A Map or a Matrix? Identity Management Is More Complex By the Day

A newly published white paper on how advertisers and brands can recognize unique customers across marketing platforms underscores just how tough this important job is for data-driven marketers.

As technologists and policymakers weigh in themselves on the data universe – often without understanding the full ramifications of what they do (or worse, knowing so but proceeding anyway) – data flows on the Internet and on mobile platforms are being dammed, diverted, denuded, and divided.

In my opinion, these developments are not decidedly good for advertising – which relies on such data to deliver relevance in messaging, as well as attribution and measurement. There is a troubling anti-competition mood in the air. It needs to be reckoned with.

Consider these recent developments:

  • Last week, the European Court of Justice rendered a decision that overturned “Privacy Shield” – the safe harbor program that upward of 5,000 companies rely upon to move data securely between the European Union and the United States. Perhaps we can blame U.S. government surveillance practices made known by Edward Snowden, but the impact will undermine hugely practical, beneficial, and benign uses of data – including for such laudable aims as identity management, and associated advertising and marketing uses.
  • Apple announced it will mandate an “opt-in” for mobile identification data used for advertising and marketing beginning with iOS 14. Apple may report this is about privacy, but it is also a business decision to keep Apple user data from other large digital companies. How can effective cross-app advertising survive (and be measured) when opt-in rates are tiny? What about the long-tail and diversity of content that such advertising finances?
  • Google’s announcement that it plans to cease third-party cookies – as Safari and Mozilla have already done – in two years’ time (six months and ticking) is another erosion on data monetization used for advertising. At least Google is making a full-on attempt to work with industry stakeholders (Privacy Sandbox) to replace cookies with something else yet to be formulated. All the same, ad tech is getting nervous.
  • California’s Attorney General – in promulgating regulation in conjunction with the enforcement of the California Consumer Privacy Act (in itself an upset of a uniform national market for data flows, and an undermining of interstate commerce) – came forth with a new obligation that is absent from the law, but asked for by privacy advocates: Companies will be required to honor a browser’s global default signals for data collection used for advertising, potentially interfering with a consumer’s own choice in the matter. It’s the Do Not Track debate all over again, with a decision by fiat.

These external realities for identity are only part of the complexity. Mind you, I haven’t even explored here the volume, variety, and velocity of data that make data collection, integration, analysis, and application by advertisers both vital and difficult to do. As consumers engage with brands on a seemingly ever-widening number of media channels and data platforms, there’s nothing simple about it. No wonder Scott Brinker’s Mar Tech artwork is becoming more and more an exercise in pointillism.

Searching for a Post-Cookie Blueprint

So it is in this flurry (or fury) of policy developments that the Winterberry Group issued its most recent paper, “Identity Outlook 2020: The Evolution of Identity in a Privacy-First, Post-Cookie World.”

Its authors take a more positive view of recent trends – reflecting perhaps a resolve that the private sector will seize the moment:

“We believe that regulation and cookie deprecation are a positive for the future health and next stage of growth for the advertising and marketing industry as they are appropriate catalysts for change in an increasingly privacy-aware consumer environment,” write authors Bruce Biegel, Charles Ping, and Michael Harrison, all of whom are with the Winterberry Group.

The researchers report five emerging identity management processes, each with its own regulatory risk. Brands may pursue any one or combination of these methodologies:

  • “A proprietary ID based on authenticated first-party data where the brand or media owner has established a unique ID for use on their owned properties and for matching with partners either directly or through privacy safe environments (e.g.: Facebook, Google, Amazon).
  • “A common ID based on a first-party data match to a PII- [personally identifiable information] based reference data set in order to enable scale across media providers while maintaining high levels of accuracy.
  • “A common ID based on a first-party data match to a third-party, PII-based reference data set in order to enable scale across media providers while maintaining high levels of accuracy; leverages a deterministic approach, with probabilistic matching to increase reach.
  • “A second-party data environment based on clean environments with anonymous ID linking to allow privacy safe data partnerships to be created.
  • “A household ID based on IP address and geographic match.”

The authors offer a chart that highlights some of the regulatory risks with each approach.

“As a result of the diversity of requirements across the three ecosystems (personalization, programmatic and ATV [advanced television]) the conclusion that Winterberry Group draws from the market is that multiple identity solutions will be required and continue to evolve in parallel. To achieve the goals of consumer engagement and customer acquisition marketers will seek to apply a blend of approaches based on the availability of privacy-compliant identifiers and the suitability of the approach for specific channels and touchpoints.”

