AdTech regulation and compliance

January 2022  |  TALKINGPOINT | SECTOR ANALYSIS

Financier Worldwide Magazine

January 2022 Issue

FW discusses AdTech regulation and compliance with Linda A. Goldstein, Gerald J. Ferguson, Fernando A. Bohorquez Jr., Jeewon K. Serrato and Justin T. Yedor at Baker & Hostetler LLP.

FW: Could you provide an overview of advertising technology (AdTech) and how the industry has grown to help brands target, deliver and analyse their digital advertising efforts?

Bohorquez: Advertising technology (AdTech) is an umbrella term that encompasses a wide array of technologies used to target, deliver, analyse and manage digital advertising to consumers across multiple channels and displays, including desktop, mobile, search, social and video. Although the digital advertising ecosystem is complex, in its simplest form it can be boiled down to two main verticals – the buy side, such as brands, agencies and demand side platforms (DSPs), the entities that purchase the content inventory where an advertisement is displayed; and the sell side, digital publishers and sell-side platforms (SSPs), the entities that sell the content inventory to display the advertisement. These two segments are connected and supported by an extensive web of servers, trading desks and networks that deliver a brand’s advertisement to a specific publisher to be displayed to a targeted consumer or group of consumers on one or multiple channels. AdTech refers to the diverse group of software companies and tools that power the buying, selling, delivery, verification, measurement and management of advertisements in the digital advertising marketplace.

Ferguson: For the past 20 years, brands have been relying on AdTech to deliver and target their digital advertising. In particular, the digital marketing ecosystem has relied heavily on the ability to track and target consumers as they surf across websites, apps and online platforms. This is done through third-party cookies – the small digital files that websites download to a user’s device to help identify the user as they interact with a website and traverse the internet. It is likely that in two years, the third-party cookie will be obsolete, and with it the third-party consumer behaviour-based digital advertising model.

Goldstein: Due to a confluence of new data privacy laws and advertising technology standards, the cookie, and specifically the third-party cookie, is scheduled to be phased out by the end of 2023. The questions advertisers are correctly asking themselves now are what will take the place of third-party cookies, and how should they best position themselves to market their brands in the post-third-party cookie world. The good news is that alternative data solutions are already being developed, and the picture of what the digital advertising post-cookie landscape may look like is starting to come into focus.

Connected TV will play a much larger role in ad spend, which will invite a growth of AdTech tools to support programmatic advertising on this platform.
— Justin T. Yedor

FW: Drilling down, could you describe the kinds of benefits and insights that AdTech solutions provide to brands and publishers?

Goldstein: In short, AdTech solutions benefit both brands and publishers by helping them scale their digital advertising operations, make the advertisement buy and sale process much more efficient and target ads to specific audiences. AdTech tools also provide verification and measurement insights to ensure that adverts are being viewed by the right consumers for specific advertising campaigns. For instance, AdTech solutions provide the technology underlying the shift to ‘programmatic advertising’. Programmatic advertising refers to the use of software, artificial intelligence (AI) and algorithms – as opposed to human ad buyers and salespeople – to purchase digital advertising. The transition to programmatic advertising has made the digital marketplace more efficient and enabled advertisers to access a wide range of inventory to buy for target audiences and to reach specific demographics.

Bohorquez: Real-time bidding, a type of programmatic advertising, is powered by AdTech to facilitate the purchase and sale of advertisements through real-time auctions, meaning that the buying and selling of an online ad impression occurs in the time it takes the webpage to load. On the publishing side, header-bidding is an automated auction AdTech solution that allows publishers to sell their inventory through a network of DSPs, while receiving bids at the same time from multiple advertisers. Third-party cookies have been a key AdTech tool in the digital marketing toolbox for more than 20 years, and over time, advertisers have developed a variety of ways to leverage them in campaigns. For example, it is the third-party cookie that enables several key programmatic advertising use cases, such as the use of software to automate the buying and selling of ads and fuel real-time bidding.

