The “best laid plans of mice and men often go wrong” is as typical of regulators as the oft-quoted excerpt is true.
Nowhere is this more appropriate right now than when it comes to limiting the unintended consequences of a data industry fueled by advertising money, mired in complexity and underlined by nondisclosure agreements.
Consider a recent example in the United States in which the Federal Trade Commission sued ad-tech provider Kochava for allegedly selling location data that could track movement to domestic violence centers, reproductive health clinics and other sensitive places.
Intentions do not always turn into reality. If they had, Kochava would have settled with the FTC. Instead, the ad-tech company refused to settle terms that CEO Charles Manning called “ambiguous.”
The sense of deja vu is palpable for anyone who follows these things closely.
At the start of the year, it looked like the future of the Transparency Consent Framework (TCF) – the IAB Europe-led industry-wide attempt to standardize compliance with the General Data Protection Regulation – was dark. Data protection watchdogs have declared it illegal in its current form. Obituaries for his impending demise soon followed. Several months later, these claims seem increasingly premature. Indeed, a few weeks ago (early September), it became clear that the fate of the TCF would be decided by the High Court of the European Union.
Or rather, Europe’s highest court would deliver its verdict on whether the data was unlawfully collected through the TCF and whether IAB Europe is financially liable for any GDPR claims brought against the ad tech ecosystem as a result. . This is crucial given that the appeals court will not deliberate on the future of the TCF until these questions are answered. That decision won’t happen for at least a year.
So much for the forceful application.
The problem with attempts to bring order to the online advertising data industry complex is how poorly written the rules are. There’s enough opacity in these regulations, whether it’s its GDPR or the California Consumer Privacy Act, to give companies leeway to claim that no breach has occurred. And that’s exactly what happened.
Businesses (on the whole) followed the law, but not always the spirit of it. Call it an inconvenient truth. When a regulatory change is announced, companies must interpret the new legal requirements and adapt their business models as they see fit. The result can be messy, confusing and lead to many attempts to flout or bend the rules.
Of course, data privacy regulators were going to want to put a marker down.
That’s not really the issue for Kochava’s CEO. Manning understands that reform is painful but necessary when it comes to data privacy. It’s how the FTC has pursued these reforms that have ruffled ad tech executives.
“We’re looking for specificity and the FTC isn’t ready to provide it,” Manning said.
For Kochava, the devil is in the details: The FTC wanted Kochava to block sensitive location data but didn’t specify what that meant, Manning said. Had that location specificity been provided, Manning said he and his team could have built it (if it wasn’t already) into a product called Privacy Block that they had designed to do just that. Instead, that clarity never came, Manning continued.
“They [the FTC] said ‘no, that’s not how it’s going to work’ and said they would name ‘sensitive health places’,” Manning continued. “That left us with the question of how to get that specificity in a data market where what might be sensitive for one may not be for another.”
Good luck trying to predict how this will play out.
Neither the FTC nor Kochava seem ready to back down from their widely reported positions on the matter. So there is every chance that it will be decided by the courts. And even then, it could go either way. Yes, there is a precedent. Indeed, the FTC has cracked down on the potential use of sensitive data in ways that people may not be clearly aware of or expect. Again, Kochava was not found to have used “sensitive health location” data in this way, Manning said. And even if it did, it wouldn’t be illegal.
There is currently no federal law that oversees the data broker industry – a point that was highlighted last month when the FTC made the opening comments for its rule-making process after filed the lawsuit against Kochava.
Or to put it another way, the FTC’s enforcement came before it actually had any regulations to enforce. No surprise there. In a post-Dobbs world, the regulator acts with more urgency.
If this turns out to be a flashpoint for data privacy, then the story has well and truly rhymed with uncertainty over the TCF in Europe. But unlike the tet-a-tet between Kochava and the FTC, the timing of the TCF judgment was hardly unexpected. On the contrary, it was a surprise that the regulators had not moved sooner. Remember that the TCF relies heavily on good players and industry compliance. Spoiler: not everyone is. Data brokers are still exchanging personal data and the online advertising industry is riddled with potential abuse.
“TCF is not a nut soup, a GDPR compliant solution in that there are many other things you will need to do to comply with the law,” said Townsend Feehan, CEO of IAB Europe. “What Belgian ODA [regulators] We want the TCF standard to adopt more compliant features, which we will no doubt sooner or later. That said, the responsibility for processing data for advertising purposes rests with the companies processing the data. »
Such a transformation would impose significant new costs on IAB Europe, as it requires the development and continued operation of a technical accountability infrastructure. This could be a very difficult, if not impossible, task given the way the OpenRTB ecosystem operates today – a thought not lost on IAB Europe.
Wherever these lines in the sand are ultimately drawn could have major implications. They could either cement the authority of the privacy watchdogs to regulate the space or seriously hamper it.