In a detailed discussion with AdMonsters’ Yakira Young, James Rosewell, co-founder of Movement for an Open Web, discussed the nuances of the Competition and Markets Authority’s (CMA) recent report and concerns regarding Google’s Privacy Sandbox. 

Exploring the pivotal changes and challenges in digital privacy and competition, this analysis highlights the tension between innovation and regulation, examining how new policies may reshape the digital advertising landscape. 

Here are Rosewell’s insights into the evolving dynamics of digital privacy and its potential ramifications for the industry. This recap highlights the significant aspects of his analysis, touching on the tensions between privacy, competition, and interoperability, as well as the future steps for addressing these emerging challenges.

Tensions at the Triangular Table

• Digital Industry’s Inflection Point: Rosewell describes the CMA’s April report as a pivotal moment that could dictate future directions for digital advertising and privacy. It’s a tipping point for the digital industry, marking significant changes in the regulatory landscape.
• Interplay of Competition and Privacy: The report underscores the ongoing tension between competition and privacy, pointing to the need for balance between these elements.
• Interagency Dynamics: Rosewell clarifies the distinct roles of the ICO and CMA in the UK’s regulatory framework, emphasizing their collaborative yet focused mandates on privacy and competition, respectively.
• Google’s Compliance Challenges: The ongoing scrutiny over whether Google’s Privacy Sandbox meets the dual mandates of the ICO and CMA.
• Future Projections for Google: Insights into potential changes Google might need to implement to align with regulatory expectations.

Unpacking Compliance and Concerns

• Non-Compliance with ICO Guidelines: Rosewell points out significant gaps in Google’s adherence to privacy standards, particularly in how the Privacy Sandbox handles data. While Google’s Privacy Sandbox has not fully complied with the ICO’s privacy guidelines, this could signal significant shifts in how data privacy is managed. Rosewell suggests that the ongoing non-compliance could lead to more stringent oversight and possibly a rethinking of current data privacy frameworks.
• Technical Shortcomings in APIs: There are concerns about the technical limitations and the potential misuse of de-identified data. The report details criticism of how privacy APIs might still be processing personal data, indicating a lack of true anonymization.
• Call for Clarity and Compliance: Upcoming, more detailed ICO reports, are expected to address these compliance issues. 
• Stakeholder Feedback: Reflections on the broader industry concerns regarding the overreach of the Privacy Sandbox beyond basic legal frameworks.

Governance and Technical Hurdles

• Need for Robust Governance: The discussion emphasizes the essential role of governance in managing digital practices fairly and transparently.
• Governance in Digital Operations: There is a necessity for proper governance frameworks that ensure fairness and compliance in digital operations, as opposed to automated, unchecked processes.
• Challenges of Ensuring Reliability: There are limitations in current technological solutions like the Attribution Reporting API’s Coordinator Service.
• Industry’s Call for Protection: There is a potential need for warranty language to safeguard the interests of advertisers and ad tech partners.
• Technical Challenges of Latency: The discussion of latency issues within digital platforms, emphasizes the limitations of browser-based solutions and the potential need for server-side solutions.

The Smaller Players’ Predicament

• Disproportionate Impact on Smaller Entities: Changes driven by the Privacy Sandbox could particularly challenge smaller publishers and advertisers.
• Potential for Increased Market Consolidation: Stringent privacy regulations may inadvertently push smaller players towards more restrictive platforms and into less competitive environments.

Looking Ahead: Remedies and Regulations

• Advocacy for Meaningful Dialogue: Rosewell calls for a balanced discussion that does not sacrifice interoperability, privacy, or competition.
• Engagement with Regulation: The importance of engaging with regulatory processes to influence and adapt to new market conditions.
• Envisioning Future Remedies: Data labeling and enhanced privacy guidelines could serve as potential solutions for the industry.

In this crucial moment for digital advertising, Rosewell’s insights underscore the importance of a collaborative regulatory approach that balances innovation with privacy and competition. As the industry anticipates the next phases of the CMA’s evaluations and Google’s responses, the continued dialogue at AdMonsters Ops — during Rosewell’s closing keynote June 4, 2024 — promises to provide a vital forum for shaping the future of digital advertising. 

The challenges and opportunities discussed highlight the critical need for an industry-wide dialogue and cooperation to ensure that future developments benefit all stakeholders.

The post LinkedIn Live Rewind: Unpacking the Implications of CMA’s Surveillance on Google’s Privacy Sandbox appeared first on AdMonsters.

