3 To-Dos to Ensure Compliance & Stop Ad Privacy Violations
Much of the advertising ecosystem is still struggling to keep pace with industry regulations that evolve at breakneck speed. The exit of third-party cookies and the introduction of new targeting solutions are the latest changes adding to the layers of complexity.
Consumers are increasingly concerned about how their data is being used, and they have a right to be. A study by MIT and University College London shows that only 12% of consent management platforms (CMPs) meet the legal minimum requirement for data compliance. When trillions of real-time ad auctions happen every day, how can you be sure that your data partners are as careful with consumer data as you are? Today, making sure people DON’T see ads is just as important as making sure they do.
Privacy is a leading priority when brands buy media, so it's vital that you go above and beyond to make sure the data you’re processing for digital advertisements is compliant. Failing to do so carries some hefty repercussions.
The risk of not taking data compliance and ad violations seriously
The punishment that most brands are concerned about for breaching data privacy is a hefty fine. GDPR penalties for data mishandling in Q3 of 2021 reached $1B alone. California is giving 30 days to fix compliance before issuing fines and other state laws will follow in early 2023. While it's easy to measure the costs in fines, the actual cost to your business may be far greater. Here are a few other factors to consider:
Reputation damage: Information is power and a misuse of data can cause serious distrust with brands and consumers resulting in a loss of revenue. It can take years to build trust but seconds to break it!
Business disruption: You may have to cease certain business activities while investigations take place, or advertising accounts could be shut down if they are found to breach data privacy. Other projects may need to take a back seat, pushing your tasks further down the to-do list.
Loss of productivity: Compliance breaches are a huge distraction from the normal day-to-day and the impact trickles through the company structure affecting efficiency and team morale.
3 to-dos to ensure ad compliance and stop ad privacy violations
To ensure you’re not violating ad privacy you need to:
1. Spot problems with consent signal handoffs throughout the ad ecosystem
Under regulations such as GDPR you must gain an individual's consent in order to process, store, and share their data for the purposes of serving personalized ads - this includes both prospecting and retargeting. In order to process sensitive information for profiling (understanding a user’s behaviour and interests online), you must gain what is known as ‘explicit consent’. This is when a user gives you a yes or no answer. The continued use of your website does not give explicit consent, but clicking ‘accept’ on a data privacy notification banner when they first land on your website does.
Both advertisers and publishers need to collect consent to use this data for advertising purposes. Unfortunately, due to the complexity of the ad ecosystem and automated technologies, data sharing between media companies, technology providers, and brands opens up possibilities for incorrect consent signal handoffs.
Scenario A: A user lands on an advertiser's website and does not give consent to share their data. A recent platform upgrade via the CMP leads to misconfigured signals and that user is served a retargeting ad on another website, leaving the brand and publisher in violation of privacy laws.
Scenario B: A brand is running a retargeting campaign based on shopping cart behavior. While data is clean in their CMP, a broken consent string occurs via programmatic ad delivery and users are improperly retargeted across the web.
Despite seeking consent in both cases, they have committed ad violations. The biggest problem here is neither party will likely realize the data was processed unlawfully because they believe they’re fulfilling their obligations by asking for consent. Therefore it’s vital that advertisers and publishers are proactive in finding these incorrect data signals to fix them before they become a problem.
2. Identify compliance violations across a range of regulatory frameworks
GDPR is just the beginning. As a publisher, you also have to be compliant with the various state laws, including California’s CCPA, Nevada’s Senate Bill 220 Online Privacy Law, and the Maine Privacy Act. More are following suit with an update and expansion to the CCPA known as California's CPRA, Virginia's VCDPA, and Colorado's CPA, all of which are due to take effect in 2023.
Unfortunately this doesn’t leave a lot of time for businesses to understand the policies and put in processes that ensure they are compliant. You may also do everything you can to ensure you’re adhering to the law, but are your data partners as careful as you?
These are the risks you run into when using third-party data and you may be completely unaware that the data you are using has been obtained this way.
3. Visualize the flow of consumer data on an ad by ad basis
You might have an idea that you’re running into compliance issues (or worried that they’re happening despite your efforts) but where do they lie and how do you solve them?
There are three ways online ads violate data privacy:
Violation 1: Consent failure - this is the cause of the privacy breach. This happens when a user's opt out request is not passed between partners. This could happen because the SSP loses the consent signal and assumes opt in, for example.
Violation 2: Improperly Shared Data - when personal data is shared against user consent for retargeted advertising. This is an outcome of consent failure.
Violation 3: Unauthorized Data Collection - data syncs are no longer permissible after opt out and at this stage bidding platforms can skim data, gathering user data that should not have been available to them.
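The three violation types above can be checked mechanically once each hop's view of the consent signal is recorded. The following is an added example, not Boltive's code: it assumes the opt-out travels as an IAB US Privacy string (third character `Y` means opted out of sale) and uses a constructed trace with hypothetical field names.

```python
import re

# Constructed trace of one ad impression (hypothetical field names): the
# us_privacy string each hop saw, and what that hop did with user data.
TRACE = [
    {"hop": "publisher-cmp", "us_privacy": "1YYN", "synced_ids": False, "retargeted": False},
    {"hop": "ssp",           "us_privacy": "1YYN", "synced_ids": False, "retargeted": False},
    {"hop": "exchange",      "us_privacy": None,   "synced_ids": False, "retargeted": False},
    {"hop": "dsp",           "us_privacy": "1YNN", "synced_ids": True,  "retargeted": True},
]

US_PRIVACY = re.compile(r"1[YN-]{3}")  # version 1, then notice / opt-out / LSPA flags


def opted_out(signal):
    """True if opted out, False if not, None if the signal is missing or malformed."""
    if not isinstance(signal, str) or not US_PRIVACY.fullmatch(signal):
        return None
    return signal[2] == "Y"


def audit(trace):
    """Return (hop, violation) pairs for a user whose opt-out was set at the first hop."""
    findings = []
    if not trace or opted_out(trace[0]["us_privacy"]) is not True:
        return findings  # no opt-out at the source, so nothing downstream can breach it
    intact = True
    for hop in trace[1:]:
        state = opted_out(hop["us_privacy"])
        if intact and state is not True:
            # Violation 1: first hop where the opt-out is lost or flipped
            findings.append((hop["hop"], "consent_failure"))
        intact = intact and state is True
        if hop["synced_ids"]:
            # Violation 3: data sync after the user opted out
            findings.append((hop["hop"], "unauthorized_data_collection"))
        if hop["retargeted"]:
            # Violation 2: personal data used for retargeting against the opt-out
            findings.append((hop["hop"], "improperly_shared_data"))
    return findings


if __name__ == "__main__":
    for hop, violation in audit(TRACE):
        print(f"{hop}: {violation}")
```

A missing or malformed string is reported as a consent failure rather than read as opt-in, which is the opposite of the SSP behaviour described under Violation 1.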
The difficult part is identifying these breaches so they can be solved before you become liable. That’s where Boltive’s Privacy Guard comes in! Created with the co-author of CCPA and CPRA, our synthetic user personas browse the open web just like your consumers, sending thousands of data points to your dashboard.
Using this data we can identify and flag improperly retargeted ads, unauthorized data collection, and failed consent signals between systems. Importantly, this means you have the ability to audit your partners' compliance, no matter how far downstream your data goes. With the Boltive Risk Index, or BRI™, your ads, partners, data collectors, and user segments are given a score that helps you understand at a glance if your partners' data practices are putting you at risk of regulatory action.
Data changes coming into play
A common method of tracking data to generate user profiles is using third-party cookies. Although they are an incredibly effective tool for advertising, they are also controversial. Passing cookie data between third parties creates opportunities for mishandling data. As a result, cookies have come under fire from those concerned about data protection and, as such, they are on their way out. This can already be seen in Apple's release of iOS 14.5, where users have to allow tracking permissions, and in Google Chrome's removal of third-party cookies as part of the Privacy Sandbox Strategy.
This will mainly affect advertisers who want to record a user's behaviour to create a profile for targeting purposes. So what can be used instead?
- Identity solutions - These replace sensitive information such as email addresses and phone numbers by assigning a user ID. This ID can be used across websites that are connected to the identity solution and allows them to target users without sharing identifiable information that could be leaked and abused.
- Google FLoC - This stands for Federated Learning of Cohorts and is part of Google's Privacy Sandbox initiative, which uses application programming interfaces (APIs). Rather than generating unique profiles for each user, users are assigned to a cohort filled with people with similar interests.
- Contextual targeting - Targeting based on the type of content that the user is consuming. The benefit is reaching the user where they are most receptive; however, there are inherent measurement challenges when it comes to reach and frequency.
2022 will be a year to evaluate these solutions as the countdown continues for cookie deprecation. As brands & publishers test these various solutions, Boltive provides solutions to evaluate the effectiveness of each solution to ensure that brands are reaching the correct audience and that publishers are maximizing their programmatic revenue.
How to ensure you're compliant across your ad ecosystem
As mentioned earlier, it can be incredibly difficult to know whether the data you are using is 100% compliant. But what if there was a tool that could scour the internet and check that for you?
Boltive Privacy Guard™ is the first tool that can simulate consumers’ web journeys, verify that consent management works and ensure that data isn’t sold or shared unlawfully.
Privacy Guard captures and aggregates real ads being served to your personas in real time, delivering the key insights you need to keep your consumer data -- and your brand reputation -- safe.
Privacy Guard’s patented technology is a codeless solution which means no system integration is required. It’s easy to add to your current set of tools without adding weight to your site or ads. Just set up your personas and run.