A Map or a Matrix? Identity Management Is More Complex By the Day

A newly published white paper on how advertisers and brands can recognize unique customers across marketing platforms underscores just how tough this important job is for data-driven marketers.

As technologists and policymakers weigh in themselves on the data universe – often without understanding the full ramifications of what they do (or worse, knowing so but proceeding anyway) – data flows on the Internet and on mobile platforms are being dammed, diverted, denuded, and divided.

In my opinion, these developments are not decidedly good for advertising – which relies on such data to deliver relevance in messaging, as well as attribution and measurement. There is a troubling anti-competition mood in the air. It needs to be reckoned with.

Consider these recent developments:

  • Last week, the European Court of Justice rendered a decision that overturned “Privacy Shield” – the safe harbor program that upward of 5,000 companies rely upon to move data securely between the European Union and the United States. Perhaps we can blame U.S. government surveillance practices made known by Edward Snowden, but the impact will undermine hugely practical, beneficial, and benign uses of data – including for such laudable aims as identity management, and associated advertising and marketing uses.
  • Apple announced it will mandate an “opt-in” for mobile identification data used for advertising and marketing beginning with iOS 14. Apple may report this is about privacy, but it is also a business decision to keep Apple user data from other large digital companies. How can effective cross-app advertising survive (and be measured) when opt-in rates are tiny? What about the long-tail and diversity of content that such advertising finances?
  • Google’s announcement that it plans to cease third-party cookies – as Safari and Mozilla have already done – in two years’ time (six months and ticking) is another erosion on data monetization used for advertising. At least Google is making a full-on attempt to work with industry stakeholders (Privacy Sandbox) to replace cookies with something else yet to be formulated. All the same, ad tech is getting nervous.
  • California’s Attorney General – in promulgating regulation in conjunction with the enforcement of the California Consumer Privacy Act (in itself an upset of a uniform national market for data flows, and an undermining of interstate commerce) – came forth with a new obligation that is absent from the law, but asked for by privacy advocates: Companies will be required to honor a browser’s global default signals for data collection used for advertising, potentially interfering with a consumer’s own choice in the matter. It’s the Do Not Track debate all over again, with a decision by fiat.

These external realities for identity are only part of the complexity. Mind you, I haven’t even explored here the volume, variety, and velocity of data that make data collection, integration, analysis, and application by advertisers both vital and difficult to do. As consumers engage with brands on a seemingly ever-widening number of media channels and data platforms, there’s nothing simple about it. No wonder Scott Brinker’s Mar Tech artwork is becoming more and more an exercise in pointillism.

Searching for a Post-Cookie Blueprint

So it is in this flurry (or fury) of policy developments that the Winterberry Group issued its most recent paper, “Identity Outlook 2020: The Evolution of Identity in a Privacy-First, Post-Cookie World.”

Its authors take a more positive view of recent trends – reflecting perhaps a resolve that the private sector will seize the moment:

“We believe that regulation and cookie deprecation are a positive for the future health and next stage of growth for the advertising and marketing industry as they are appropriate catalysts for change in an increasingly privacy-aware consumer environment,” write authors Bruce Biegel, Charles Ping, and Michael Harrison, all of whom are with the Winterberry Group.

The researchers report five emerging identity management processes, each with its own regulatory risk. Brands may pursue any one or combination of these methodologies:

  • “A proprietary ID based on authenticated first-party data where the brand or media owner has established a unique ID for use on their owned properties and for matching with partners either directly or through privacy safe environments (e.g.: Facebook, Google, Amazon).
  • “A common ID based on a first-party data match to a PII- [personally identifiable information] based reference data set in order to enable scale across media providers while maintaining high levels of accuracy.
  • “A common ID based on a first-party data match to a third-party, PII-based reference data set in order to enable scale across media providers while maintaining high levels of accuracy; leverages a deterministic approach, with probabilistic matching to increase reach.
  • “A second-party data environment based on clean environments with anonymous ID linking to allow privacy safe data partnerships to be created.
  • “A household ID based on IP address and geographic match.”

The authors offer a chart that highlights some of the regulatory risks with each approach.

“As a result of the diversity of requirements across the three ecosystems (personalization, programmatic and ATV [advanced television]) the conclusion that Winterberry Group draws from the market is that multiple identity solutions will be required and continue to evolve in parallel. To achieve the goals of consumer engagement and customer acquisition marketers will seek to apply a blend of approaches based on the availability of privacy-compliant identifiers and the suitability of the approach for specific channels and touchpoints.”