Ferguson: Specifically, third-party cookies provide a number of benefits and insights to marketers. Identification is one of the most popular uses of third-party cookies. AdTech platforms like SSPs and DSPs use third-party cookies to identify users across the web. Once an AdTech platform can identify users, the cookies are then used for behavioural targeting and retargeting to show the users personalised ads based on their behaviour and interests. Frequency capping helps identify whether a user a company is trying to reach has seen a given advertisement a specific number of times, and it helps limit the number of times a user is shown the same ad. Third-party cookies can also help measure the performance of a campaign and run attribution, allowing advertisers to understand which action was responsible for the conversion and what ads were clicked, were viewed and led to a purchase. Audience activation is a use case which enables advertisers to use data management platforms (DMPs) to leverage cookie syncing to create audiences and target them across different websites. Cookie syncing or matching underlies many use cases and basically means syncing or matching cookies that have been created by different players in the digital advertising ecosystem, such as DSPs, SSPs and DMPs, into one cookie ID to theoretically identify the same user.

Bohorquez: AdTech solutions have become increasingly helpful to brands and publishers in the ad verification and measurement space. Advertisement fraud is a multibillion-dollar industrywide problem. In response, many AdTech companies now arm brands and publishers with the tools to combat ad fraud by monitoring invalid traffic, avoiding bidding on invalid traffic in real-time bidding auctions and blocking ads from delivery to fraudulent bots. AdTech solutions also provide technologies that can measure whether an advert is viewable upon display across multiple channels, as well as protect brands from having their ads appear adjacent to questionable or offensive content.

Anonymous identifiers are emerging as tools for creating audience segments in a post-third-party cookie world.
— Jeewon K. Serrato

FW: How would you characterise current regulatory scrutiny of the AdTech industry? What penalties and other repercussions may face businesses that fail to meet their legal obligations?

Serrato: In recent years, there has been a proliferation of comprehensive privacy laws and regulations that limit companies’ ability to collect, track and share consumers’ personal information. A key regulatory focus of many of these laws is the flow of data from brands to the AdTech industry. While the intensity of regulation is increasing, this is not necessarily a new trend. The regulation of cookies, for example, dates back to 2009, when the European Union (EU) amended its ePrivacy Directive, which created the so-called cookie directive. In other words, at the time the leading privacy law in the EU, the General Data Protection Regulation (GDPR), took effect in May 2018, regulation of AdTech was actually already underway. Regulation of AdTech in the EU may have been underway before the GDPR, but the GDPR still brought a significant change to the regulatory approach. Prior to the adoption of the GDPR, website owners could generally satisfy the ePrivacy Directive with a cookie banner and an opt-out mechanism, much like the current approach of many US-only websites. With the adoption of the GDPR came a shift to opt-in consent for all nonessential cookies. The GDPR also removed any doubt that most cookies, by their nature, involve the processing of personal data.

Yedor: The new draft 2021 ePrivacy Regulation will further solidify this approach, ensure ongoing consistency between the ePrivacy rules and the GDPR, and update the scope of the ePrivacy Directive based on new technological developments. In short, the EU’s approach of requiring prior, opt-in consent for tracking technologies is here to stay. Meanwhile, in the US, regulators also have cookies and AdTech in their sights. The California Office of the Attorney General (OAG) has been actively enforcing online privacy laws, starting with the California Online Privacy Protection Act (CalOPPA), which went into effect in 2004 and required privacy policies for commercial websites. When the California Consumer Privacy Act (CCPA) came into effect in 2020, it gave the OAG yet another enforcement tool to regulate AdTech. Under the CCPA, businesses must allow consumers to opt out of the ‘sale’ of personal information, including information gathered through cookies. The CCPA broadly defines a sale as any transfer of personal information to a third party for monetary or other consideration. While some businesses took the position that permitting third-party cookies on their websites is not a sale of personal information, the OAG has made clear it sees things differently. In recent enforcement actions, the OAG has argued that allowing any third-party tracking cookies on an advertiser’s website constitutes a sale of personal information under the CCPA and that consumers must be able to opt out.

