly introduced regulation, multiple factors are now making US publishers sit up and further address data privacy, associated regulations, and the importance of consumer consent.

Google’s €50 million fine — issued by French regulator CNIL, for lack of valid consent in ad personalization — was one of the first to grab attention. Fines for data breaches might not have been as frequent as some expected, but regulators have had time to build cases and more large fines are expected to come, according to The Wall Street Journal.

In addition, US states are working to implement their own regulations. California’s Privacy Act (CCPA) is due to come into force in January 2020, Vermont’s new legislation is already in place, and a consumer privacy bill has been proposed in New York. The exact requirements of each regulation may differ from the GDPR — the CCPA relies on the user opting out rather than opting in, whereas opt-in is expected as part of the New York Privacy bill development. There may even be a federal regulation requiring opt-in on the horizon, with privacy advocates such as Apple CEO Tim Cook, as well as members of the Federal Trade Commission, calling for a stricter national privacy law.

Collecting user consent may not yet be a legal obligation, but publishers are realizing that it makes good business sense as consumers demand more control over their personal data. According to GlobalWebIndex, more than 70% of US consumers say they are both more aware of, and more concerned about how companies use their information than they were 12 months ago, while less than half feel they are in control of their personal data online.

By opening a dialogue with audiences about data collection and processing, as well as empowering them to decide how their data is used, publishers can enhance their relationship with consumers. Demonstrating transparency and responsible data use builds trust, but also educates users via one-to-one communications about the necessity of data to their business models and the inherent value exchange.

Publishers that go beyond the one-size-fits-all approach to create meaningful consent experiences right now will reap the rewards in the long term. The next two years will be critical for consent and there are a number of practical considerations to take into account when implementing consent programs.

Ensure Usability

The consent interface is often the first point of contact between publisher and consumer, so care needs to be taken in its design and functionality. Consent requests need to achieve the perfect balance between giving the user the details they need to make an informed choice and not alienating them with complex jargon they won’t understand or unnecessarily disrupting their user experience – all while ensuring legal compliance. Consent requests should be highly explicit, giving users the power to opt in or out of data collection for specific purposes or by particular companies. Ideally, publishers should test a variety of messaging formats to deliver the best possible experience.

Execute Consent Seamlessly

Once a user submits their consent preferences, publishers need to make sure they are integrated across the advertising supply chain. The IAB released its Transparency and Consent Framework (TCF) as a tool to help publishers and other participants in the digital advertising ecosystem comply with their obligations. The updated second version of the TCF increases the importance of consent by enabling users to object to data collection under legitimate interest, an alternative legal basis for data processing. It’s also important that consent preferences can be communicated across non-IAB vendors.  

Apply Preferences Across Devices

With consumers frequently switching between laptops, smartphones and TVs to consume content, it is best practice for publishers to share choices across multiple devices. The ability to connect user preferences to an authenticated profile and apply these everywhere the user interacts with a publisher’s content saves the user from having to supply consent every time they log in through a different device. An authenticated profile is a tool that allows users to manage their preferences across site, browser, and devices, and allows publishers to collect consent signals based on identity rather than cookies.

Publishers in the US who aren’t yet legally obliged to implement a consent program might be hesitant, fearing it will be disruptive to their business or that they will lose advertising revenue if their audiences fail to give permission. However, they need to consider that across the EU, the publishers that experienced the least disruption were those that adapted early and gave themselves plenty of time to get the consent process right.

By 2021, with GDPR well established, the CCPA in force, and other regulations underway, consent will be a user expectation if not a legal obligation. Publishers should start implementing consent programs now to build trusting relationships with their audiences, increase transparency around data processes, and put themselves in a good position to deal with the regulatory changes ahead.

Data Privacy Policymaking: Words of Warning of Europe

Two weeks back, two hearings in Congress were held about a possible forthcoming new federal data privacy law for the United States. Some of the testimony included fascinating insight.

