Following recent changes announced by Google for its Chrome browser, users will be prompted to exercise more control over third-party cookies. And while it is plain to see that Google and regulators wish to avoid a repeat of the App Tracking Transparency (ATT) debacle, the mere possibility of comparison warrants serious investigation into alternatives, of which Privacy Sandbox appears heir apparent.

Years of development and negotiations, its most recent pivot, and newly announced features demonstrate Google’s dedication to finding a balance that satisfies its obligations to the Competition and Markets Authority (CMA) and the concerns of the Information Commissioner’s Office (ICO). When it does, addressability through cookies will decline rapidly and brands dependent on them will be impacted absent adaptation.

Powering this colossal and oft-delayed shift is an irrefutable truth: online privacy has become a core concern for lawmakers and their constituents in Europe and worldwide.

The Legal Push Behind Corporate Change

Privacy is no longer a niche concern; it is becoming a fundamental expectation of regulators and consumers, especially in the States where legal reforms are gaining momentum. Comprehensive privacy laws are taking effect in nearly twenty states, with California leading the way through the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA).

The rapid pace of legislative change is striking — more than half of new privacy laws were introduced in 2023-24 alone. While the House failed to pass the American Privacy Rights Act (APRA) out of committee, the bill came far closer to a floor vote than most anticipated. Congress appears poised to pass children and teen-focused privacy bills before the end of session.

This shift is more than just a legal headache for companies; it reshapes how businesses interact with consumers. Brands should rethink their data collection and data use strategies, due to the requirement to respect types of opt-out signals mandated by laws in California, Colorado, and Texas, as well as increased obligations to consent for certain data types, and internal data mapping requirements.

U.S. state laws, while different in structure from the General Data Protection Regulation (GDPR), share common enforcement elements that compel companies to change their data practices, and penalties for non-compliance are steep The message is clear: compliance isn’t just about avoiding penalties—financial and reputational—it’s about staying ahead of a wave of risk that is only gathering strength.

What the U.S. Can Prepare For

Looking to Europe provides a roadmap for how privacy laws can amplify consumer expectations. The GDPR, now six years into enforcement, has dramatically altered the landscape for advertisers and consumers alike. With more than  2,000 fines issued by March 2024 and penalties nearing €4.5 billion, companies have had to adjust their strategies to comply with stricter privacy regulations.

Even though privacy was already a top concern for consumers in Europe, legally required changes by companies there led to increased awareness of users’ privacy rights and more frequent exercise of those rights

In the U.S., this process is beginning to unfold. While data protection concerns have historically focused on government surveillance, the growing wave of state privacy laws and increasing public scrutiny of private data usage — especially after Cambridge Analytica — are starting to mirror the European experience. However, the signs of fatigue in Europe due to the constant consent requests have led regulators to express a desire for reform. If it happens, the process will likely be slow, but we may hope to see similar changes in U.S. legislation sooner rather than later.

The Path to Consumer Trust

The importance of comparing the EU and U.S. approaches to privacy lies in user behavior. As brands prepare to comply with evolving privacy laws, consumers are becoming increasingly informed about data practices, leading to heightened expectations around transparency and choice. However, there is a critical need to find the right balance between customer expectations regarding data privacy and their desire for relevant, personalized experiences.

A recent survey revealed that 86% of Americans are concerned about their online privacy, a number likely to rise as privacy laws gain ubiquity. Just as the GDPR heightened awareness among Europeans, U.S. consumers will reasonably demand more control over their data. This shift will inevitably result in more users opting out of third-party cookies, requesting their data deletion, and exercising their rights to the data companies hold about them — whether manually, through changes implemented by platforms, or via authorized agents.

Navigating the Road Ahead

It’s essential for brands to recognize that user behavior will evolve alongside legal obligations. Companies that fail to adapt their strategies now risk losing trust and relevance in the eyes of consumers.

The shift towards cookieless technologies is not merely a legal necessity but also a crucial response to meet evolving consumer demands and offset increased risk and overhead associated with new obligations.

First-party data and strong consumer relationships have never been more critical. Diversifying vendors for each critical function will ensure continuity and create a competitive advantage amidst these changes. Additionally, assessing whether partners are equipped to help navigate this new landscape is vital.

Laws are driving changes in both corporate behavior and consumer expectations, forcing companies to adapt. Eventually, the switch for third-party cookies will be flipped to “off.” The time to prepare is now.

The post Beyond Compliance: Adapting to Privacy-Centric Platforms and Consumer Expectations appeared first on AdMonsters.

AI has already begun transforming various aspects of mobile marketing, from personalized recommendations to predictive analytics. As AI technologies evolve, their impact on mobile measurement and attribution will become even more pronounced. 

AI’s ability to process and analyze vast amounts of data quickly and accurately is unparalleled. In the context of mobile measurement, AI can provide deeper insights into user behavior, helping marketers understand what users are doing and why they are doing it. This capability will enable more precise targeting and personalized marketing efforts, enhancing user acquisition strategies.

The Power of AI in Mobile Measurement

Predictive analytics powered by AI can forecast future user behaviors based on historical data. For example, AI can identify patterns that indicate a user is likely to churn, allowing marketers to intervene with targeted campaigns to retain the user. This proactive approach can significantly improve user retention rates and lifetime value (LTV).