Google is seeking public comment on its revised IP Protection feature, part of its Privacy Sandbox initiative. They believe a two-hop process may offer consumers maximum protection against covert site tracking. A few months back, AdMonsters explored how it will impact publishers. Now, let’s see what advertisers are saying about it.

A Quick Recap

Google’s IP Protection is a proposed feature that blocks websites from tracking users’ digital lives. They introduced the feature three years ago under the name “Gnatcatcher” and conceived it as an opt-in. 

To prevent covert tracking, Google is considering a two-hop privacy proxy system. First, the feature will send traffic from Chrome browsers to a privacy proxy, creating a secure and private tunnel from the browser to the destination website. This means that the destination website will not see the IP address assigned by the ISP for that session.

There’s also talk about routing some (possibly all?) through an external CDN for additional protection, but the specifics are still murky.

Some Advertisers are Worried

Some have raised concerns about the potential impact of IP Protection on ad targeting and measurement. Location-based targeting will take a hit, which for some advertisers means more than just retargeting users’ mobile devices as they pass by a brand’s retail outline.

Some brands — think online betting and gaming apps — need to know a user’s IP address of origin to comply with local laws. Take, for instance, Illinois, which permits online betting, and Missouri, which does not. The two states share a lengthy border, and St. Louis, Missouri, is just four miles from East St. Louis in Illinois. Countless people commute across state lines for work. It’s easy enough to target a reader of a St. Louis website with an online gaming app. Yet, the advertiser could face legal ramifications if that person is a Missouri resident.

Geolocation is also helpful in ensuring the right user sees the right ad content. Let’s say an insurance provider wants to target users during open season in the Upper Valley, which spans Vermont and New Hampshire. Without knowing the user’s IP of origin, the insurance provider can waste ad spend targeting consumers who don’t qualify for its services. IP addresses have been instrumental in helping advertisers display the right ad content to the right user, and they fear they will lose this efficiency with widespread IP blocking.

At present, Google is planning to limit IP Protection to its sites, but that’s not enough of a comfort to some advertisers. “The spirit of using proxy IPs for increased privacy is in the right direction as long as it is focused on the bad actor domains tracking IPs. If, however, it bleeds across to all domains and impairs personalization, targeted ads, and other useful functionality offered by ABM providers, it could certainly present new challenges,” Chris Golec, founder of Channel99, told MarTech last year.

It’s a concern shared by privacy lawyer and GDPR expert Atis Gailis, who wrote in a GDPRBuzz post: “Google’s IP Protection feature is a significant step towards enhancing user privacy. However, the challenge lies in striking a balance between protecting user privacy and maintaining the functionality of legitimate use cases.”

Not Everyone is Buying the Privacy Argument

Part of Google’s reasoning is that “IP addresses can be stable over periods of time, which can lead to user identification across first parties.” The word “can” is pretty important here.

There are different types of IP addresses, including public, private, dynamic, and static. Private IPs are those used by corporate Intranets; one IP address serves all the corporate network devices. Individual devices remain private, making tracking individual users by covert third parties difficult, if not impossible.

And 55% of users access the internet via mobile devices, which are generally very dynamic and change every few hours. IP data providers have noted that the same mobile IP address can be observed in locations thirty miles apart within very short time frames. A user’s mobile IP address can change 20 times a day!

IPs that provide residential connectivity tend to have more stable addresses, but according to Forbes, 77% of people use VPNs for personal use, taking it upon themselves to protect their privacy. 

Some critics have expressed concerns that the feature may not provide meaningful privacy benefits and could be used to further Google’s data collection efforts. It’s a land grab if you will. On a blog for ProtonVPN, Ben Wolford calls IP Protection privacy washing. “The idea behind IP Protection is much the same. It shields your computer’s IP address from other websites while passing all your web traffic through a server owned by Google. This gives Google a God’s-eye view of every website you visit at all times while using Chrome, whether you are logged in to your Google account or not.”

He’s not alone. “As with all aspects of the Sandbox, IP Protection is an anti-competitive technology that Google is attempting to impose upon the web under the veil of privacy. It removes an important piece of data from Google’s competitors whilst they can continue to make use of it,” writes Thomas Clayburn for The Register.

This land grab is precisely why The Movement for an Open Web (MOW) filed a complaint with the UK’s Competition and Markets Authority (CMA) last November, stating that Google’s new IP protection methods are anti-competitive. In addition to the unfair advantage, MOW is concerned that IP Protection will make keeping kids safe on the web more challenging.

Advertisers who share these concerns can voice them to Google, as the feature is still in the proposal stage.