A blend of approaches? Looks like I’ll need a navigator as well as the map. As one of the six key takeaways, the report authors write:

“Talent gaps, not tech gaps: One of the issues holding the market back is the lack of focus in the brand/agency model that is dedicated to understanding the variety of privacy-compliant identity options. We expect that the increased market complexity in identity will require Chief Data Officers to expand their roles and place themselves at the center of efforts to reduce the media silos that separate paid, earned and owned use cases. The development of talent that overlaps marketing/advertising strategy, data/data science and data privacy will be more critical in the post-cookie, privacy-regulated market than ever before.”

There’s much more in the research to explore than one blog post – so do your data prowess a favor and download the full report here.

And let’s keep the competition concerns open and continuing. There’s more at stake here than simply a broken customer identity or the receipt of an irrelevant ad.

Europe’s Forthcoming Data ‘Freeze’ and Why We Need to Care

There was a modicum of good news recently when the U.S. Department of Commerce’s “Privacy Shield” program was given a passing grade by the European Union, enabling private-sector cross-border data flows on European citizens between the U.S. and Europe. Thousands of U.S. companies participate in Privacy Shield. They rely on the program to help responsibly collect, process and transfer information for more relevant advertising, human resources, and other commercial and operational purposes. (It applies to charities, too.)

European policymakers are transfixed with setting personal information controls on the private sector, and — beginning May 2018 — will give their citizens “default” power to shut down all such data usage for advertising purposes unless consumers provide affirmative consent. It’s called the General Data Protection Regulation (GDPR) and its companion ePrivacy Regulation.

In the U.S., much digital information about consumer devices and browsers — such as their browsing history and app usage — is painstakingly “anonymized” by companies according to industry-wide self-regulatory codes. [Disclosure: One of my clients is the Digital Advertising Alliance.] Sweat equity through independent accountability programs safeguards such data from being used without proper consumer notice (transparency) and opportunity to exercise control through an easy-to-find, easy-to-use “opt-out.” However, in Europe, any digital information that “could” be used to re-identify an individual — even if anonymized from a U.S. perspective, such as an IP address — is considered personal by definition. Affirmative consent — most likely an “opt-in,” though “consent” details are yet to be articulated — will hold sway. Common U.S. notice-and-opt-out regimens won’t suffice.

Imagine all the responsible data flows — even those clearly beneficial to consumers and the global economy — that will simply stop May 25, 2018, in Europe because of a hugely stricter consent mandate. American companies can only watch and wait to see who may be called out by EU data protection authorities, eager to fine a company up to 4 percent of its global returns, as provided for in the law.

Good policy? Or good politics? In reality, EU lawmakers are asking their citizens to pay a huge price. And that’s not my opinion as an American — it’s a fact in a Europe-born study. Look at what’s at stake:

  • €535 billion of the European Union economy benefits directly and indirectly from digital advertising;
  • 66 percent of digital ad spend depends on data, and 90 percent of digital advertising growth depends on data;
  • Ad units tied to data are 300 percent more valuable than standard run-of-network ads (because they are more effective).

That’s part of the economic argument. But there are social and political ramifications, too.

  • Much like U.S. consumers, Europeans prefer data-supported ads to paying for content — eight in 10 report such a preference;
  • Fully 68 percent say they would never pay for online content or use services such as email if they had to pay for it;
  • And 92 percent would stop using their favorite site or app if they had to pay for it;
  • Even 42 percent are “happy” to see data used to deliver personalized ads.

European businesses, agencies and publishers have gone so far as to press policymakers that their respective countries’ own democratic and economic health is at stake — inherent in the power of data used in advertising:

  • Up to 50 percent of advertising growth will simply disappear if data cannot be used to make more relevant ads;
  • 70 percent of European citizens would abandon the Internet for news if they had to pay to replace the news content financed by digital advertising;
  • Internet usage would crash by 88 percent if EU citizens were forced to pay for online content and services;
  • And what of competition, diversity of content and innovation? The impact on small, independent publishers would be five times more pronounced than the impact on large media companies.