AI-driven automation will streamline various aspects of mobile measurement and attribution. Tasks that were previously manual and time-consuming, such as data collection, segmentation, optimization, and reporting, can now be automated. This not only increases efficiency but also reduces the likelihood of human error.

Automated attribution models, for instance, can dynamically adjust to changing user behaviors and market conditions, providing more accurate and timely insights. This agility will be crucial in a fast-paced industry where trends and user preferences can shift rapidly.

Privacy Concerns and Regulatory Challenges

While AI offers numerous benefits, the rise of privacy concerns poses significant challenges to mobile measurement and attribution. Users are becoming increasingly aware of how their data is collected, stored, and used, leading to greater demand for privacy protections.

Governments around the world are enacting stricter data privacy regulations. The General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States are just two examples of legislation having significant implications for mobile measurement and attribution.

These regulations require companies to obtain explicit consent from users before collecting their data and to provide transparency about how data is used. This shift towards user consent and control over personal data will limit the amount of data available for traditional attribution models, which rely heavily on tracking user interactions across various touchpoints.

The Shift Away From Traditional Tracking

Additionally, changes to Apple’s Identifier for Advertisers (IDFA) and Google’s upcoming Privacy Sandbox for Android are major developments that will impact mobile measurement. Third-party cookies have been a staple of digital advertising, enabling cross-site tracking and attribution. However, with browsers like Safari and Firefox blocking third-party cookies and Google’s Privacy Sandbox for Android planning to remove any personally identifiable information (PII), marketers need to find alternative methods for tracking user behavior.

Similarly, Apple’s introduction of the App Tracking Transparency (ATT) framework requires apps to obtain user permission before tracking their activity across other companies’ apps and websites. As a result, many users are opting out of tracking, reducing the effectiveness of IDFA for attribution purposes.

Adapting to a Privacy-First Future

The mobile app industry needs to adopt new strategies and technologies to navigate the challenges posed by AI and privacy concerns.

With traditional tracking methods becoming less viable, marketers should explore privacy-centric attribution models. By leveraging solutions like incrementality, marketing mix modeling (MMM), and predictive analytics, it’s possible not just to work with aggregated data, but to gain true insights from it. This involves analyzing trends and patterns at a cohort level rather than tracking individual users, thus respecting user privacy while still gaining valuable insights.

First-party data, collected directly from users with their consent, will become increasingly valuable. By building strong relationships with users and encouraging them to share their data willingly, companies can create rich datasets for analysis and attribution. This data is often more accurate and reliable than third-party data, leading to better targeting and measurement outcomes.

Contextual targeting, which focuses on delivering ads based on the context of the content being consumed rather than user behavior, will also gain prominence. This approach respects user privacy by not relying on personal data and can still achieve effective targeting by aligning ads with relevant content.

The Role of AI in Ensuring Compliance and The Future of Mobile Attribution

AI can also play a crucial role in ensuring compliance with privacy regulations. Machine learning algorithms can be used to detect and manage sensitive data, ensuring that personal information is handled appropriately. AI can automate the process of obtaining and managing user consent, making it easier for companies to comply with regulations while maintaining a positive user experience.

The intersection of AI and privacy concerns presents both challenges and opportunities for mobile measurement and attribution in the coming years. AI has the potential to enhance data analysis, predictive analytics, and automation, driving more effective user acquisition strategies. However, the increasing demand for privacy and regulatory changes will require the industry to adapt by adopting privacy-centric attribution models, leveraging first-party data, and exploring contextual targeting.

As the mobile app industry navigates this evolving landscape, companies that can successfully integrate AI-driven solutions while respecting user privacy will be best positioned to thrive. The next 12-24 months will be a critical period of transformation, shaping the future of mobile measurement and attribution practices for years to come.

The post What Is the Role of AI in Mobile Measurement and Attribution? appeared first on AdMonsters.

The digital advertising world stands at the cusp of a major revolution, poised to redefine itself as it phases out third-party cookies. A recent study by Deloitte Digital forecasts a striking $300 million annual loss for major sectors like CPG, Retail, and Financial Services, while the broader impact on long-tail SME advertisers suggests potential losses far exceeding $2 billion in Return on Ad Spend (ROAS). Further adding to the urgency, McKinsey & Company, in partnership with the Interactive Advertising Bureau (IAB), predicts a daunting $10 billion revenue shortfall for publishers.

In the ever-evolving digital advertising landscape, privacy concerns and cookieless tracking have led advertisers and publishers to seek innovative solutions that respect user preferences and comply with stringent regulations. Enter contextual advertising — a strategy poised to redefine the engagement between advertisers and consumers in a privacy-first world.

The Reemergence of Contextual Advertising: A Timely Solution

Dotdash Meredith’s recent unveiling of D/Cipher, an intent-based targeting tool that operates without reliance on cookies, signifies a significant stride towards adopting contextual advertising. This method, further refined through their strategic collaboration with OpenAI, showcases the robust potential of privacy-safe advertising solutions that can effectively connect advertisers with their audience.

As digital advertising’s landscape evolves, OAO celebrates 20 years as a publisher-focused ad operations provider. Initially specializing in traditional trafficking and campaign management services, OAO has expanded its expertise to include programmatic monetization and data analytics, along with being a value-added reseller (VAR) for best-in-class sell-side technologies. Enhancing its suite, OAO introduces its partnership with Ops Mage, a revolutionary AI-driven contextual targeting solution with a strong focus on privacy-first policies. 