It’s been nearly nine months since the European Union’s (EU) General Data Protection Regulation (GDPR) took effect with its tentacle effects worldwide – and it is helpful to look at what has transpired, and to avoid making GDPR’s mistakes. That’s what one of the witnesses, Roslyn Layton, visiting scholar, American Enterprise Institute, had to say to the House Committee on Energy and Commerce, Subcommittee on Consumer Protection and Commerce, in her statement titled “How the US Can Leapfrog the EU.”

GDPR’s Early Impacts Are Foreboding

From Dr. Layton’s testimony, I found these excerpts (footnotes removed) to be particularly insightful – and somewhat frightful, though some of it predictable. She examined GDPR’s early deleterious effects which we, in the United States and elsewhere, would be wise to reject:

GDPR Is Not About Privacy: It’s About Data Flows

“A popular misconception about the GDPR is that it protects privacy; it does not. In fact, the word ‘privacy’ does not even appear in the final text of the GDPR, except in a footnote. Rather, the GDPR is about data protection or, more correctly, data governance. Data privacy is about the use of data by people who are allowed to have it. Data protection, on the other hand, refers to technical systems that keep data out of the hands of people who should not have it. By its very name, the GDPR regulates the processing of personal data, not privacy.”

GDPR Has Only Concentrated Big Digital Since Taking Effect

“To analyze a policy like the GDPR, we must set aside the political pronouncements and evaluate its real-world effects. Since the implementation of the GDPR, Google, Facebook and Amazon have increased their market share in the EU.”

GDPR Has Decimated Small- and Mid-Sized Ad Tech

“One study suggests that small- and medium-sized ad tech competitors have lost up to one-third of their market position since the GDPR took effect. The GDPR does not bode well for cutting-edge firms, as scientists describe it as fundamentally incompatible with artificial intelligence and big data. This is indeed a perverse outcome for a regulation that promised to level the playing field.”

GDPR Raises Costs, Prohibitively Acting as a Trade Barrier

“To do business in the EU today, the average firm of 500 employees must spend about $3 million to comply with the GDPR. Thousands of US firms have decided it is not worthwhile and have exited. No longer visible in the EU are the Chicago Tribune and the hundreds of outlets from Tribune Publishing. This is concerning because the EU is the destination of about two-thirds of America’s exports of digital media, goods and services. Indeed, the GDPR can be examined as a trade barrier to keep small American firms out so that small European firms can get a foothold.”

GDPR Denies Valuable Content to European Citizens

“Of course, $3 million, or even $300 million, is nothing for Google, Facebook and Amazon (The Fortune 500 firms have reportedly earmarked $8 billion for GDPR upgrades.), but it would bankrupt many online enterprises in the US. Indeed, less than half of eligible firms are fully compliant with the GDPR; one-fifth say that full compliance is impossible. The direct welfare loss is estimated to be about €260 per European citizen.”

What if the US Enacted GDPR Here … Oh, the Costs

“If a similar regulation were enacted in the US, total GDPR compliance costs for US firms alone would reach $150 billion; twice what the US spends on broadband network investment and one-third of annual e-commerce revenue in the US.”

Dr. Layton, in her testimony, also questioned the California Consumer Privacy Act, which may create even more enterprise requirements than GDPR. She suggested more pragmatic paths need to be forged.

A Better Way: Privacy by Design

“Ideally, we need a technologically neutral national framework with a consistent application across enterprises. It should support consumers’ expectations to have the same protections on all online entities. The law should make distinctions between personally identifiable information which deserves protection, but not require the same high standard for public data, de-identified, and anonymized data which do not carry the same risks. Unlike the GDPR, the US policy should not make it more expensive to do business, reduce consumer freedom or inhibit innovation.”

Data ‘Seat Belts and Air Bags’ for Privacy

In a second hearing, before the Senate Committee on Commerce, Science and Transportation, Interactive Advertising Bureau (IAB) CEO Randall Rothenberg provided a spirited statement of data’s role in the U.S. economy and the benefits that continue to accrue. He, too, drew from another industry’s history which he believes offers a helpful analogy and cooperative blueprint:

IAB CEO Randall Rothenberg | Credit: Photo: Chet Dalzell

Internet’s Profound Communication Power

“The Internet is perhaps the most powerful and empowering mode of communication and commerce ever invented. It is built on the exchange of data between individuals’ browsers and devices, and myriad server computers operated by hundreds of millions of businesses, educational institutions, governments, NGOs, and other individuals around the world.”

