Thinking systematically about ad data ecosystems
Adtech data flows through complex multiparty data ecosystems. The first two steps in managing risk in any multiparty system are working out:
- what are relevant risks, and
- which party should be responsible for mitigating which risk.
Flows of data about interactions by consumers with ecommerce sites, social media platforms and media publishers clearly create risks that consumer data may be misused by some intermediaries in digital advertising supply chains.
Data flows and what happens downstream
Secondary uses of consumer data may breach data privacy laws by failure of entities to comply with requirements as to notice and consent. Lack of transparency may hide other problems. When consumer organisations and regulators are unable to evaluate whether uses of data about consumer interactions are fair to the affected individuals, the credibility of claims that targeted advertising delivers consumer benefits is questioned. Consumer advocates rightly point to risks of unfair discrimination, of targeted denial of availability of offers, and other algorithmic effects which are detrimental to the interests or expectations of an internet user.
For digital advertising supply chains to be trusted by consumers and regulators, there needs to be sufficient transparency and predictability as to how consumer data is being shared and used for each intermediary in that supply chain must be demonstrably accountable and trustworthy.
The digital advertising sector has focussed upon addressing concerns of regulators. Some digital advertising entities have also lifted their individual compliance. However, consumer advocates are increasingly focussed upon how the ad data ecosystem works. They inform regulators that unscrupulous or uncaring intermediaries in the digital ad supply chain are making inappropriate and excessive uses of consumer data. The digital advertising sector as a whole risks being judged by shortcomings of those ad tech intermediaries that do not get their own houses in order.
Responsibility for what others do
Well-run adtech entities also face new legal exposures. Data flows between entities in the digital advertising supply chain create risks that an entity will be held legally responsible for illegal acts or omissions of another entity in that chain. The law around accessory liability has always been complex. However, Australian Consumer Law creates ample scope for plaintiffs and the ACCC to claim that where one entity has engaged in misleading and deceptive conduct, such as by using data about consumer transactions contrary to that that entity has said it will or won’t do, other entities knowingly involved in that contravention may also be liable. Liability can be attributed to another entity which has “been in any way, directly or indirectly, knowingly concerned in, or party to” a contravention. In other words, knowingly ‘turning a blind eye’, while empowering someone else to engage in misleading conduct, can constitute an offence.
One aspect of complexity of ad data ecosystems is the multiplicity of paths that ad data flows through the system. The ad data ecosystem looks more like a multiverse than a mapped galaxy. This complexity makes it hard for regulators and plaintiffs to attribute legal responsibility and liability among different entities sharing data within that ecosystem. However, regulators increasingly focus upon activities of gatekeepers: those entities that decide whether to share data, and if so, which data sets at what level of granularity, and then subject to what controls and safeguards.
Smartening up data privacy law
Data privacy statutes used to focus upon whether a collector of personal data relating to individuals was transparent to data subjects about how that entity used or disclosed that data, and whether they obtained consent in circumstances where consent was required. Those statutes are getting smarter. Perhaps the most significant innovation of the last decade in data privacy statutes around the world has been allocation of legal responsibility to entities that control collection of personal data – data controllers – to specify and oversee controls and safeguards implemented by entities that process that personal data on behalf of the controllers.
Some newer data privacy statutes extend that responsibility to encompass downstream activities within data ecosystems enabled by a data controller: that is, activities of downstream entities that are not processing on behalf of the controller, but who are acting to their own account. Data collectors that facilitate creation and use of multiparty data ecosystems risk legal responsibility to ensure that downstream recipients do not handle that data in any way that is inconsistent with statements that the data collector elects to make about how that data will, or will not, be used.
This is not tomorrow’s problem. As well as the requirements of the Privacy Act 1988, consumer protection statutes such as the Australian Consumer Law already take two important steps:
- looking for inconsistency between what an entity does with data, and what that entity says or implies it will or won’t do (or allow others to do), without any regard for whether relevant data is personal information about an individual, or non-personally identifying data relating to a device or browser, and
- creating liability where an entity is knowingly concerned, through actively ‘turning a blind eye’, to misleading or deceptive conduct by another entity.
Some digital advertising businesses operating in Australia do not understand the extent of their legal exposure through failure to ensure that their processes of data governance and assurance meet requirements of Australian Consumer Law and expectations of the ACCC as to management of multiparty data ecosystems.
What’s next?
Some businesses and their privacy lawyers are now agitated about the forthcoming increase in maximum penalties under the Privacy Act 1988. They may not have noted that these changes will align those penalties with longstanding provisions of Australian Consumer Law which include maximum fines of $10 million or 10% of the annual turnover of a corporate group.
Reform of Australian privacy law is important and will be impactful.
We should not underestimate the potential adverse impact upon the digital advertising sector of any poorly formulated extension in the definition of personal information about individuals to include non-identifying uses of tracking codes and device identifiers.
Responsible data sharing by entities that implement good data governance requires proportionate regulation of controlled and safeguarded sharing of non-identifying data relating to internet interactions.
Entities that operate responsibly, and tell consumers what they will or won’t do, should expect the law to require them to exercise corresponding responsibility across ad data systems that they manage. That may include legal responsibility for activities of other entities operating within that data ecosystem. There is nothing unusual in this. Sensibly reformulated, the revised Australian data privacy statute would align with existing Australian Consumer Law. However, the Australian digital advertising sector needs to be heard, and its views understood by consumer advocate and policy makers, before the sector can have any confidence that reform of the revised Australian data privacy statute will be sensible and proportionate.
Peter Leonard, Data Synergies
31 July 2021