For Advertisers: Precision Meets Performance

Surpassing the limitations of traditional keyword block lists, Ops Mage provides a seamless AI-powered platform enabling advertisers to access over 750 IAB categories through advanced contextual and semantic signals. This robust tool delivers unparalleled insights with semantic sentiment analysis, brand identification, and safety, significantly refining targeting strategies.

Ops Mage significantly boosts media plan efficiency and scalability through direct integrations with publisher ad servers and DSPs, facilitating a seamless data connection between advertisers and publishers. With comprehensive omni-channel capabilities spanning video, audio, and display, Ops Mage equips advertisers with precise tools to optimize campaign outcomes through detailed contextual, sentiment, and competitive brand targeting.

For Publishers: Monetization in the Age of Privacy

Publishers now have the ultimate tool to boost ad revenue while adhering to privacy standards like GDPR and other regulations. Ops Mage offers no-code and low-code solutions that integrate smoothly with any ad server or analytics platform. By focusing on deep contextual and semantic signals at the article level, publishers can enhance the value of their inventory and achieve premium revenue through direct-sold ads, contextual PMPs, or bidstream enhancement.

The Ops Mage platform also respects the privacy-by-design ethos, making it an ideal choice for publishers aiming to minimize legal overhead and capitalize on their data in a controlled, transparent manner.

Ops Mage: Accessible Today

A key advantage of Ops Mage is its immediate availability to publishers, providing a ready-to-deploy solution that integrates effortlessly with existing ad ops stacks. This accessibility empowers publishers to proactively address the challenges of cookie deprecation and seize a competitive advantage in the rapidly evolving digital landscape.

Moreover, Ops Mage signals empower publishers to leverage their primary ad server to create and define their audience segments, putting control back in their hands while remaining independent from restrictive walled gardens. 

A Call to Action for Publishers

The brief reprieve of the Chrome cookie deprecation has extended the window of opportunity for publishers to begin exploring and embracing alternative, privacy-safe advertising technologies. As the digital advertising world braces for the post-cookie era, Ops Mage, in partnership with OAO, stands out as an innovative and accessible solution.

Contact sales@adops.com to learn more about Ops Mage.

The post Navigating the Post-Cookie Era: A Call to Arms for Publishers appeared first on AdMonsters.

At the beginning of the year, we covered Compliant’s US Publisher Compliance Index which revealed that 90% of US Publishers share consumer data without consent. 

Privacy compliance is becoming increasingly critical. A successful business must understand the dynamics of data regulation, privacy laws, and brand integrity. 

To follow up on the coverage of this study, I chatted with Compliant CEO Jamie Barnard to delve into the intricacies of compliance within the digital media industry. We talked about the rugged privacy compliance terrain in the US, the challenges faced by advertisers and publishers, and the innovative solutions shaping the future of data privacy and brand protection.

Andrew Byrd: In the study, you emphasize the importance of consistently measuring compliance in media. How do you see this happening overall in the industry? Where is it working, and where does it need improvement?

Jamie Barnard: When we examine the open web specifically, it serves as a valuable baseline for understanding. Approximately $90 billion is allocated annually towards the open web and digital media. Major global brands typically engage with 100 to 150,000 publisher sites worldwide. On average, a campaign targets around 44,000 publishers. 

Our research has assessed the data compliance of about 90% of the open web outside of China based on media spend. The remaining 10% yields diminishing returns because many sites generate only a fraction of ad impressions. For instance, in a 44,000 Publisher campaign, 86% of ad impressions concentrate on just 3,000 sites, leaving the other 41,000 publishers with less than 15% combined impressions. 

Shockingly, 85% of impressions land on sites failing to meet baseline compliance standards, highlighting the internet’s original design prioritizing functionality over privacy. Retrofitting emerging privacy regulations onto this framework proves challenging. We’ve realized we’re in an unsustainable environment requiring change, but we must implement solutions without stalling progress. 

We’re at a critical juncture as we face the cookieless future, characterized by impending privacy regulations. Effective media strategies must align with a new privacy, consent, and identity era. While we still need to prepare for this transition, it parallels the period before GDPR’s enforcement, where readiness evolved gradually. The industry is awakening to the necessity of adapting to this new reality.

AB: What legal obligations do publishers have concerning third-party vendors and tools that collect and share data from their sites? Do we have enough robust laws in the U.S. specifically to address these concerns?

JB: Regardless of location, site owners are responsible for ensuring that third-party tools or vendors collecting and sharing data comply with relevant regulations. Given the volume of work involved, achieving this due diligence is daunting. However, transparency tools can provide insight into the ecosystem and facilitate the establishment of a well-structured vendor network.  

For publishers, Data compliance has become integral to responsible media frameworks, as it ensures brand safety and mitigates privacy risks within the digital supply chain. Blindly placing ads without assessing publishers’ compliance poses significant risks, ranging from benign neglect to severe privacy breaches orchestrated by unscrupulous data brokers. 

Additionally, regulators are contemplating incorporating more technology to keep pace with industry changes. Despite the US being somewhat behind, this situation is transient. Comparing the level of fines in Europe provides a clear indication of the direction the US might take. GDPR fines in Europe surged from 300,000 euros in June 2021 to 4.2 billion euros in June 2023, a remarkable 14,000-fold increase in just 24 months. This trajectory suggests that US state regulators may intensify enforcement efforts, imposing substantial fines for compliance failures.

