Data compliance
Editor’s note: Dan Frechtling is CEO of advertising services firm Boltive, Seattle.
The advertising industry is in an unprecedented predicament: trillions of ad auctions are happening every day as industry regulations governing these transactions are increasing exponentially. How can brands keep up with the changes?
Due to the complexity of the situation, there’s no easy answer. But there are things you can do to protect your consumers’ privacy and your business. With the exit of third-party cookies and other regulatory shifts, making sure people don’t see ads is as important as making sure they do. The consequences of violating consent regulations are potentially serious, not only financially, but also for a brand's reputation.
What are the consequences of ad violations?
GDPR, for example, levies hefty fines: penalties for data mishandling in Q3 of 2021 reached $1B. In California, under CCPA, businesses have 30 days to fix compliance before issuing fines. California will introduce stricter rules in 2023 alongside laws from other states.
There is also potential for lost revenue. Violations are a bad look; misusing customers’ data can break their trust. They can also force you to shut down certain business operations or advertising accounts. Either way, your business will lose money.
A study by MIT and University College London shows that only 12% of content management platforms (CMPs) meet the legal minimum requirement for data compliance. Below are four ways to improve your processes.
1. Review your consent string.
GDPR requires advertisers to acquire explicit consent – a “yes” or “no” answer – to process, store and share consumers' online behavioral data for personalized ads. This includes retargeting and prospecting ads. The current solution being used by advertisers and publishers is a pop-up asking for this permission: if they accept, you have explicit permission. Unfortunately, getting that permission may not be enough. The answer the user clicks is put into a complex string of symbols passed along between media companies, tech providers and brands.
These disruptions aren’t necessarily the fault of the publisher or advertiser (though it is possible for the string to be manipulated – which is an entirely different issue).
Here are two examples of how the string can be corrupted.
- Example A: A user lands on an advertiser's website and clicks “no” on the permission pop-up. A recent platform upgrade via the CMP leads to misconfigured signals and that user is served a retargeting ad on another website, leaving the brand and publisher in violation of privacy laws.
- Scenario B: A brand is running a retargeting campaign based on shopping cart behavior. While data is clean in their CMP, a broken consent string occurs via programmatic ad delivery and users are improperly retargeted across the web.
Despite seeking consent in both cases, they have committed ad violations. The biggest problem here is neither party will likely realize the data was processed unlawfully because they believe they’re fulfilling their obligations by asking for consent. It’s up to advertisers and publishers to find and fix these incorrect data signals, using an employee with the proper knowledge or a vendor specializing in data privacy.
2. Take a fresh look at GDPR and other compliance laws and make a checklist.
Publishers must be wary of not only GDPR, but also state laws including California’s CCPA, Nevada’s Senate Bill 220 Online Privacy Law and the Maine Freedom of Access Act. More are following suit, with an update and expansion to the CCPA known as California's CPRA, the Virginia Consumer Data Protection Act and the Colorado Privacy Act, all of which are due to take effect in 2023.
Review this list to make sure you’re up to speed, and take a look at this 10-step checklist to navigate your compliance.
3. Analyze your data partners.
Your efforts to follow the law might be for naught if your data partners aren’t being careful.
Analyze their ads, website and other content they’re putting online. You can usually tell if a company is reputable by doing some online research. Is their website well-done and modern? Are there spelling errors or typos? Does the site look like it was thrown together, or built with extreme care? If a company is sloppy with its public-facing content, there is a reason to be worried about them being sloppy about data collection.
Have a conversation with them about the topic. It doesn’t have to be an inquisition. Tell them you’re revamping your GDPR and data privacy procedures and would like their input. Their response will be telling. If you’ve done your research, you’ll know if they have done theirs.
4. Consider cookie alternatives.
Third-party cookies are an effective data collection tool, but with them being the impetus for change in data privacy laws, it’s worth checking out alternatives for collecting data for targeting purposes.
- Identity solutions. This replaces sensitive information such as e-mail address and phone numbers by assigning a user ID. This ID can be used across websites that are connected to the identity solution and allows them to target users without sharing identifiable information that could be leaked and abused.
- Cohorts. Rather than generating unique profiles for each user, this solution assigns users to one or more cohorts filled with people with similar interests. Google Topics is one such approach, part of Google's Privacy Sandbox initiative, which uses application programming interfaces.
- Contextual targeting. This form of targeting is based on the type of content that the user is consuming. This benefit is reaching the user where they are most receptive, however, there are inherent measurement challenges when it comes to reach and frequency.
Reevaluating your data privacy policy
Now is the time to reevaluate your data privacy policy as cookies become less feasible and privacy laws continue to tighten.
Identify and flag improperly retargeted ads, unauthorized data collection and failed consent signals between systems. Consider auditing your audit your partners' compliance. If you don’t have the in-house expertise to do it on your own, consider hiring a data privacy company.
A little preparation now might save you a lot of trouble later.