In 2018, Joe Jones was an associate at the London office of US-based law firm Covington & Burling working primarily on intellectual property cases.
Around that time, some of the firm’s clients, including large technology and media companies, started to have questions about a new privacy law everyone was talking about.
“It was a bit like, ‘There’s this thing called the GDPR, and we’re not sure if it’s actually got legs, but we wouldn’t mind getting some early advice on it,’” said Joe Jones, who joined the International Association of Privacy Professionals (IAPP) in January as director of research and insights.
Turns out, the GDPR did, in fact, have legs, and Jones became increasingly entrenched in the world of data privacy. Jones was on the team that represented Microsoft during the Schrems I case in 2019, which resulted in the European Court of Justice invalidating the EU-US Safe Harbor agreement.
“And that was the end of intellectual property for me,” Jones said. “It became all about data privacy and the GDPR.”
Before joining IAPP, Jones spent three years in different roles within the UK government, including with the Department for Digital, Culture, Media and Sport as deputy director of international data transfers and head of data adequacy. (Data adequacy is the status that the European Commission gives to countries outside the EU that offer comparable levels of privacy protection to those provided under European law.)
Now, Jones said, he’s “keen to get closer to issues related to ad tech.”
“This year,” he said, “is going to be a big one for the ad tech industry from a privacy perspective.”
Jones spoke with AdExchanger.
AdExchanger: A big part of your job is keeping privacy professionals up to date on data protection developments around the world … of which there is no lack. What’s top of mind for you?
JOE JONES: Well, it’s really about demystification. All of these issues are getting more complex, both substantively and technically. But they’re also getting more politicized and sensationalized, which can make it hard to cut through and understand what a given development actually means and what people need to do.
A really good case in point is the Irish decision against Meta early this year over bundling consent for ad targeting into their terms and conditions.
There’s now a whole community of people saying loudly, “Well, consent is the only option” or “this is the end of personalized advertising and we’re going to have to go back to contextual ads.”
But it’s important to understand the nuance and to hear a spectrum of voices and perspectives.
Are we reaching a point, though, where consent will be the only unassailable option – or legal basis, to use a GDPR term – for companies to do personalized advertising?
I don’t think we’re close to being there yet. And the regulators are actually being quite careful in what they say.
Back to the Meta case in Ireland, regulators criticized the lack of transparency but they didn’t say you can’t use a contract as a legal basis. It’s just that the contract has to be clear.
And then there’s legitimate interest [as a legal basis for personalized advertising]. We know regulators aren’t keen on it, but they haven’t ruled it out.
So, it’s premature to say now that consent is the only option. It’s possible we might end up there, but it’s going to take time. It’s going to have to go through the courts, and there will be multiple appeals.
If companies do eventually need to get consent for personalized ads, though, that’s going to be huge.
Huge because opt-in rates typically … aren’t so huge?
Precisely. The attrition rate when companies ask for consent can be very high, and then you lose the ability to target those people on your service with personalized advertising.
No doubt we’re going to start seeing more vendors emerging that say they can help boost consent rates.
Join the club, right? The privacy tech space is exploding in general.
It really is getting very hot and it’s going to continue growing. We run an annual report that tracks this space, and the most recent one shows a 777% increase from 2017 in the number of privacy tech vendors.
It must be hard for companies to know which ones are legit. Personally, I’m pitched by an increasing number of privacy tech vendors that want me to write about them, and one red flag for me is when they casually make a blanket statement like, “We’re 100% GDPR compliant” or “100% COPPA compliant.”
I’m with you. I’ve always been very cynical of any organization that says they’re 100% compliant with any law.
As the universe of companies that process personal data becomes more and more sophisticated, it’s becoming more difficult to even articulate exactly what a business does, let alone match that up against a specific regulation. And new questions are arising all the time.
What sort of questions?
For example, how do you remove data from a system?
Say someone retracts their opt-in and exercises their right to delete their personal data, but it’s already been fed into an algorithm. Can machines really unlearn everything they’ve learned?
There will need to be more clarity about what happens when people opt out. As in, what are you opting out of? Are you opting out of all future processing or will the company in question need to strip out that person’s data going all the way back to the very beginning?
If it’s the latter, not many data processing systems have been built to be able to do that.
This interview has been edited and condensed.
For more articles featuring Joe Jones, click here.