AB: The study highlights the Publisher Compliance Index (PCI) as contributing to a new brand integrity standard in digital media. Could you explain how the PCI achieves this and its significance for advertisers and publishers?

JB: Earlier, I mentioned that we’ve extensively assessed the data compliance of publishers worldwide. Regardless of your brand’s market, if you’re running an ad campaign, we can provide insights into its compliance at various levels: campaign, publisher, and individual impression. Our PCI serves as a compliance score. We conduct thorough web interrogations using machine learning to scrutinize each publisher’s URL, gaining transparency into vendors, tools, beacons, pixels, and cookies. 

This process allows us to discern consent management solutions, analytic tools, data brokers, and more. We then overlaid over 30 privacy-related data points to gauge compliance with legal and regulatory requirements. The initial score is perfect, but identifying compliance risks gradually diminishes it. 

Currently, scores range from zero to five, reflecting the severity and frequency of identified risks. This score empowers you to analyze past, present, and future media buys, enabling adjustments for improved compliance alongside metrics like viewability, brand safety, and sustainability. Enhancing compliance without compromising brand performance is essential for industry progress.

AB: The U.S. Publisher Compliance Index 2023 Report highlights a significant gap in PCI scores between North American and European publishers. Can you provide insights into the average PCI scores and what they reveal about compliance with privacy laws in these regions?

JB: After examining Europe and the US, I was surprised that the privacy regulation gap isn’t as wide as expected. In Europe, opting in is the norm, meaning data is only shared if explicitly allowed. In contrast, the US operates on an opt-out basis, assuming consent unless denied. 

While Europe offers various lawful bases for data processing, consent remains vital, especially in advertising and marketing. Conversely, the US generally allows data sharing unless refused. There’s a growing recognition, especially led by California, that a consent-based approach is the future. The shift won’t be immediate, but all will likely adopt a consent model over time, though it requires significant restructuring.

AB: Your study said that 90% of US publishers share data without securing consent. What advice would you give to US publishers about privacy compliance? 

JB: Compliance isn’t about constraints anymore; it’s crucial for the future of media and effectiveness. Companies with high compliance standards make quicker decisions, better leverage data, and buy media more effectively, avoiding wasted resources on non-compliant sites. Recognizing compliance as a value driver rather than a limitation is key. Progressive brands and media agencies leading in compliance are outperforming competitors thanks to the quality and clarity of their data, enabling swift decision-making.

The post The Future of US Privacy Compliance: A Q&A With Jamie Barnard, CEO of Compliant appeared first on AdMonsters.

When it comes to protecting consumer’s privacy, dating apps catch a bad rap. But, not all of it is unwarranted. And when it comes to protecting consumer’s privacy, not all dating apps are created equal.

Dating apps are like nosy neighbors asking users for all of their juicy details to set up their profiles. We’re talking really sensitive data here — race or ethnicity, sexual orientation and gender identity, political and religious points of view, as well as alcohol and drug use or abuse. This data is so sensitive, it’s got its own VIP section under GDPR rules.

Now imagine if all of that information gets shared outside of the app. There’s a lot for users to be worried about when it comes to their freedom and safety.

Remember When Grindr Was Found Violating GDPR?

It was only back in 2020 that Grindr, Tinder, and OkCupid were exposed for sharing personal user information with advertisers and potentially violating GDPR by the Norwegian Consumer Council. Unsurprisingly, some of Grindr’s ad tech partners, like AppNexus, OpenX, and MoPub, were also named by NCC in the government agency’s complaint under the EU’s General Data Protection Regulation. The story ended in late 2023 when Grindr was slapped with a $6 million data-sharing fine. Ouch!

Grindr was busted for sharing GPS location, IP address, the device’s advertising ID, age, and gender, as well as other sensitive data, between July 2018 and April 2020. And, according to Cybernews’ recent analysis, where they looked into the data collection and sharing practices of 10 popular dating apps, Grindr looks like the most data-hungry offender.

Grindr is collecting 23 points of data about its users for various reasons, including app functionality, analytics, and advertising. “It links all of the collected data to user identity and tracks two types of data, namely device ID and advertising data, which it can share with other companies,” according to Cybernews.

Swipe Right for Data: Unpacking What Dating Apps Know About Love Seekers

Apple requires developers to disclose 35 types of data or privacy points their app is collecting, including contact information like name or phone number, financial information like payments or credit, and user location.

Developers have to list out the data that’s tied to users, which means any data that can be traced back to who a person is – think account, device, or something as personal as a phone number.

Every app Cybernews checked out came clean about collecting data that’s linked to identity. But there’s a plot twist: some apps play it coy, saying, ‘Yeah, we gather data, but we don’t tie it to a user.’ Four apps from Cybernews’ list are dancing this delicate dance.

Apple lays down the law here: If devs want to claim they’re not tracking users, they have to strip the data of any identifying signals like a user ID, before they even think about collecting it. And Apple’s guidelines are against app publishers trying to reconnect the dots to a user’s identity after the fact.

Six out of the ten apps in Cybernews’ analysis are collecting data that could potentially track users across other apps and websites, and might even be shared with data brokers. All of these apps are peeking into their users’ photos and videos, and they’re also pretty upfront about gathering sensitive info like sexual orientation.

