Rather than rounding up the obvious online privacy trends of 2023, let’s dive into the weeds.
Because we’ve spent enough time and spilled more than enough ink this year talking and writing about Big Tech privacy fines, enforcement actions and the unutterably slow phaseout of third-party cookies in Chrome.
That said, this article would be remiss if it didn’t at least mention big news last week from the Federal Trade Commission, which proposed changes to the Children’s Online Privacy Protection Act (COPPA), that would make it harder for tech companies to collect and monetize children’s data.
This long-awaited proposal is, in the words of New York Times reporter Natasha Singer, “one of the most significant attempts by the US government to strengthen consumer privacy in more than a decade.”
The COPPA Rule was last updated in 2013 – which might as well be a century ago in internet years. TikTok didn’t exist in 2013. Even Musical.ly, TikTok’s precursor, didn’t exist yet. Clearly, a COPPA update is long overdue.
The public now has until mid-February to file comments on the proposal with the FTC. (Read the draft here, if you are so inclined.) After that, the FTC will review any comments it receives before taking next steps.
And so, in the meantime, here are five of AdExchanger’s top ad-tech-flavored data privacy stories of the year.
Wait for it … (or not)
This super-technical deep dive on the inner workings (and consent failures) of PubMatic’s identity management tool was our most-trafficked privacy story of the year.
In a nutshell: PubMatic’s Identity Hub was found to have set its consent timer too low by default – a fraction of a second in length – meaning that, although there was an opt-in mechanism in place, there wasn’t enough time to actually collect consent. This put publishers using the tool in danger of GDPR violations.
Major h/t to Mike O’Sullivan and Ian Meyers of Sincera for the discovery.
The Sincera team also noticed that, separately, PubMatic was observing Prebid API activity and replacing the identifiers sent to DSPs in the main wrapper on the fly with IDs pulled from Identity Hub.
Why should publishers care about this? Because you can’t be too careful.
As O’Sullivan put it: “I’m partial to the phrase ‘Be distrustful by design.’ That means do your own checks – on everything.”
- Read it: PubMatic Code Didn’t Wait For User Consent: Why Publishers Need To ‘Be Distrustful By Design’
- Go deeper: The Big Story: Wait For Consent 🎙️
(AddThis) SubtractThat
Oracle bought social sharing and content recommendation widget AddThis for $200 million in 2016 – back when Oracle still had big ambitions for its Data Cloud business.
Those aspirations fizzled in the face of privacy regulations. In 2019, Oracle stopped using unconsented AddThis data from Europe in third-party audience segments in an effort to comply with GDPR. But European publishers could still use AddThis tools, including social bookmarking, for free.
Four years later, however, Oracle shut down its AddThis business for good globally, which was inevitable. If Oracle couldn’t access third-party data from publishers through AddThis, there was no point in maintaining the service.
Especially considering the regulatory risks, the juice was simply no longer worth the squeeze.
- Read it: Oracle To Shut Down AddThis – Completely This Time
- Go deeper: Oracle Does Not Have Detailed Profiles On ‘5 Billion’ People
From ad tech to privacy tech
Over the past couple of years, numerous privacy tech startups have cropped up founded by programmatic veterans who cut their teeth in ad tech.
Guess if you want to know where the bodies are buried, you might as well ask the people who buried them.
Or, as Senior Editor James Hercher puts it in his piece profiling four of these new companies (Coir, lockr, Licorice and Qonsent): “If programmatic ad tech was a canary in the coal mine for how data privacy would affect the online advertising industry, then some of the canaries have escaped and are creating businesses to help coal mine operators do better.”
- Read it: Programmatic Vets Are Behind A Wave Of New Startups Built For A Privacy-First Web
- Go deeper: The Big Story: Meet The Ad Tech Vets Going Into Privacy Tech 🎙️
Elephant in the clean room
Data clean rooms have become one of the buzziest technologies in ad tech – but they’re not the perfect solution to every privacy problem.
The promise of secure data collaboration is real, but putting data into a clean room doesn’t automatically make it consented or compliant. Also, not all data clean rooms provide the same level of security and encryption.
In short, as InfoSum’s VP of product marketing noted at an IAB Tech Lab Rearc privacy event in New York City earlier this year, advertisers should do their own due diligence before selecting a clean room partner.
Because if a platform doesn’t live up to its security promises and private data is exposed, linked or enriched by another data set, “you can’t walk that back,” DeBlasio said.
- Read it: Fun Fact About Clean Rooms: Data Security Isn’t A Given
- Go deeper: An Overview Of Post-Cookie Collaboration Tools – And Their Shortcomings
In a state
There are now 12 – count ’em 12 – US states that have passed their own data privacy laws.
California, Colorado, Connecticut, Utah and Virginia already enforce their laws. Montana, Oregon and Texas privacy laws go into effect next year, followed by Delaware, Iowa and Tennessee in 2025. Indiana’s state privacy law comes into effect in 2026.
(And that’s not to mention the states with active privacy bills in the works right now: Maine, Massachusetts, Michigan, Missouri, New Hampshire, New Jersey, North Carolina, Ohio, Pennsylvania and Wisconsin.)
To help ad industry stakeholders comply with this evolving legal landscape, the IAB launched its multistate privacy agreement (MSPA) in 2022. The MSPA is a so-called “springing contract” that creates a contractual relationship between signatories so they can (theoretically, at least) comply with multiple state laws as data flows through the supply chain across different jurisdictions.
As Associate Editor Anthony Vargas puts it in his piece explaining how the MSPA works for publishers: “The goal is to obey the law while maintaining as much of the digital advertising status quo as possible.”