A blend of approaches? Looks like I’ll need a navigator as well as the map. As one of the six key takeaways, the report authors write:

“Talent gaps, not tech gaps: One of the issues holding the market back is the lack of focus in the brand/agency model that is dedicated to understanding the variety of privacy-compliant identity options. We expect that the increased market complexity in identity will require Chief Data Officers to expand their roles and place themselves at the center of efforts to reduce the media silos that separate paid, earned and owned use cases. The development of talent that overlaps marketing/advertising strategy, data/data science and data privacy will be more critical in the post-cookie, privacy-regulated market than ever before.”

There’s much more in the research to explore than one blog post – so do your data prowess a favor and download the full report here.

And let’s keep the competition concerns open and continuing. There’s more at stake here than simply a broken customer identity or the receipt of an irrelevant ad.

As Amped-Up Ad, Data Privacy Laws Near, Self-Regulated Programs Matter More

As we prepare ourselves for federal (and state) legislation around privacy and advertising, it’s worth taking account of our own industry’s self-regulated programs — both those here at home and worldwide.

As we prepare ourselves for federal (and state) legislation around privacy and advertising, it’s worth taking account of our own industry’s self-regulated programs — both those here at home and worldwide.

Why? Because even in an age of regulation, self-regulation — and adherence to self-regulatory principles and ethics codes of business conduct — matter. One might argue that legal compliance in industry is good enough, but business reputations, brand equity and consumer trust are built on sterner stuff.

Having a code of conduct is exemplary in itself, but I’d like to address a vital component of such codes: enforcement.

Self-Regulated programs
Transparency & Accountability in Advertising Self-Regulation Matter Greatly. | Credit: Chet Dalzell

Credibility in Codes Requires Peer Review & Accountability

Behind the scenes, every day, there are dozens of professionals in our field who serve — as volunteers and as paid professionals — to monitor the ethical practice of advertisers, who devise and update the codes we adhere to, who educate companies that proactively reach out to them, who work with companies and brands that go astray to resolution, and who enforce and refer non-compliant companies to government agencies, when necessary.

They may take complaints directly from consumers, competitors and industry observers. They may employ technologies and their own eyes and ears to monitor the marketplace. They may meet regularly as volunteers as a jury to deliberate on any need for corrective action. And, usually, they have a “contact us, before we contact you” operations effect: brands and businesses can proactively ask ethics programs questions about the “right” way (by the consumer) to execute a marketing practice, so it doesn’t prompt a formal query after a mistake is made after the fact.

Importantly, credibility depends, too, on reporting publicly on outcomes — potentially to “name and shame,” but most often to work cooperatively with businesses and to serve as an industry education vehicle in the reporting of correction and the resolution process. Generally, “punitive” is when a non-cooperative company is referred to a government agency for further action. Government agencies, for their part, tend to wholeheartedly welcome any effective effort to keep the marketplace aligned with the consumer. It helps when brands and consumer interests are in sync.

Accountability Programs Deserve Our Industry’s Expertise & Ongoing Financial Support

All told, these important players in our field serve us well, even as we face what might be referred to as co-regulation (government regulation on top of self-regulation). While any potential business mishap — for example, in the handling of consumer data or the questionable content of an ad — has its own set of facts and ramifications, a demonstration of good-faith efforts to adhere to ethical business practices might be seen as a mitigating factor, even as a brand finds itself needing to take a corrective action.

Agility, flexibility and responsiveness … these are all attributes of successful self-regulation — as well as successful accountability. Effective self-regulation serves to keep pace with innovations in our field, and “point the way” for other companies, as issues arise. (The rigidity of laws rarely can accommodate such innovations.)

While industry professionals may serve as volunteers on juries and review panels — it can be fascinating to serve on such panels — there is almost always an infrastructure of programs and staffs underpinning self-regulation success. Trade associations may finance some of these efforts with membership dollars — but usually businesses can lend their own resources directly, too. It’s great to have a seat at the table.

Marketing Ethics & Self-Regulation Programs — A Partial Listing

In all likelihood, there are potentially many more codes of conduct — particularly in vertical fields (pharma, travel, non-profit, retail, etc.) — but here is a brief listing of advertising-related codes and programs that may be helpful to catalog, bookmark, research and support, with some of which I’ve had the honor to be associated:

Please feel free to use the Comments section to suggest others. And thank you to every volunteer and staff person who serves or has served in an industry accountability capacity. It makes a world of difference, with marketplace trust of advertising and advertisers being the ultimate goal.

The Sustainability of Consumer Trust

I refuse to jump on the privacy “scandal” bandwagon. It is rough listening in this week to certain lawmakers fail to recognize the absolute benefits accrued by consumers through the responsible collection and use of data for commerce, advertising and innovation. Yes, data handling requires stewardship — but that doesn’t mean “data” in and of itself — constitutes anything close to being a harm that needs to be regulate.

I refuse to jump on the privacy “scandal” bandwagon.