For example, Cybernews reports, “Badoo users could expect their data across seven categories shared with third parties, including precise location, coarse location, email address, device ID, advertising data, other user contact data, and other data types. Meanwhile, Her app is an outlier on the list in that it tracks most of the data it collects about its users and links it to their identity.”

Hinge, Best Hope For Finding a Valentine?

For privacy-minded consumers, Hinge might be the best choice. It only collects user data across 14 types of data, which the company claims is only used to improve the app’s performance and for marketing purposes. It links most of the collected data to user identity, except for crash and performance data. The app does not track user data.

Tinder, Plenty Of Fish, and Raya also don’t track user data, but some of their data collection practices might still appear questionable to some users.

To read the full analysis, visit Cybernews. 

The post Dating Apps Data Hungry for Consumers’ Valentine Profiles appeared first on AdMonsters.

As we just recently crossed the fifth year anniversary of GDPR, one thing has become clearly evident — regulators will continue their tough stance on violations. I noted as much in my 5 Data Privacy Trends to Watch in 2022 article written for AdMonsters.

Well, just last week, while everyone in ad tech was traversing La Croisette for the Cannes Lions International Festival of Creativity 2023, the French Data Protection Authority (CNIL) levied a hefty fine against global commerce media company, Criteo.

The revised fine of €40M ($44 Million), dates back to complaints filed by None of Your Business (NOYB), an Austria-based nonprofit, and Privacy International in 2018, stating that Criteo did not have a legitimate legal basis for behavioral targeting. CNIL’s initial investigation in 202o found the ad tech company in breach of GDPR, slapping them with a €60M fine. Criteo attests that their actions were not deliberate, nor did they cause any harm. Criteo also argued that the initial fine represented half of its earnings and 3% of its global sales, which is “close to the legal maximum” allowable under GDPR.

I took a deep dive into Criteo’s 40M GDPR fine from the CNIL (one of the highest fines for cookie-related violations). Below are three highlights that jumped out at me:

Proof of Consent Required – Although the collection of consent for cookies was the responsibility of Criteo’s partners, who are in direct contact with their website users, Criteo was still required to verify and be able to demonstrate that these users gave their consent. The CNIL required Criteo to incorporate a new clause on proof of consent in its contracts. Partners must “promptly provide Criteo, upon request and at any time, with proof that the consent of the data subject has been obtained by the partner.” I am interested to see whether the CNIL will come back to Criteo to see if this clause has been exercised. Accountability is the new king. Adtech companies will need a solution for auditing and demonstrating accountability in the U.S. and EU, as regulators in both jurisdictions are no longer willing to allow companies to rely on paper assurances.

Consent Can Be Given and Taken Away – The CNIL alleged that when a person exercised their right to withdraw consent, the process implemented by the company only stopped the display of personalized advertisements to the user; it did not stop all processing activities. Criteo addressed this by putting in place a procedure to allow individuals to exercise their right to withdraw consent directly by clicking the button “Deactivate Criteo Services” in the company’s privacy policy.

Joint Controller Agreements work for Ad Tech – The CNIL did not challenge the joint controller agreements Criteo had in place with partners, but they got dinged for not specifying all of the respective obligations of controllers under the GDPR, such as the exercise by data subjects of their rights, the obligation to notify the supervisory authority and data subjects of a data breach or, if necessary, the carrying out of an impact assessment under Article 35 of the GDPR.

This is a huge fine (2% of turnover), but most of the issues raised seemed solvable to me.

The post A Deep Dive Into Criteo’s 40M GDPR Fine From the CNIL appeared first on AdMonsters.

Data privacy regulations like Europe’s GDPR, California’s CCPA, and now the amended CPRA disrupted businesses as they grappled with the challenge of ensuring compliance. 

To better help the industry comply with the notice and choice obligations required under said new laws, IAB Tech Lab collaborates with industry stakeholders and local trade bodies to support the development of frameworks like IAB Europe’s Transparency and Consent Framework (TCF) and the IAB’s US Privacy Framework. 

However, building distinct technology solutions for every jurisdiction was not sustainable. In September 2022, the IAB Tech Lab first launched the Global Privacy Platform (GPP) and recently closed public comment for the next version of the API.

Understanding the Global Privacy Platform (GPP)

As an industry, we must ensure that we provide the appropriate transparency and choice as required by law. More importantly, we need to consistently communicate user consent and choice preferences, ensuring that all parties can comprehend them properly.

 By doing so, we can handle users’ data in a manner that aligns with their preferences. GPP aims to solve the challenge of creating a common language for everyone in the ecosystem. This solution was developed over several years involving stakeholders from across the ecosystem, including publishers, advertisers, and ad tech vendors.

The key components of the GPP that should be understood are the privacy string and the available string transport mechanisms. These mechanisms include a field in the Regs object in openRTB, parameters and macros for URL-based services, and a standard API. It is the API portion of the GPP that the IAB Tech Lab is updating, but more on that later.

The GPP string can carry privacy signals for any supported jurisdiction. It currently supports privacy signals for Europe’s GDPR, Canada, and five states in the US that have privacy laws (California, Virginia, Utah, Colorado, and Connecticut). Notably, the GPP is extensible and goes beyond just supporting jurisdiction and also allows support for other industry signals, such as the Global Privacy Control (GPC).