Advertising’s Essential Role Online: Much of It Data-Driven

Advertising has served an essential role in the growth and sustainability of the digital ecosystem, almost from the moment the first Internet browsers were released to the public in the 1990s. In the decades since, data-driven advertising has powered the growth of e-commerce, the digital news industry, digital entertainment, and a burgeoning consumer-brand revolution by funding innovative tools and services for consumers and businesses to connect, communicate and trade.

The Indispensable Ingredient: Trust

“Central to companies’ data-fueled growth is trust. As in any relationship, from love to commerce, trust underlies the willingness of parties to exchange information with each other; and thus, their ability to create greater value for each other. The equation is simple: The economy depends on the Internet; the Internet runs on data; data requires trust. IAB strongly believes that legislative and regulatory mechanisms can be deployed in ways that will reinforce and enhance trust in the Internet ecosystem.”

Universal Truth: Consumer Data Is Good

“We recommend Congress start with a premise that for most of American history was self-evident, but today seems almost revolutionary: consumer data is a good thing. It is the raw material of such essential activities as epidemiology, journalism, marketing, business development, and every social science you can name.

The Auto Industry Offers Us a Proactive Model

“We believe our goals align with the Congress’ decision to take a proactive position on data privacy, rather than the reactive approach that has been adopted by Europe and some states. We believe we can work together as partners in this effort with you to advance consumer privacy. Our model is the partnership between government and industry that created the modern concept of automotive safety in the 1960s. Yes, the partnership began as a shotgun wedding. Yes, the auto industry resisted at first. But an undeniable consumer right to be safe on the highways met well-researched solutions, which the Congress embedded in well-crafted laws that were supported by the states.

Auto Safety and Digital Wellness

“The result has been millions of lives and billions of dollars saved. We believe the analogy holds well here. Americans have a right to be secure on the information superhighway. Well-researched solutions and well-crafted laws can assure their ‘digital wellness.’ We should be thorough, practical and collaborative. Our goal should be to find the three or five or 10 practices and mechanisms – the seat belts and air bags of the Internet era – that companies can implement and consumers can easily adopt that will reinforce privacy, security and trust.”

Notice and Choice Bombardment, or Predictable Rules of the Road

“Together, based on our members’ experience, we can achieve this new paradigm by developing a federal privacy law that, instead of bombarding consumers with notices and choices, comprehensively provides clear, even-handed, consistent and predictable rules of the road that consumers, businesses and law enforcers can rely upon.

One Federal Standard in Harmony

“Without a consistent, preemptive federal privacy standard, the patchwork of state privacy laws will create consumer confusion, present significant challenges for businesses trying to comply with these laws, and ultimately fall short of consumers’ expectations about their digital privacy. We ask the Congress to harmonize privacy protections across the country through preemptive legislation that provides meaningful protections for consumers while allowing digital innovation to continue apace.”

It is worth reading the testimonies of the privacy advocates present at these two hearings, as well. These GDPR fans have many sympathetic voices in the media and Congress, and truly need to be part of any conversation where consensus ought to be built. It is my hope the right federal legislation will result. The early evidence from Europe, where advocates won over reason, portends the punitive risks of getting it wrong.

New Privacy Regulations Coming Your Way: California Consumer Privacy Act (CCPA)

Editor’s Note: While this piece is directed at publishers, CCPA also will be something marketers will have to be compliant with, just like GDPR.

Have you recovered from last spring’s GDPR adrenaline rush yet? Everybody in publishing was nervous about finding the right way to comply with new European privacy regulations. It did not seem like there was one clear path to compliance.

As much anxiety as GDPR regulations provoked, that may soon look like the good old days. At least in the EU, 27 countries came together with one edict. They also spent the time necessary to be smart and coherent, whether or not you agree with all the details.