It is rough listening in this week to certain lawmakers fail to recognize the absolute benefits accrued by consumers through the responsible collection and use of data for commerce, advertising and innovation. Yes, data handling requires stewardship — but that doesn’t mean “data” in and of itself — constitutes anything close to being a harm that needs to be regulated, as if there were no rules already in place.

Whether or not I, as a voter, saw Russian-administered content online, in an alleged bid to stir up controversy and division among the American electorate, is an understandable concern. It should be investigated — because we need to isolate and diminish any and all “malicious” actors in our digital economy and democracy. Fraud, too, is a harm that must be isolated, identified and eradicated. You’ll have no debate from me here.

But let’s not conflate malicious actors with bona fide relevant advertising and content being presented to, and engaged by, consumers — a wholly beneficial outcome that public policy must acknowledge. Data, commerce and advertising are not dirty words — they are engines for job growth, innovation and — yes, even government revenue through taxes. Ads finance content freely available and useful to consumers and other businesses — and pay for journalism, too, and a diversity of content on the Net.

But all of this responsible data collection and use are useless if there is no consumer trust.

I argue that the U.S. approach to data regulation — legal restriction where sensitive personal information is collected, transferred and applied through sector-specific laws concerning health data, certain government IDs, personal finance, children’s data and credit — and where Fair Information Principles are applied for other data categories that do not have such propensity for harm. Consumers are extremely well-served by this regimen. It is far more harmful to have a breach of credit data, for example, than to have business entities share consumers’ advertising profiles in non-sensitive categories — the latter data use being wholly beneficial. U.S. data protections thus are wisely targeted and measured.

Ads pay the freight — and the economy grows as a direct result. Better for an ad to be relevant to an audience. I believe this is superior (at least for Americans) than other highly prescriptive regimes (read, Europe) that make little distinctions between data categories and require “opt-in” permissions for any and all types of data sharing, including that related to advertising and marketing. If consumers are inundated with opt-in requests for less sensitive types of data use, even for categories of use where they directly benefit, then inertia and fatigue will prevail and useful data flows won’t happen. I’m hoping businesses handling European citizen data will find ways to prove me wrong!

Is the motivation of such draconian restrictions in Europe really privacy protection as a fundamental human right? Or is it somehow questioning commerce, competition, diversity, trade and innovation, and other important social aims financed by advertising — all sacrificed on the altar of permission? Yes, consumer control should be a default with ad data — but affirmative consent should be reserved for data categories where the propensity for harm is real. This point of view, in Europe at least, is rhetorical — because the law is the law. And as of May 25, the General Data Protection Regulation is enforceable on all global entities touching EU citizen data. God Save the Queen and her data subjects, and perhaps all of us.

At a recent privacy conference, one of the primary architects of the European Union’s ePrivacy Regulation (a follow-up to GDPR) said, “What we are aiming at is to abolish surveillance-driven advertising.”

Surveillance-driven” advertising and “surveillance capitalism” — are Europe- and privacy-academic speak that seeks to link or conflate interest-based advertising with government surveillance of citizens. I mean, really? Ad tech may include companies not known to the consumer, and because brands enlist outside ad tech companies to help them make advertising inventory more relevant (and useful) to site and app users, and disclose such data sharing through enhanced notice mechanisms and privacy policies, somehow this still constitutes “surveillance” with all of its negative connotations. Let’s not forget that the intended result of these investments in consumer engagement is a more relevant ad, not a dossier!

We can see where some (important) heads may be motivated.

Back to the U.S.

Even something as innocuous as an ad served to a device — we have plenty of guidance for privacy rules of the road: Fair Information Practice Principles that are global, Data & Marketing Association Data Standards 2.0, Digital Advertising Alliance Principles and the YourAdChoices program (a client), IAB technical standards … and an active Federal Trade Commission (and other agencies, in certain data categories) overseeing the ecosystem, and enforcing privacy expectations — is both self-regulatory and legal.

The idea that the United States is a laissez-faire data free-for-all is pointedly not a correct assessment. In the digital world, we have 20-plus years of self-regulation, based on nearly 60 years of self-regulation offline. All of this premised on building and bolstering consumer trust. We have federal and state law in important data sectors. Through all of these decades, we’ve had an FTC minding the advertising/marketing store, growing the market, and — enforcing privacy and security of data through meaningful enforcement actions and consent decrees that serve as teaching tools to other businesses.

Instead of grandstanding and undermining years of hard-earned consumer trust, more policymakers — and perhaps industry leaders, too — should recognize how responsible data flows serve the consumer. Thus, they should back existing industry regimes that promote stewardship and governance — and hold us to it. Serving consumers, earning their trust, after all, is a shared goal by all responsible stakeholders.