Exploring GPP API v1.1

Delving into the specifics of the update, it’s important to understand what remains unchanged. The GPP string, a core component of the protocol, will stay as is. There are also no updates to how the GPP string is passed in openRTB and using the defined macros and parameters. Let’s dig into the changes in the GPP API.

The primary changes to the API were born from industry feedback that it needed to better support callers of the API who operate within an iframe on a web page. Version 1.1 of the API includes callback support for all commands. This allows vendors who work within an iframe to use all the available commands that the API supports rather than just a subset.

In addition to adding callback support, version 1.1 of the API includes updates to status codes. While this may sound insignificant, on the surface, it is vital for callers of the API. There are additional explanations for several of the existing status codes. Still, the most important of the updates is the addition of a new event called signalStatus with potential values of “ready” or “not ready.” This new event adds a lot of clarity to when a GPP string, the representation of the user’s consent and choice preferences, is ready to be used. This will reduce the potential for confusion or misrepresentation.

 To reduce the number of calls needed to extract the appropriate information, version 1.1 of the API includes several optimizations to the objects returned by the API. These optimizations also help with reducing the complexity of vendor scripts.

Details are available here for those looking to dive deeper into the specifics of the updates included in version 1.1.

Implications of the Update on GPP Implementers

All stakeholders, including publishers, advertisers, and consent management platforms (CMPs), along with any vendors utilizing the API for GPP string retrieval, are urged to support the new version of the API which was finalized earlier this month. The enhancements are designed to better infer the privacy signals and enrich interactions with the API. For those vendors that aren’t interacting with the API and instead rely on fetching GPP strings via openRTB or URL macros, there’s no need for any changes. You are unaffected by this update.

As privacy regulation continues to evolve, so will the Global Privacy Platform. The GPP is ready to adapt and evolve to meet the needs of a global privacy landscape that shows no signs of standing still.

The post What Is the Global Privacy Platform (GPP) API v1.1? appeared first on AdMonsters.

One of the biggest changes in this area is that first-party data is given freely by online users, often in exchange for some sort of direct user benefit like a better experience online. 

As advertisers and publishers ask more users for their information online, a crucial part of the exchange is trust; consumers want to know that the data they are offering will only be used in the way they have authorized.

During AdMonsters’ March 29 webinar, “Consent-Based Advertising: How You Can Automatically Build Audience Trust,” OneTrust’s Strategic Solutions Engineer, Arshdeep Sood, explained why trust is crucial to building a relationship with your audience, how to keep abreast of the changes in privacy regulations, and why first-party data is nothing to be concerned about. 

Trust in the Digital Age

As the digital world evolves, concerns surrounding privacy are oftentimes the most stressful. To go beyond third-party cookies and understand your audience so that you can provide the best value data output, it all boils down to trust. 

“The last decade was all about transformation,” says Sood. The fast-paced world of data has required innovation in ways that sometimes seemed impossible, with the aim of providing better customer experiences, improving efficiencies, creating sustainable practices, and of course, staying in business. 

Sood asks, “What are we doing to protect the data that we have access to? Are we ensuring equity and inclusivity and even diversity across our business practices? And are we truly creating a culture of high ethical standards across the board?” All of these questions are about creating trust. 

Customers have trust expectations for companies they spend money with. Sood notes Adobe reported in 2022 that 69 percent of consumers stated they would stop doing business with a company that uses their data without permission. 

Add to this rules and regulations that vary from state to state and it can be difficult to navigate the changing landscape while maintaining and building upon user trust. This requires a change in mindset, Sood explains. 

[To view the full webinar, watch the video above.]

Building Trust Does Matter 

Users who trust a company are more likely to allow their data to be used in innovative ways, pay a premium for that company’s products and services, and maintain purchasing loyalty over time. Since it impacts your bottom line, trust is something you need to maintain a competitive advantage. 

Apple is working on building this trust with its latest update to iOS, which notifies the user of apps on their phone that are collecting data and tracking the user. This “App Tracking Transparency” prompt prohibits apps access to this data without first notifying the user. 

Sood notes that for these apps, building trust with the user can look like getting consent and even possibly discussing the value exchange and why access to this data is important. Also, use your Apple Privacy Nutrition Labels wisely. Employees working in compliance should collaborate with team members across development and marketing and advertising to ensure that you have the right strategy in place, she says. 

Competitive Advantage: Keeping up with Privacy Regulations

“In the face of new regulations, agility is going to be your competitive advantage to build that trust with the customer,” notes Sood. Rather than responding to new privacy law changes at the moment, she advises what will set programs apart is their ability to anticipate requirements of upcoming legislation and avoid the pain of last-minute changes. 

It is expected that by the end of 2023, 75 percent of the world will be affected by one of the recent privacy regulations, and more privacy regulations are actively coming down the pipeline all over the United States. Sood recommends working toward a strategy to deal with these changes in regulations as soon as possible. 

She adds that the job should be a team effort. “The privacy team is responsible to help you build business continuity to really enable marketing to have a very compliant risk-mitigated experience, but at the same time marketing and data teams are responsible for the end user journey.”

Last, Sood explains that privacy risk is a brand risk. The penalty for not adhering to privacy standards will not only be monetary, it will also affect your brand’s reputation because anything that happens within your company to affect consumer rights will be publicly accessible. 

Just like in personal relationships, you need to be clear about how you are using a person’s data, and if the use changes, you are responsible for informing them. You want this relationship to last long term, so make your users feel valued and like they own the data, she advises. 