Yes, American companies are in the cross-hairs once GDPR and ePrivacy take some combination of enforcement effect next May — perhaps bad policy for seemingly good politics. Yet Europeans themselves are challenging such an objective — overreaching data controls punish consumers, employers and even democracies.

That’s a mindful lesson for all of us.

The ‘Privacy Shield’ Is Here — How It Affects You

There’s a new framework for creating greater data privacy between the United States and the European Union. While it’s taken two years of work, some would argue little has changed and that it’s likely to get struck down — others laud the progress. Let’s get clarity on what that means for businesses leveraging data “across the pond.”

Transatlantic Data Privacy Is Dead. Long Live Transatlantic Data Privacy.

First there was Safe Harbor, the European Union-United States agreement to protect data privacy of users in Europe as that data pulsed across the Internet and into the United States. It was arguably a historic step, but it ultimately was struck down and eliminated. Many questioned its value beyond being “a step.” It has now been replaced by the “EU-U.S. Privacy Shield,” which imposes greater obligations on U.S. businesses to protect Europeans’ personal data.

The Privacy Shield Agreement establishes a whole new set of legal requirements by the E.C.J., the European Court of Justice, which also ruled the previous Safe Harbor framework invalid.

What Is the Privacy Shield?

First and foremost, the Privacy Shield is opt-in. If your business doesn’t opt in, you don’t have to abide by it. The downside: you won’t be published on the “list” of Privacy Shield-compliant companies. European consumers could refuse to do business with you, and it could become a media problem, though the average consumer probably doesn’t know the ins and outs of data privacy. So its success will, in part, rely on its adoption. If it is not adopted widely, we can expect additional regulations to compel organizations exporting data from the E.U. to meet the objectives of the Privacy Shield.

Most importantly, however, the Privacy Shield includes, for the first time, written commitments and assurance regarding access to data by public authorities. For the first time, the United States has given written assurances that it will not conduct mass surveillance of data entering the U.S.

The new Privacy Shield agreement requires the U.S. to “monitor and enforce” more aggressively. Also, new and greater collaboration with the E.D.P.A., the European Data Protection Authorities, is required by the United States.

The goals of both the original Safe Harbor Agreement and the new Privacy Shield are quite similar. Businesses must treat data created in the E.U. in accordance with E.U. law, regardless of whether that data is physically stored on a server in New York or Paris.

So how do companies accomplish this? The answer is by basically stating “yes, we meet the E.U. standards.” So not much has changed between Safe Harbor and Privacy Shield here.

How Do the Safeguards in the Privacy Shield Work?

However, new safeguards help ensure that both companies and governments abide by the Privacy Shield’s requirements:

  • The first difference is a real one … it now falls on the shoulders of the U.S. Department of Commerce to make sure that companies meet the more stringent data privacy requirements. The Department of Commerce will monitor whether companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Second, if your data originates from the European Union ― and you don’t have to be a European (the U.K. is still covered post “Brexit”) ― you can complain if you feel your privacy rights were violated. Those complaints will now be sent to the U.S. and must be addressed “expeditiously” and at “no cost to the individual.”
  • In the agreement, the United States “ruled out indiscriminate mass surveillance on personal data transferred to the U.S.” Furthermore, the U.S. promises in writing that mass collection of data originating from the E.U. will “only be used under specific pre-conditions and needs to be as targeted and focused as possible.”
  • An ombudsperson will now handle complaints about data that is accessed on “national security grounds” — they are tasked with working independently of all other federal security agencies, which is a significant commitment for the United States, given our recent history and experiences under the Patriot Act.

Implementation for U.S. Firms in Simple Terms

At this juncture there are still details being worked out in the Privacy Shield Framework, but the following are fairly clear steps:

  • Self-certify annually that you meet the requirements.
  • Display your privacy policy on your website.
  • Reply promptly to any complaints.

Some might call all this common sense; some may call it nonsense. But data privacy is an issue that we have to give credit for addressing, along with leveraging the learnings from the judgment that struck down Safe Harbor.

We recommend businesses leveraging personal data, whether exporting from the E.U. or solely using it domestically, exercise some simple, common-sense steps that are consistent with the Privacy Shield:

  • Publish a privacy policy.
  • Listen to your customer.
  • Have a clear and simple statement on how you will use consumer data – and how you won’t.

These simple steps can get you started; and for sure, there will be more to come in regard to data privacy.