How changes to tracking will affect the online world [Q&A]
The Identifier for Advertisers (IDFA) is a random device identifier assigned to a user's device which advertisers use to track data so they can deliver customized advertising.
But Apple is about to replace the iOS IDFA tracking system in iOS 14 with a new App Tracking Transparency (ATT) feature which will allow iPhone users to opt out of tracking on third-party apps and sites. This, plus Google's crackdown on third-party cookies, means privacy is a hot topic currently -- and all signs point to even more shifts in the coming year.
We spoke to Alan Chapell, founding partner of Chapell and Associates, a law firm focusing on privacy for tech companies, along with Jonathan Harrop, senior director, global marketing and communications, of the mobile advertising network AdColony to find out what the impact will be on mobile advertisers and publishers. We asked Alan and Jonathan about how Apple may be paving the way for an 'opt-in' culture, the case against alternative tracking, and the chances of a federal privacy law being passed sooner rather than later.
BN: Which identity solutions look promising as we move toward the post-third-party cookie, post-ATT age?
JH: Targeting used to be art -- it was all about choosing the right context. But for the past 15 years, it's been a science of precise IDs. Advertisers who embrace a hybrid approach of contextual audiences (the art) informed by the audience signals from known users (the science) will succeed, but everyone has to understand the term audience doesn’t mean what it once did.
Audience is not device IDs. It's not about tracking individuals across their digital journeys or spreadsheets and data-based decision-making, though those can certainly assist with media buying. Advertising will become more of an art, and solutions that can match advertisers with the right 'tribe' will be the ones that persist.
AC: JH raises an interesting set of questions. There’s a lot of discussion around identity, but mostly, it’s in an ad targeting context. What sometimes gets lost in those discussions is that you need a way to maintain state -- even if you’re 'just' doing attribution or reporting on ad delivery.
BN: What is 'alternative tracking'? Don't new forms of tracking just compromise the privacy consumers are only beginning to attain?
JH: Apple has made it clear that the ATT prompt is a one-and-done request for tracking. Any company or organization saying they have a way around it is either betting their entire business (and then yours!) on being smarter than Apple or selling snake oil. Are you smarter than Apple? Facebook and Google decided they weren't.
Apple's core philosophy around tracking and the prompt is that if a user does not opt in, you cannot track them. The end. No email, no fingerprinting, nothing. The default is 'off' and unless the user says yes, you can’t do anything. Google and Facebook, of course, had a different philosophy -- if you don’t tell us 'no', it’s an automatic yes.
The jury's still out on the solution being floated by a consortium of Chinese companies (the CAID) and how Apple will respond to that challenge to its rules, but at least that proposal is transparent in its goals compared to some of the euphemisms used by major players in Europe and the US.
BN: So is Apple essentially creating an opt-in culture? Can we expect other companies to continue to follow suit?
AC: One big question is whether the US stays as primarily an opt-out regime (i.e. where companies can collect most types of data until a consumer tells them to stop). The opt-out approach in the US is different from places like the European Union, which favors an opt-in standard (i.e. where companies must ask permission before collecting data).
The adtech world has remained subject to an opt-out standard for targeted ads in most places. One reason for that? Adtech companies process pseudonymous data which has a lower level of sensitivity than an email address or a social security number.
Apple is pushing an opt-in standard for multiple reasons -- some privacy-centric and some self-serving. Between Apple and everything going on in the browser world right now concerning third-party cookies, adtech companies should move toward an opt-in model for targeted ads based on cross-context data collection.
Having said that, I don't think opt-in consent is the panacea that it's being made out to be. Relying on opt-in consent creates a set of perverse incentives for businesses -- that once you've obtained consent to collect one piece of data, you might as well get consent for as many pieces of data as possible.
I'd like to see privacy rules (e.g. laws, codes of conduct, etc.) adopt a more sensible approach that encourages data minimization and recognizes that there are limits to the scope of consent obtained. Can any human manifest consent to the variety of activities that Google engages in concerning data? I don't know -- but that should be part of the equation when thinking about establishing privacy rules. And that's one of the reasons why telcos and ISPs are so heavily regulated in terms of privacy. But if you're talking about creating a consistent set of privacy rules, you need to have a good reason for treating telcos differently from other huge companies.
BN: When can the US expect a federal privacy law?
AC: I don't think we're going to see one this year. I give it a 10 percent chance, maybe 20 percent at a stretch for next year. By 2022 I'd put it at 50 percent that a federal privacy law gets serious discussion and/or possibly enacted.
It's less about stagnation within Congress and more about other priorities. I'm not claiming privacy isn't a priority of the Biden administration, but there's a pretty long list of priorities right now. And I just don’t know if it’s something that they will get to.
In the meantime, I think the interesting narrative to look at concerning a federal privacy law is what the states are doing. We're seeing states take up a lot of leadership on privacy laws: Virginia, Utah, Texas, Washington, New York in addition to California.
What may ultimately push for a federal privacy law sooner rather than later is state action. I remember back in 2003 there was a California email law that scared the heck out of the business community. And when that law (and a few other state email laws) were passed, it put significant pressure on Congress to create something that would preempt the patchwork of state laws. And that pressure resulted in the creation of the CAN-SPAM Act.
In other words, if you see more than a handful of states pass their own privacy laws, I think the chances of federal law in 2021 go up significantly. And if those state laws contain a private right of action and/or require opt-in for non-sensitive data, the chances of federal privacy law in 2021 tend to increase.
BN: What would a federal privacy law do to state laws? And what will this mean for most companies?
JH: A national-level law would by design supplant state laws, which would make it easier for everyone to comply with it. It's easier for those on the tech and developer side, and the industry as a whole, to follow one piece of legislation.
If you're a believer in user privacy, as I am, then you know it's better for Americans to have one law versus 25-50 individual state laws.
This is not to say that state-level privacy laws won't exist. Some states have different ages for driving, for instance. So there could be some that are more strict than even federal law. (Note, too, that any national law would probably hold up better in court than state-level law thanks to the Interstate Commerce Clause.)
From a corporate standpoint, whatever federal privacy law does get enacted will likely be less of a burden to comply with than what we've already been through with GDPR. The slew of actions GDPR put in motion and the actual tasks and processes that companies began doing because of it now serve us. If you're GDPR-compliant, generally speaking, that will be sufficient.
Any law on a state level will be less restrictive than GDPR, too, but it may have other implications. For instance, an individual state says you can't take data out of it. Depending on the relative size of the state's population (i.e. Rhode Island vs Florida) a company may decide it's not worth it to do business there anymore.