Some Acronyms You Need to Know

TCF & GDPR: When we think about this process, several acronyms come to mind, says Sood, one of which is TCF, Transparency and Consent Framework. A TCF banner is concerned with providing the right notification and collecting the right type of consent and an affirmative opt-in from users to align with GDPR (General Data Protection Regulation) requirements. However, these regulations are evolving and there is currently legislation surrounding these privacy measures and how they will ultimately be used. 

Sood explains it is crucial to keep abreast of these rulings to be prepared for any necessary changes that are on the horizon. OneTrust keeps a log of these changes to help its partners know of important updates. 

GPP & MSPA: Another big piece of the puzzle is the GPP, Global Privacy Platform. This aligns with the MSPA, which is the Multi-state Privacy Agreement across all the different states, Sood notes. To simplify all these varying rules and regulations, she says, “With the GPP, the idea is you can make sure that one singular signal directs a specific consent model and data point to the ad text providers downstream to ensure that you’re aligning with regulations and also [doing so] in the best possible fashion.”

The MSPA assumes a user is a resident of each state, which means it defaults to the highest possible national standard for privacy. 

What this all boils down to essentially is that from an advertiser’s perspective, it is imperative to look out for the GPP signals. Explains Sood, “You want to sign up for MSP and prepare yourselves to honor the signals, because you’re going to expect it coming downstream, and you will want to decode it and decide how you operate.” This is similar for publishers – these signals will ensure the regulations are being met, and pass along this information to vendor partners. 

“That’s why publishers, advertisers, and vendors, you really need to work in tandem to ensure that everybody’s listening to the same things, and CMP providers like OneTrust, we’re the ones who will be helping you generate that GPP and sending it downstream,” Sood shares. In fact, Sood says, the GPP platform is already in use, helping OneTrust’s customers.

Don’t Be Intimidated by First-Party Data

The future of data will phase out third-party cookies in favor of first-party data capture, meaning companies will need to build a first-party data capture focusing on consent. To do this effectively, Sood says companies need to evolve from a tick box compliance system into a powerful consent strategy that will transform the user’s experience holistically. 

Many consumers are looking for value in their online experience, meaning that rather than being something to worry about, the dissolution of third-party cookies should be seen as an opportunity to build a relationship with consumers. You will want to advertise to them, but also re-target and re-market to keep them coming back. 

“To do that you want to deliver timely offers, have customer service available to the user, if they bought your product and you want them as a returning user. You want to target new relevant content to the user and also provide any customer recommendations,” such as content that is on theme with what they previously bought, Sood says. 

Consent, says Sood, is here to help your marketing strategies. It’s a way to give users unique choices and the opportunity to tell you about what they want so you can make sure you are offering that to them. It allows you to truly personalize the user experience. 

When you give users content that is relevant to who they are, they are more likely to want to know more. You can build this into your interface, so they can offer this information to you directly. This information can be fed downstream, to relevant places like apps, data warehouses, and email marketing systems. 

“And this really circles everything together for us in this webinar today. We started out by discussing how technology, privacy, and consumers are dictating this change … It’s important for you to understand that until the user gives you consent, you will not be able to process the best possible dataset or build new datasets for yourself. And so, complying with these [regulations and] getting the right interfaces out there and leveraging that for users opt-in to activate your ecosystem and help you retarget is going to be instrumental,” Sood explains.

The post Webinar Replay: Consumer Consent & Trust Are Competitive Advantages appeared first on AdMonsters.

Last week the Connecticut House of Representatives and Connecticut Senate joined forces to pass the Connecticut Data Privacy Act (CTDPA). The legislation, also known as Senate Bill 6 (SB6), awaits Governor Ned Lamont’s signature to make everything 100% official. The bill is expected to take effect on July 1, 2023. 

The CTDPA mirrors recently instilled state privacy laws, allowing consumers to opt-out of data sales, targeted ads, and profiling decisions that “produce legal or similarly significant effects concerning the consumer.” This new provision will also include protection for minors and biometric data.

I know your next question is, what types of pubs would this apply to?

• Pubs that do business in CT or produce products or services targeted at residents
• Pubs that control or process consumer data of at least 100,000 people a year or gain over 25% of gross revenue from the “sale” of personal data and control or process the data of at least 25,000 people a year.

The consumer side of me says, “Way to go!” Yet, the ad tech side is thinking, “Darn.” Each new state privacy law only adds more and more hoops for pubs to jump through.

Get in the Know About CTDPA

If you are wondering what aspect of “consumer data” will be guarded by CTDPA, it is the information connected to an identified person. This does not include any information about someone that is public or considered de-identified data.

This is the second stab at a privacy law by the “Constitution State,” remember, Connecticut tried it last year and failed. This go-round, the bill is coming on strong and will even include the “right to cure” clause giving pubs some time to do some damage control before getting hit with a lawsuit. If you are caught violating the rules? Forget about it. There will be no time at that point to fix the infraction, and you may even get accused of “soliciting user consent.”

Pubs have a 60-day fix-it period to figure out reported violations until December 21, 2024. Starting January 1, 2025, the CTDPA will only grant a cure period if the Connecticut Attorney General sees fit, so be careful.

With the CTDPA opt-in consent for sensitive data is a must. Racial origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, sexual history, immigration status, genetic or biometric data, children’s data, and geolocation data are all included.