The post Google’s IP Protection Raises Concerns for Some Advertisers appeared first on AdMonsters.

In the United States, the cookie replacement talk is all Privacy Sandbox this, Privacy Sandbox that, but in the UK, they seem to move to the beat of a more skeptical drum. 

There is no doubt that Google dominates the open web. Whether you’re an ad tech company, publisher, or buyer, you will transact with the tech giant in some capacity. 

When it comes to big tech entities like Google, there is no competition, regardless of what they might tell the Department of Justice. They have the pipes, infrastructure, and the audience to garner the majority of ad spend.

Following the Competition and Markets Authority’s (CMA) report on digital markets in July 2020, the Movement for an Open Web (MOW) started in September 2022. MOW was encouraged by the CMA, as they needed someone to come forward to do their job. MOW is comprised of a mix of media, advertising and technology businesses.

MOW doesn’t see itself as a general services company. The organization was the original body that complained to the CMA, leading to the commitments that delayed the rollout of the Privacy Sandbox. Without MOW’s complaint and the CMA, Google’s Sandbox may have rolled out long ago.

“I think the fact that we exist is a testament to the fact that established trade bodies are not able to represent victims’ interests for various reasons adequately, some of which are the membership of Google in those organizations and the financial dependency that those organizations have on Google,” said James Rosewell, co-founder of MOW. Rosewell is also one of the leading voices of SWAN (Secure Web Addressability Network), a community-operated and open-source replacement for many use cases supported by third-party cookies.

Uncovering the Truth Within the Sandbox

The CMA’s current commitment to Google is that the entity exists to judge whether competition will be preserved once Google makes a series of changes. The highlighted modification is the end of third-party cookies, but other components, like IP protection, bounce tracking, and more, are set to change.

The test is twofold: one, does the design give the possibility of equivalence, and two, does the testing provide the evidence so that the CMA could make a decision that would stand up as a minimum for other regulators?

MOW believes the Privacy Sandbox fails on both of those tests. The design can’t achieve equivalents with third-party cookies, and we also see testing woes. We are just throwing things at a wall to see what sticks, which is not scientific enough, according to Rosewell.

In a perfect world, Google would have tested this technology on their properties. As a suggestion, MOW strongly feels that Google should have applied the Privacy Sandbox across YouTube for at least a quarter and then reported the revenue impact to the Security and Exchange Commission (SEC). Then, they could prove the revenue uplift associated with its usage. Upon publishing their findings on the market they would have achieved a high standard of SEC reporting and showed the market what worked, giving the CMA more of a leg to stand on.

Google ran a very small test, where they continued to use third-party cookies for everything except segmentation. They only tested the Privacy Sandbox solutions for attribution and tracking, but that was only one aspect. Big G claimed that the test ran on their owned and operated properties, but that just wasn’t enough according to MOW. The nonprofit organization strongly feels that if the Privacy Sandbox were this saving grace that Google claims it to be, YouTube would have made much more money using it. 

For publishers using the Privacy Sandbox, MOW warns that you won’t be able to measure advertising on your websites. This can only be accomplished by using Google’s algorithms to measure it at an aggregate level with noise.

“If you’re a massive advertiser like Nike or a massive Publisher like The Washington Post or the DailyMail, then the noise in aggregate reporting may be tolerable for you, but if the same amount of noise is added to a chain of three hairdressers in a local community’s website or a small local publisher, then it might not meet the threshold to come up and be surfaced as a report,” Roswell pointed out. 

Smaller businesses are restricted by the technologies that Google provides, he says. There is also no auditing and independent auditors like the Media Rating Council to determine whether or not Google’s code, the way it’s working, and the way it’s deployed is accurate. That is going to be a real problem. 

Is the Future of 2024 Bright?

2024 is going to be different because the dialogue will move to remedies. MOW is working on a summary of remedies in discussions with the organization’s participants and industry regulators. 

We need to see the browser regulated just as we would regulate traditional telecommunications. “AT&T does not have the power to tell a consumer that they don’t like a particular phone conversation they are having on the network; they wouldn’t ask to interfere in your conversation,” Rosewell added. 

He explained that digital advertising is about 25 years old and we must see regulation. The browser should be limited to access and navigation as it was originally intended. According to MOW, if standard bodies are regulated, they can’t disadvantage other participants as they do now by preferring the web browser and giving the web browser vendor preferential status. 

The post Google’s Privacy Sandbox: A Solution, or A Shiny Object? The UK’s MOW Weighs In appeared first on AdMonsters.