At the heart of the whole privacy discussion is the question, “Why is the information (data) tracked in the first place?” Proponents say that publishers and other content providers can deliver more relevant content and advertising if they know more about their users’ desires, likes and dislikes (ie. targeted advertising). The more that users find their favorite content on sites, the more likely it is that they will remain on those sites to enjoy and engage with the content, purchase more through that site, and come back repeatedly. The value of personal data has increased because of its importance in steering our digital economy.
In our connected digital world, even more post-pandemic, we all can't seem to live without our connections through and to: Internet services, search engines, social media and apps. Most of us prefer when something feels like it is cost-free, so our own personal data has become the currency that pays for those services. Those who own and control the data have powerful information that can influence or manage the marketplace.
Here are some of the events that have been heating up during 2021.
Truth be told, if there were never concerns about the who, what, why, and how that information was handled, data privacy regulations would not exist today. However, many of the industry giants that bring us those great services and also collect our personal data, have been called out for less-than-admirable activities surrounding the misuse, loss or careless use of user data. Additionally, there are bad actors who profit from the sale of user data they track for criminal purposes. A 2021 poll by The Washington Post found that: Americans widely distrust the leading media giants’ handling of their personal data: Facebook 72 percent distrust, TikTok and Instagram more than 60 percent distrust, What’sApp and YouTube more than 50 percent distrust, Google, Microsoft, Apple and Amazon more than 40 percent distrust. While many Americans use social media, and most use Facebook, 64 percent say the government should do more to rein in big tech companies, a drastic increase from the 38 percent who felt that way in 2012. KPMG Advisory’s 2021 study “Bridging the consumer trust gap” revealed that of the business leaders surveyed, 70 percent say their company increased collection of consumer personal data during 2021, 62 percent say their company should strengthen data protection, and 33 percent say that consumers should be concerned about how their company uses the data. In the same KPMG survey, more than 44 percent of consumers disapproved of companies tracking their search behavior to make product recommendations (i.e. targeted advertising); and, 86% of American consumers say data privacy is a growing concern for them.
A January 28, 2022 AdExchanger article reported that US FTC Commissioner Noah Phillips said that we have seen a rebranding of what the industry used to call “targeted advertising” to what is now referred to as “surveillance advertising” in conversation with Julie Brill, Microsoft’s chief privacy officer and a past FTC commissioner herself, during a LinkedIn hosted virtual event. Phillips expressed that it is the same business behavior, but is now tagged with a pejorative term. The negative term was attributed to the increase in tracking activities over the past few years combined with increased consumer awareness of the tracking activities.
The collection of information about users, who has permission to gather and process the personal information, how much and what information is tracked, and the uses or purposes of that data collection, processing, sharing or selling, are the core reasons why privacy regulations like the GDPR and CCPA exist in the first place.
European regulators have issued more than €1.5 billion (equivalent to $1.7 billion) in privacy violation fines since the GDPR went into effect in May 2018, according to data from the EnforcementTracker.com. During 2021 we recognized a significant increase in the enforcement of privacy regulations by European regulatory authorities with total 2021 fines exceeding $1.4 billion, accounting for nearly 80% of the total of all GDPR fines. As we discussed in our In the Crosshairs 9/27/21 blog post, a series of huge fines were assessed on big players, like Google as well as including publishers like Le Figaro for violations of the GDPR or other privacy regulations. Before the end of 2021, the Conseil d'État (French Council of State) upheld the jurisdiction of the French CNIL for imposing the €100 million fine on Google in December 2020. And more recently, on December 31, 2021, the CNIL fined Facebook €60 million for making it more difficult for the social network giant’s users to refuse tracking cookies than to accept them, thereby refocusing the issue on what Confiant previously described as Dark Patterns in our 8/27/2021 blog post. Not coincidentally, on December 31, 2021, the CNIL fined Google €150 million for similar violations of the GDPR on Google search and YouTube. Regulators have been levying larger penalties on platforms and publishers wherever GDPR regulations are not obeyed.
Representatives in the US Congress introduced the Banning Surveillance Advertising Act of 2022. If approved as US regulatory law, it may create wider-reaching national regulations that control, contain, or totally ban personal information tracking in advertising in the US. But until there are unifying laws, we can expect a patchwork of regulations throughout the U.S. states, in Canadian provinces like Quebec (which has separate privacy regulations from the Canadian government), and in Europe where the UK has its own version of the GDPR, after Brexit split the UK from the EU. Changing regulations will continue to add complexity and confusion for many in the ad tech ecosystem as regulations evolve. Privacy violations or perceived violations may interfere with first party data collection as well. Facebook has a history of repeated privacy violations on its platform including, the FTC’s historic $5 billion fine for mishandling users’ personal data in 2019. That decision also mandated a significant set of requirements designed to boost accountability, transparency, and the ability of the FTC to audit Facebook’s user privacy compliance. Since that point, Facebook has changed its user privacy settings from decentralized under several categories, to centralized in one section of the platform, and then back again to decentralized, confusing and confounding users as noted in an August 4, 2021 TechCrunch article.
Yet, some small to mid-sized publishers may still believe that they are not in the crosshairs of regulators yet, or they are taking a wait-and-see approach on further investment in GDPR and CCPA compliance. That’s because they haven’t seen many examples of large penalties for publishers of similar size and scale as themselves, instead of just seeing examples of industry giants' penalties. For example some publishers that are included in CCPA are excluded under CPRA regulations (annual prior year gross revenue over $25 million; buys, sells, or shares 100,000 or more consumers’ or households’ data - doubling that of the CCPA; or derives 50 percent or more of annual revenue from selling or sharing consumers’ personal information). Those differences may tempt some to delay until January 1, 2023 when the CPRA takes effect. However, those differences won’t help publishers avoid penalties if they are out of compliance when regulators shift their focus to smaller targets. Ad tech's confusion over privacy regulations hasn't deterred enforcement from issuing fines, nor the courts from upholding those penalties.
Even the European IAB’s Transparency Consent Framework (TCF), which was introduced in May 2018 and has been widely adopted as the standard data framework for those in the advertising ecosystem to voluntarily share consent information to stay in compliance with privacy regulations, has been under fire recently. The Belgian Data Protection Agency (DPA) has determined that the TCF failed to meet the legal requirements of data protection specified under GDPR standards regarding the sharing of personal information. That decision has since been upheld to date. IAB Europe recently stated that they will appeal the ruling, claiming that they do not act as a joint controller for profiling and other data processing done by TCF vendors in the context of OpenRTB. In addition, as noted in our Ad Tech Vendor Caught Tampering blog post January 19, 2022 the TCF signal itself is not inherently secure, leaving it open to accidental as well as intentional tampering.
View/download Confiant's Privacy Infographic.
Interested in a free trial of Confiant's Privacy Solution? Request a free trial