
The Evolution of Advertising and Privacy

A 25-year industry veteran and current Executive Vice President of Government Relations at the American Association of Advertising Agencies (4A’s) in Washington, DC, Alison Pepper works with regulators, legislators, and cross-industry stakeholders on issues relevant to the advertising community.

Over the past 15 years, she’s witnessed the industry explode as privacy concerns have pushed digital advertising to an inflection point. The hyper-speed of evolution led to greater scrutiny by federal and state regulators as well as private consumers. As major players like Amazon, Google, and Apple take the lead on shaping the industry’s future, ad tech leaders must prepare to operate under new and evolving privacy regulations.

“The explosion of privacy policy and issues driving legislation right now presents compelling questions about the future of ad tech growth.”

A Brief Look Back

When Pepper first joined the Interactive Advertising Bureau, an advertising trade association formed in New York in 1996, its focus was standardizing technical operations for banner ads. Since then, the online advertising industry has boomed. Much of this growth can be traced to Section 230 of the Telecommunications Act of 1996, limiting platforms’ and publishers’ liability for user-generated online content – arguably the bedrock that allowed the internet to develop the way it did.

Growth accelerated when Facebook ads came online in 2008, and again in 2014 when the number of mobile users surpassed the number of desktop users. A growing number of digital advertising players resulted in even greater complexity on the back end.

Throughout that period, Pepper says, “The ad tech industry moved far in advance of policy and regulation, operating under the old maxim—ask forgiveness and not permission. Now regulatory and legal challenges are catching up to this industry.”

Increasing Government Scrutiny

For years, Congress and state legislators sought to find ways to protect personal privacy around the use of data. Pepper points out that, “A lot of the concerns about the use of data and consumer privacy didn’t just evolve overnight. We’ve been aware of these concerns for a while; they’ve been bubbling up for over a decade now.”

Cambridge Analytica was the watershed event in 2016 that spurred Congress into more aggressive action. The political consulting firm obtained the profiles of 50 million users without their knowledge or consent, revealing what could happen if data usage and collection were unregulated and rules not enforced. The political became personal for these politicians for the first time when members of Congress saw how this data could potentially influence an election. Consumer privacy became embedded in the national consciousness.


Despite congressional concerns, data privacy still remains unregulated at the federal level, even with bipartisan support. Over 20 different bills and 40 different versions of comprehensive federal privacy legislation have been introduced since 2016.

States Take Action

“The degree to which states are tired of waiting on the federal government and just want to move ahead with their own initiatives grows every year,” says Pepper.

In the absence of comprehensive federal legislation, many US states are passing their versions of privacy legislation. The most well-known is the California Consumer Privacy Act of 2018 (CCPA), which was recently expanded with the California Privacy Rights Act (CPRA), a ballot measure approved by California voters in November 2020. Many US states and companies see the CCPA as a litmus test. They’re watching the economic impact on businesses, how often consumers utilize it, and the balance between business compliance costs and net benefit to consumers.

Since January of 2021, several states have introduced comprehensive privacy legislation. Companies are justifiably concerned that states will potentially enact 50 different versions of privacy law at the state level, leading to a stronger push for federal privacy legislation.

Tech Giants Lead the Way

However, states are not the only ones eager to act. In the absence of comprehensive federal legislation, tech giants are taking the lead in shaping the future of ad tech.

Google announced in 2019 that it would deprecate third-party cookies in Chrome, making it harder for online marketers and advertisers to track web users. That’s a massive loss for advertisers and marketers, who are heavily reliant on the use of third-party cookies. And in April 2021, Apple announced privacy changes to its Identifier for Advertisers (IDFA) in its iOS 14.5 software release. The policy shift gives users the option of not sharing personal data.

Motivating these changes is privacy, sure. But, as Pepper states, citing Shoshana Zuboff’s The Age of Surveillance Capitalism, “when these types of changes start coming from big companies, frequently it’s privacy cloaked in competitive advantage.”

Apple, for example, has simultaneously deprecated advertising marketers’ data on its platforms while quietly building out its internal advertising network. Though it is a privacy-friendly move, it’s also a huge competitive advantage if you dig far enough beneath the surface.

Amazon played a prominent role in shaping and supporting Virginia’s state privacy legislation earlier this year. (Notably, they also invested $35B in building out data centers in Virginia.) As a result, Virginia’s Consumer Data Protection Act lacks the right to private action available under California’s CCPA.

In addition, Pepper notes, if private companies with private boards are effectively allowed to set privacy laws, that practice can change with a different CEO and a separate board. Letting corporations effectively dictate privacy “policy” doesn’t negate the need for federal privacy legislation. Consumer advocacy groups, companies outside of big tech, brands, advertisers, and even legislators are still pressing for comprehensive privacy legislation.

How to Prepare for the Future of Privacy?

So what could US federal privacy legislation look like? What can ad tech players do to prepare? 

Congress is currently less focused on comprehensive privacy than on reshaping Section 230 and reining in the power of the large social networks. But a high-profile incident could push Congress to legislate privacy more aggressively.

Impact on Ad Tech Industry

What’s the likely future of personalized advertising in the wake of all these changes? Probably some reversion to contextual advertising that doesn’t rely on personally identifiable information (PII) at all, or that uses first-party data (data that companies obtain through their customers’ permission for their own use, rather than data that is bought or sold). Brands with first-party data will have greater leverage. Changes around privacy coming from browsers and operating systems will pressure the entire ecosystem, including vendors, to modify their own practices and policies.

The United States Federal Trade Commission (FTC), the Department of Justice (DOJ), and state attorneys general have proposed antitrust litigation, legislation, and potential remedies such as breaking up Google (search and the ad tech stack) and Facebook (Instagram, Facebook, and WhatsApp). Divestiture is not a remedy that the FTC or the DOJ typically like to pursue, however; they tend to favor fines and greater scrutiny of future mergers and acquisitions.

“Today, we’re at an inflection point with privacy and market concentration concerns and the absolute domination of certain companies in the marketplace. The outcome of these antitrust concerns will weigh heavily on future privacy legislation, not just coming out of Congress over the next few years, but the states as well,” predicts Pepper.

As the industry looks to the months and years ahead and prepares for greater regulation, ad tech may start to look like financial services and other highly regulated industries.