Serrato: One of the surprises of the OAG’s CCPA enforcement is its insistence that advertisers treat the Global Privacy Control (GPC) browser signal as a request to opt out of the sale of personal information. Rather than requiring a user to click opt-out links on individual websites, the GPC allows users to automatically send an opt-out request to every website they visit through an enabled browser. Publishers like the New York Times and Washington Post have endorsed the GPC, but its real-world functionality across advertisers’ websites remains largely untested. Despite the newness of the technology and the fact that very few websites have implemented the GPC, the OAG has already brought enforcement actions against businesses that did not configure their websites to recognise the GPC. If the OAG’s enforcement actions left any doubt about the ongoing impact of signalling technologies like the GPC, three new laws taking effect in 2023 will settle the debate. The new California Privacy Rights Act (CPRA) allows businesses to recognise ‘opt-out preference signals’ in lieu of providing ‘do not sell’ links on their homepages – an option likely to increase the desirability of implementing the technology for advertisers. The CPRA also attempts to end any debate about whether a transfer of personal information for advertising purposes is a sale by extending consumers’ opt-out rights to ‘sharing’ of personal information for behavioural advertising purposes. While the OAG will continue to have civil enforcement authority under the CPRA, the CPRA also established a new enforcer, the California Privacy Protection Agency (CPPA), which will have administrative enforcement powers specific to consumer privacy. With $10m already allocated to it in the 2021-22 budget, the CPPA is expected to aggressively enforce the CPRA against targeted advertising in particular. Beyond California, more than 20 other states have also considered CCPA-like laws. The two that passed so far, the Virginia Consumer Data Protection Act and the Colorado Privacy Act (CoPA), both provide consumers with an express right to opt out of ‘targeted advertising’, and CoPA expressly requires recognition of browser-based opt-out signals. These newer laws leave no doubt consumers must be given the choice not to have adverts targeted to them based on their personal data. Businesses that fail to comply with these new notice and opt-out requirements may face enforcement actions and stiff penalties from regulators.

It is difficult to overstate the transformation in the digital advertising ecosystem we expect to see over the next several years due to the demise of the third-party cookie.
— Fernando A. Bohorquez Jr.

FW: What steps should AdTech companies take to ensure data privacy compliance? How important is it to gather and use personal data in a transparent manner, with a lawful basis for processing?

Ferguson: As a starting point to developing a privacy compliance programme, AdTech companies should understand and align themselves with industry self-regulatory frameworks. Two organisations that have played a critical role in developing self-regulatory frameworks are the Interactive Advertising Bureau (IAB) and the Digital Advertising Alliance (DAA). Both the IAB and the DAA have adopted tools intended to help businesses comply with the CCPA. The IAB approach requires participating publishers that choose to deploy third-party tracking cookies to California residents in connection with the programmatic delivery of digital ads to transmit to other participants in the placement of a digital ad a signal that communicates whether a consumer has opted out of inclusion of that consumer’s information in profiles created for advertising purposes. The DAA CCPA opt-out tool provides consumers with the ability to transmit requests under the CCPA for a browser to opt out of the sale of personal information to one or more DAA participating companies. Both tools are currently under scrutiny by the California OAG. The IAB also offers a tool for obtaining from users in Europe consent for the use of tracking cookies. As companies participating in AdTech prepare for the unknowns presented by the post-third-party cookie future, there are certain steps they should be taking now. As a starting point, they need to understand the data they have and how it flows. To this end, they need to audit their existing data collection points to understand what they are collecting and how they obtain it. They then need to engage in ‘data mapping’ to understand all the ways data is used, shared and stored. Once a company has an accurate picture of its data practices, it must review its existing contracts with its data partners to confirm that these contracts impose appropriate compliance obligations on these data partners and to verify that the company’s use of data is consistent with its contractual obligations. To the extent it has not already done so, it should put in place internal guardrails, including data use policies and technical restrictions on data use that promote compliance with the company’s obligations under law, contracts and self-regulatory schemes that the company has adopted.

