Getting on the Front Foot: Managing Consumer Data in Ad Data Ecosystems
Data Collection & Management
Consumer data is a bit like the rain: you either have not nearly enough, or much too much.
Not enough data means that you spray ads across an audience including many recipients uninterested in the product.
Too much data means you become regulated about how you use it, what other data you are allowed to combine with it, and who you may share data with. So you are able to micro target, but the law prevents you from doing so.
Getting the right consumer data to enable the right audience segmentation for the right product is the Goldilocks moment of digital advertising.
The water analogy does not stop there.
Managing consumer data is like managing water. Water and data each want to be free. Each freely runs out of any hole left unplugged.
Almost all participants in the digital advertising supply chain – brands and their CMOs, agencies, media buyers, ad tech service providers, digital platforms and publishers and other providers of digital ad canvas – can’t carry on business without sharing some consumer data with others. Sharing of consumer data, like sharing of water, enables and nourishes the ecosystem.
Data Usage & Sharing
As water flows through an ecosystem, it is hard to maintain and monitor quality, to meter and detect misuse or overuse, and to ensure that each data user does just what they say they do. A digital advertiser can read any report on water mismanagement in the Murray-Darling Basin and feel right at home. Management of flows of consumer data, and permissible data sharing, in the complex multi-party ad data ecosystem is a lot like sorting out tensions between cotton farmers, other water users and environmental needs on the Darling River.
One of the most interesting sections in the ACCC’s Digital advertising services inquiry: interim report cites examples of conflicts over ad data sharing and continues:
These examples illustrate a recurring theme in this industry: a tension (real or claimed) between consumer privacy on the one hand and transparency and competition on the other. In each example, publishers or advertisers (as applicable) claim that they need greater access to raw data about the operation of the ad tech service to properly evaluate how well their service providers are performing, and therefore to make effective choices on which services to use. However, Google often publicly claims that privacy legislation, or consumer expectations of privacy, prevent it from releasing the data sought. But without access to the more detailed information, publishers and advertisers consider that they have to make decisions based on trust that the service is operating as claimed, which is unacceptable in a commercial relationship.
Data Regulation
The tension is real, although callout on Google alone seems a bit unfair: as discussed in this column last month, Because of the Privacy Act (BOPA) is a common refrain across the ad sector. However, consumer data privacy and competition policy be made to fit together. Competition regulators can address ad data sharing by regulation: to restrict sharing, to require it (including through requirements to make available and as to interoperability), to impose conditions about it; and to control uses of ad data within particular entities (such as requirements for technical and operational separation of data handling within those entities). But before doing any of those things, good regulators encourage or cajole industry participants to sort out sector specific rules – standards, reference frameworks, industry codes, good practice guides – anything that an industry sector can be convinced to do themselves, that avoids the dead hand of regulation.
Why is regulation so bad, even when regulators are good and careful?
Regulation is blunt and never agile.
Regulatory schemes rapidly become outmoded by technological developments.
Bigger players are better at gaming regulation, so even regulation to help smaller players often ends up working to benefit big incumbents.
And regulation often has unintended consequences.
If regulation was easy, everything would be regulated. Good regulators are rightly cautious.
And what about consumers? It is all very well for the digital ad sector to seek to enable and ensure diversity in opportunities for Australian entities to participate in the digital advertising ecosystem. The data privacy regulator and consumer protection regulator are now coordinating their responses with an objective of ensuring that uses of consumer data for digital advertising are consistent with expectations of consumers to be addressed fairly, respectfully and in accordance with data privacy and consumer laws.
Lessons from GDPR – Pseudonymised Data and Data Controllers vs Processors
You might think that the last place to look for ideas about sensible regulation is the European Union’s General Data Protection Regulation (GDPR).
You’d be right in many respects. The GDPR was drafted by a committee that didn’t agree about many things they were dealing with, so many of its provisions are obscure. However, there are some good concepts in the GDPR.
One good idea is thinking clearly about who controls data and who acts at the direction of a controller when processing data.
Another good idea is thinking clearly about pseudonymised data, which s absolutely critical to engaging with two key proposals explored by the ACCC: a common user ID, and a common transaction ID.
Good management of an ad data ecosystem that uses a common user ID, or limited number of federated IDs, and a common transaction ID, avoids sharing of consumer data that contains information about a consumer that is personally identifying information in and by itself. However, pseudonymised identifiers like common user IDs and common transaction IDs may be capable of use by a participant in the ad data ecosystem to attempt to identify a consumer, by associating the relevant ad data with other information available to that participant. For this reason, GDPR treats as regulated personal data so called “pseudonymised personal data” – personal data that cannot be attributed to an individual without the use of additional information, where that additional information is reasonably available.
Pseudonymised personal data is required by the GDPR to be kept separately and subject to appropriate technical, operational, organisational and legal controls to ensure that re-identification of an individual is not possible.
Wherever personal data (pseudonymised or not) is being handled and shared in a multiparty data ecosystem, GDPR requires clarity as to which entity is responsible for decisions about how that shared personal data is used or further shared or made available. This entity is the “data controller. That entity may either allow others to process that data while under the controller’s control, or release that data from its control (to another data controller). Different rules apply to each.
A data processor must implement verifiably reliable data handling processing policies, processes and practices to ensure that the contractor complies with obligations of a ‘data processor” under the GDPR. Where a data processor itself uses sub-contractors (such as a cloud platform service provider), the contractor must also manage those sub-contractors as data processors, overseeing their compliance by the rules. in accordance with GDPR. Because the data controller (or joint data controllers) can be clearly identified and carry responsibility for ensuring that the rules are followed by other participants that handle consumer data at their control and direction, consumer data is permitted to be shared with those other participants.
Pseudonymisation of personal information about individuals is not expressly recognised as a concept in the Australian Privacy Act as it stands today. However, the Australian Privacy Commissioner promotes removal of direct identifiers wherever possible as good data governance practice in minimising handling of directly identifying personal information, thereby reducing risk that when consumer data is disclosed, that data can enable identification of relevant individuals.
Common user IDs and common transaction IDs don’t solve anything in and of themselves, but they can be an important step towards enabling controlled and safeguarded sharing of consumer data across a multi-party ad data ecosystem. Taking that step may avoid consumer data disappearing into single party silos.
Key Steps for the Industry
Digital ad sector participants may sort out rules – standards, reference frameworks or industry codes – that create clarity as to which entities control and which entities process that consumer data, under what rules.
Regulators can help, but the digital ad sector is best placed to help itself, with assistance from the regular if required.
Regulator-imposed rules might be needed to control uses of ad data within particular entities, but industry itself needs to think about what rules it thinks should apply to each type of entity within the digital advertising supply chain. What are the key steps for the sector?
Step 1: Recognise rising expectations of regulators and consumer organisations of how data about consumers is handled and shared in digital advertising.
Step 2: Each entity in the sector to ensure that their own data handling practices address those rising expectations – for each entity to get its own house in order.
Step 3: Think about what rules the sector needs, and to try to get them in place before the regulator makes up the rules – and potentially gets them wrong.
The digital advertising sector needs to get on the front foot.
Peter Leonard
Principal, Data Synergies
29 March 2021