Now California has passed a privacy initiative you will be expected to follow starting Jan. 1, 2020. In many industries, as goes California law, so go U.S. standards. This will be, in practice, a new national standard. California is too dominant a market, larger than most countries on the globe. Add to that a quirk in the drafting of the law, which says you must treat anyone who has left California and intends to return as a Californian. What?

Newly minted California Governor Gavin Newsom hailed the “first-in-the-nation digital privacy law” in his first State of the State address, according to reporting by Wendy Davis in MediaPost. “Companies that make … billions of dollars collecting, curating, monetizing our personal data also have a duty to protect it. Consumers have the right to know and control how their data is being used.”

CCPA Is Not Like GDPR

“The California law was written in five days, and really shows,” says Christopher Mohr, VP of intellectual property and general counsel at SIIA. “It is an extraordinarily complicated and poorly written statute.” Adding insult to injury, it is grammatically inconsistent and difficult to understand. I can’t imagine what compelled them to rush such important legislation through. It sounds irresponsible when you consider the EU worked on GDPR for more than three years.

“This is not the same as GDPR — it’s much broader.” Not a statement the already GDPR-fearing publishing industry wants to hear. Mohr continues, “In GDPR the information is tied to a data subject, for example, an individual. The CCPA covers ‘households’ as well as individuals. In addition, the CCPA’s potential ban on the use of information extends not only to the information but to the ‘inferences’ you might draw from it.” Inferences? Yikes! The law goes on to explain what is meant, but the idea of inferring conclusions sounds ripe for misinterpretation to me.

The main goal of the law is to regulate the collection and sale of personally-identifiable (PI) consumer data to third parties and service providers. You do not need to get paid for the data. If you disclose it to another party, it is considered a transaction. Using outside vendors to help manage your data is not a problem, because you are the controlling party.

Everyone will now have the “right to delete.” I asked Mohr to confirm that means deleting people from your database, not from your articles. “That’s the intent, I think. Whether the words match the intent is a completely different issue, and it’s not as clear as it could be. Personal information covers any information that could be associated with an individual.”

Anyone can tell you to cease disclosing their data to others; and you must comply. You cannot deny goods or services to anyone because of their data opt-out. That becomes the new Catch-22: In order to know you are not supposed to have data on an individual, you must have that individual in your database. And since it is likely you must have data on an individual in order to do business with him or her, how do you conduct business with data exceptions? For those rare European GDPR complainants, admittedly some American publishers will simply delete; good-bye. In the Hotel California, “you can check out any time you like, but you can never leave.”

Preventing a Privacy Tower of Babel

Fortunately, enforcement is by state attorney general, not by individuals. In other words, thank God this is not an invitation to everyone in California to sue. Of course this law will be challenged in court. It may be too vague, according to some. It may be discriminatory, since non-profits (and government agencies) can ignore it and do what they want, the way it is written.

Living in this hyper-intrusive world, it’s hard to disagree with the intent of CCPA since we are all being personally data mined. But play this out. Imagine what mischief the other 49 states can do. Davis reports, Washington state “lawmakers are considering a bill that would not only give consumers the right to learn what data is collected about them, but would also allow them to prevent their personal data to be used for ad targeting.”

Federal legislation is coming on this after the recent grillings on Capitol Hill of some of the leading big-tech luminaries. Typically federal legislation trumps local law, which is what makes interstate commerce work. Hopefully there will be one law of the land, so any company handling data can maintain sanity versus bowing to every state, city, or county passing a law. But in these Alice in Wonderland times we are in, I will leave that speculation to you.

You have complied with GDPR, so that means you now have a DPO (data protection officer). The CCPA gives your DPO a little more to do.

I’m no lawyer, so I’ll provide the usual disclaimer on all the above. On the other hand, I am a member of and advocate for the Specialized Information Publishers Association, part of SIIA, whose general counsel Chris Mohr was invaluable in enabling me to share an understanding of this law. I believe it makes great sense to occasionally be involved with your peers and work on common problems like privacy laws. As a member of SIPA or Connectiv, you won’t need to call your lawyer every time there is a question about the new privacy landscape. You can take advantage of knowledgeable experts in your corner.

Do I have you pining for the muddy clarity of GDPR yet?