Ad tech isn't ready for California
Clean rooms, email-based identifiers may be in real trouble
The digital ad industry has made a big show of making preparations for a post-cookie, privacy-focused world. Much of that performance has seemingly been aimed at telling regulators - ‘we’ve got this.”
But this summer, we may find out whether all those efforts - clean rooms, first-party data focuses, new identifiers - may all be for naught. It’s not crazy to think that they could all be against the law.
I spoke to Jessica Lee, partner at Loeb & Loeb, and Chair of the firm’s Privacy, Security & Data Innovation, in the latest episode of my Next in Media podcast. We talked about the potential for. a national privacy law this year (forget it, she said) and the impact of the slew of state laws on the books.
The big one is in California. Because starting July 1, the newly-formed California Privacy Protection Agency takes over enforcement from the state’s Attorney General.
Then it’s game on, and into the unknown.
“Because these laws are so new and enforcement is so young,” she said. “I don’t think we’ve seen the full impact yet.”
There will likely be an impact.
“I get the sense that they are very excited to exercise their enforcement abilities,” Lee added. “I’m not sure everyone is fully prepared for an agency focused on privacy that both has audit and enforcement capabilities.”
“I do think there will be some attempt to reign in ad tech. It’s just not clear what angle.”
Ah the angle, that’s key. Does this state mostly care about protecting kids? Health data? Location data? Do they just want to protect consumers? Encourage competition? It’s hard to know.
Lee mentioned two key pieces of language in the California law: “Contractural Privity” and “Purpose Limitations.”
Contractural Privity, in the laymenist of layman’s terms, means that anybody who shares data with any other party has to have a written deal in place granting those rights- something that just doesn’t happen on the Lumascape.
“I don’t think the industry is focused on what that could mean if that’s enforced,” Lee said.
I asked a duh question - doesn’t everybody who shares data have a contract? Well as Michael Hahn, EVP & General Counsel for IAB, explained to me, by nature lots of data goes back and forth between parties in digital advertising, regardless of whether a financial deal is in place. Think of every time an ad server makes a call, or a tracking pixel is fired, or a DSP looks to target a consumer with certain characteristics.
Since it would beyond cumbersome to create and sign contracts for all of those instances, the IAB has come up with a solution - the Multi State Privacy Agreement, which is designed to fill in all the blanks. Thousands of companies have signed on, creating 'blanket contracts’ for all kinds of data sharing that California lawmakers might scrutinize.
Is it fool proof? We’ll see. “The MSPA has been drafted conservatively,” he said.
“It is intended to provide a measure of security and be consumer-first. I do think there is going to be enforcement activity. There are a number of companies that probably have not done a significant amount of preparation. But I think that we are well prepared with the MSPA.”
Ok, so that’s where things stand contractually. What about “Purpose Limitations”? Well, that’s where things could get really dicey.
In recent years, advertisers, publishers and tech platforms have leaned into using first-party data over third-party data in the name of being privacy-first. That’s lead to the use of new identifiers - such as the Trade Desk-led UID 2.0, as well as clean rooms anonymous device graphs and the like.
Are we sure these are all ok under the California law’s definition of purpose? Do consumers understand they are signing up for all of these uses of their data when they provide their email address to someone? When you signed up for Amazon 15 years ago, did you consent to have your information used in the Amazon Marketing Cloud, or your shopping history be used to target ads all over the open web?
We’ll see.
According to Hahn, in Europe, it’s become common for publishers and brands to provide a laundry list of use cases for consumers to say yes or no to. “Europe has a hyper=specific consent process,” he said. “The US is different.” He expects US companies to provide an opportunity for consumers to broadly opt out of data sharing, while providing an explanation for why the use of such data is helpful in providing people with relevant content and ad experiences.
Will that be enough to assuage Cali regulators? Lee, for her part, isn’t so sure.
“It depends on the technology and how it’s being used,” she said. “If the technology allows companies to do the same things they were doing before, that’s not going to be a clean escape from privacy laws.”
That leaves a big question of interpretation for California lawmakers. Are cookie alternatives and clean rooms really privacy-first, or actually just a way for the industry to conduct business as usual with some new tools? And does California have a problem with that?