Speaking of children, pubs will have to get opt-in consent from consumers under the age of 16 before using their data to target ads or monetize. You have to keep the kids first because when it comes to the Children’s Online Privacy Protection Act, you don’t want any problems.

Like privacy laws in Colorado and Virginia, CT consumers will have the authority to appeal a denial of a consumer request.

How Will CTDPA Affect the Advertising Ecosystem?

At the rate things are going, pubs will continue to be stuck in a cycle of scrambling to find new ways to identify consumers. While these state privacy laws are seemingly a step in the right direction for consumers, they sometimes create extra work for pubs and outsourcing vendors.

Many publishers feel they may go bald before Federal privacy legislation sees the light of day, but President Biden has been making baby steps in that direction after discovering a recent “national experiment” by big tech that utilized children’s data.

Potus said, “It’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children.”

Whether it is a child or your great-great-grandma, pubs will continue to have to dip and dive through many loopholes when it comes to targeted ads and addressability because those violation consequences ain’t pretty.

The post What Is CTDPA? appeared first on AdMonsters.

Guess what? Preparing for privacy regulations, along with the death of the third-party cookie (and other identifiers used to target individuals and measure advertising) is still a colossal challenge.

So, what’s coming to the data and privacy landscape in 2022? Expect more state-led privacy legislation coming to the table, GDPR to kick it up a notch while privacy spans global, privacy ad tech to get a lot of shine, cookieless solutions to face the music, and global privacy controls to gain traction. Real-time bidding they’re coming for you.

5 Data Privacy Trends for 2022

The State Privacy Party Will Continue

There will be no federal privacy law this year. Instead, the “patchwork” of state privacy laws will continue. In addition to Colorado, Virginia, and California, I expect two-three more states to pass privacy laws this session. It’s not clear which states will go, but there will be more states to contend with by the end of 2022.

This is going to require companies to create (if they haven’t already) comprehensive privacy programs that allow them to understand what data they collect, where it sits, how they use it, who they share it with, and the value of that data.  This is not a one-time exercise, it will require ongoing maintenance.

This is the foundation that will help companies layer on additional privacy requirements as they come in, instead of scrambling and starting from old information each time there is a new law/obligation.  This exercise impacts legal, IT, procurement/sourcing, and the sales and marketing teams. The days when privacy was a problem for legal or compliance to deal with are over.

Privacy Goes Global

There is a lot of conversation about state privacy laws and the lack of federal privacy legislation, but outside of the U.S., we are seeing privacy go global. In the EU, I expect to see the enforcement of the GDPR and e-Privacy continue to escalate. After a few “quiet” years with a small number of fines, the cases filed with the various data protection authorities have worked their way through the system and the increase in fines reported in 2021 will likely continue. I expect there to be a focus on the use of cookies and the practice of programmatic advertising and real-time bidding.

Both the ICO in the UK and CNIL in France investigated this practice in 2019 and 2022 may be the year that they start to enforce the warnings previously given. Outside of the EU, Canada and Australia are updating their privacy laws, India is considering a new privacy law, China will be enforcing the law it passed last year, and Saudi Arabia (among other countries) passed a privacy law last year.

I expect to see the trend of increased privacy regulation and enforcement around the globe continue.  Companies will need to navigate much more than the U.S. privacy landscape if they really want to work on a global scale (see prediction #1 about the need for a privacy program).

Privacy Tech Will Take Center Stage

As regulators, consumers, and the big platforms continue to put pressure on business models that rely on the sharing of personal information, companies will turn to technology to help them achieve their business goals.  In 2021 we saw the rise of privacy-enhancing technologies – in 2022 they will take center stage.

Techniques like differential privacy and homomorphic encryption, along with solutions that involve synthetic data, will gain in popularity as sharing personal information continues to be stymied by privacy-related restrictions. Clean rooms will stay in the mix as a privacy-forward solution. Companies should expect to see more of these solutions being marketed in their inboxes and will need to understand the technology and its implications as they decide which to add to their tech stack.

Post-cookie Solutions Will Be Put to the Test

At the top of 2022, we are still anxiously awaiting news on the proposed regulations under the CPRA. The head of the CPPA, the agency writing those rules, has signaled some skepticism about e-mail based identifiers. That doesn’t mean they won’t survive, but they may be subject to the same restrictions currently placed on cookie IDs and similar identifiers.

Global Privacy Controls Will Gain Traction

I am using the lowercase here because I don’t know if uppercase GPC is the final word on what a global control looks like and I think there are still too many open questions about its implementation. That said, I think there is a real concern with how consumer choice is provided – regulators don’t like the idea that consumers have to navigate the privacy practices of each website they visit in order to exercise those choices (and neither do consumers).

My hope is that we have more dialogue on how a “gpc” should function and some standard setting for the signals sent.  First, we need to understand what exactly are consumers opting out of?

Each state has a different definition and slightly different approaches to what activities a consumer should be able to opt-out of – how can there be a “global” tool when there aren’t global definitions?

Second, there hasn’t been enough alignment on the logistics — how will platforms receive the opt-out signal, what is the impact on offline activities, how should browsers communicate the potential limitations, and how can we allow consumers to make individual choices for companies they have a relationship with.  I hope to see some of these questions answered before we see significant enforcement of unclear expectations.

The post 5 Data Privacy Trends to Watch in 2022 appeared first on AdMonsters.