Other technological developments are creating new ways to analyse the effectiveness of ads and are even creating new opportunities to interact with consumers.
— Linda A. Goldstein

FW: What are your predictions for the AdTech industry in the years ahead?

Bohorquez: It is difficult to overstate the transformation in the digital advertising ecosystem we expect to see over the next several years due to the demise of the third-party cookie. In the near term, brands, publishers and the AdTech vendors that support the buying and selling of digital ads will need to reckon with the sweeping changes implemented by Big Tech. From Apple’s transition away from targeted advertising to Google’s evolving privacy sandbox initiative replacement for targeting on the Chrome browser, the current playbook for finding and advertising to consumers online will become less effective. In the long term, brands and publishers will need to reorient themselves to a consumer-focused, privacy-centric, first-party-solutions-based framework for developing, building and targeting audiences. The AdTech solutions will follow, or in some cases lead.

Goldstein: While the imminent death of the third-party cookie will play a signature role in AdTech in the next few years, it is not the only trend we are watching. Other technological developments are creating new ways to analyse the effectiveness of ads and are even creating new opportunities to interact with consumers. First, if it has not been already, AI will be fully embraced by brands and publishers alike to better operationalise their digital advertising campaigns. Along those lines, advertisers will rely more on verification and measurement AdTech tools to ensure that their ads are being viewed by the right and real people at the right time, alongside the right content. AdTech solutions powered by sophisticated AI to ensure brand safety and suitability for their advertising campaigns will also start to lean heavily into contextual targeting, as opposed to behavioural targeting.

Yedor: As consumers spend more time online and on a variety of devices, omnichannel and cross-platform campaigns will continue to increase. Connected TV will play a much larger role in ad spend, which will invite a growth of AdTech tools to support programmatic advertising on this platform. Similarly, augmented reality (AR) is pushing the convergence of the digital and physical worlds. AR-based products present the opportunity for brands to advertise in an entirely new context, reaching consumers simultaneously online and in real life. While this new space presents tremendous opportunity, it will almost certainly need to be approached in the consumer-focused, privacy-centric way that will likely be commonplace in the post-third-party cookie era. In short, do not expect the AR environment to be a throwback to the pre-consumer-privacy internet.

One thing that basically everyone agrees with is that in the post-third-party cookie world, first-party data will be key.
— Gerald J. Ferguson

FW: What innovations are we likely to see as solution providers adapt their offerings to evolving regulatory restraints?

Goldstein: The big drivers of change in the AdTech industry are the increased regulation, the decision of Google and other browser providers to disable third-party cookies within the next two years, and Apple’s determination earlier this year to require apps running on its devices to obtain opt-in consumer consent before tracking the consumer’s activity on other apps and websites. In the wake of these developments, the ad industry currently lacks a consensus on the alternative to third-party cookies. But it is beginning to appear that the lack of consensus in and of itself is a preview of what the post-third-party cookie landscape may look like – meaning that the ‘one cookie to rule them all’ approach will instead be replaced by a variety of alternatives.

Ferguson: One thing that basically everyone agrees with is that in the post-third-party cookie world, first-party data will be key. First-party data, as the name suggests, is data collected by companies directly from the consumer. After first-party data, the most important post-third-party cookie development that advertisers should become familiar with is arguably Google Chrome’s Privacy Sandbox, a protected test environment used to determine how to run ad targeting, measurement and fraud prevention without third-party cookies using Google application programming interfaces. In addition, advertisers need to become familiar with platform-agnostic, industrywide post-third-party cookie solutions such as people-based identifiers and anonymous identifiers. People-based identifiers use first-party data such as emails, phone numbers, credit card numbers and loyalty IDs to identify customers, to connect them correctly across devices and to match that with data collected from other sources.

Serrato: Anonymous identifiers are emerging as tools for creating audience segments in a post-third-party cookie world. Under this framework, users consent to the creation of an anonymous identifier tied to the user’s identity. Typically, the user provides consent for the creation of the anonymous ID in exchange for premium content or some other valuable incentive. For instance, LiveRamp is partnering with publishers and matching data back to its own RampID, which uses emails, addresses and phone numbers. The Trade Desk has developed Unified ID 2.0, which it has contributed to an open-source project administered by the IAB. Intended as a cookie replacement, it uses anonymised email addresses that are gathered from a user logging in to a website or app. The goal of Unified ID 2.0 is to create an experience in which consumers understand the value of relevant advertising and get to set their preferences on how their data is shared. Launched in October 2020, Unified ID 2.0 already has several partners spanning the digital ecosystem. Preparing for the ‘cookie-pocalypse’ begins with recognising that there will likely not be a ‘one size fits all’ solution. Instead, brands will need to work with AdTech companies to look at a combination of alternatives that best match their current data sets, ad stacks and prospective marketing plans, while considering the emerging and evolving privacy-conscious regulatory and technology frameworks.

Bohorquez: The first steps are auditing your data and mapping your data flows and understanding the impact of laws, contractual obligations and industry frameworks on your operation. At bottom, digital industry advertising players must understand and assess the emerging alternatives to cookies. One thread running through the various post-third-party cookie alternatives is an emphasis on consumer privacy. In other words, brands and AdTech companies should keep consumer consent models in mind when developing a post-third-party cookie strategy. Not only will a consent-based approach help ensure regulatory compliance with the patchwork of global and US state privacy laws, but it will also be consistent with the most relevant emerging industrywide, non-platform-dependent cookie-alternative strategies and tools, such as first-party data and people-based and anonymous user IDs.

 

Linda Goldstein is recognised as one of the leading advertising lawyers in the US. She provides advertising counsel and regulatory advice to leading Fortune 500 companies across multiple industries. She advises clients on how to minimise the legal risks associated with mobile marketing, e-retail, online communities, social influencers, native advertising, email and telemarketing, sweepstakes and contests, fantasy sports leagues and casual gaming. She can be contacted on +1 (212) 589 4206 or by email: lgoldstein@bakerlaw.com.

Gerald Ferguson assists digital media and brick-and-mortar companies in developing, protecting and exploiting digital assets and intellectual property (IP). His experience includes designing and implementing national and global privacy programmes, vetting new digital products and services for legal compliance, managing responses to data security incidents, reducing risk in connection with the purchase or sale of digital assets, and developing IP portfolios. He can be contacted on +1 (212) 589 4238 or by email: gferguson@bakerlaw.com.

Fernando Bohorquez is a forward-thinking, problem-solving attorney who handles commercial, IP, privacy and bankruptcy litigation and business disputes. He has deep knowledge of and experience with all phases of civil litigation, managing large-scale cases in high-profile and high-pressure environments. He is a trusted adviser to technology and e-commerce companies on business law, litigation, IP, online advertising, and privacy and data security. He can be contacted on +1 (212) 589 4242 or by email: fbohorquez@bakerlaw.com.

Jeewon Serrato’s practice focuses on guiding organisations through periods of transformation and change, whether they are driven by innovation or crisis management. She counsels clients in the areas of consumer privacy, cyber security, data optimisation and data science. She assists clients in pivoting their business models, accelerating growth as a new business, and developing strategic acquisition, exit or divestiture plans. She can be contacted on +1 (415) 659 2620 or by email: jserrato@bakerlaw.com.

Justin Yedor focuses on creative solutions to clients’ data privacy problems. He is a thought leader on California privacy law, and a go-to adviser on the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). He helps clients make strategic decisions within the framework of these and other data privacy and consumer protection laws. He can be contacted on +1 (310) 979 8405 or by email: jyedor@bakerlaw.com.

© Financier Worldwide

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.