Top Ad Tech Data Privacy Stories of 2023

Rather than sum up the obvious online privacy trends of 2023, let’s dig into the weeds.

Because we’ve spent enough time and spilled more than enough ink this year about Big Tech privacy fines, law enforcement actions, and the unspeakably slow phaseout of third-party cookies in Chrome. That’s because.

That said, this article wouldn’t have at least mentioned the big news from the Federal Trade Commission last week proposing changes to the Children’s Online Privacy Protection Act (COPPA) that would make it harder for tech companies to collect information. If so, this article would be a waste. Monetize children’s data.

In the words of New York Times reporter Natasha Singer, the long-awaited proposal is “one of the most significant efforts by the U.S. government to strengthen consumer privacy in more than a decade.”

The COPPA rules were last updated in 2013, which might be a century ago in the internet era. In 2013, TikTok didn’t exist. Even TikTok’s predecessor, Musical.ly, didn’t exist yet. Clearly, the COPPA update has been long overdue.

The public now has until mid-February to submit comments to the FTC on the proposal. (If you’d like, read the draft here .) The FTC will then consider the comments it receives before taking next steps.

So here are AdExchanger’s top five ad tech-flavored data privacy stories of the year.

Wait… (or not)

This ultra-technical detail about the inner workings (and consent failures) of PubMatic’s identity management tool was the most trafficked privacy story of the year.

In short: We found that PubMatic’s Identity Hub had a default consent timer set to a fraction of a second, which was too short. This means that even though an opt-in mechanism was in place, there was not enough time to actually obtain consent. Gather consent. This puts publishers using this tool at risk of GDPR violations.

Many thanks to Mike O’Sullivan and Ian Myers of Sincera for their discovery.

Separately, the Sincera team also noticed that PubMatic was monitoring Prebid API activity and replacing identifiers sent to the DSP in the main wrapper with IDs retrieved from Identity Hub on the fly.

Why should publishers care? Because you can never be too careful.

Mr O’Sullivan said: That means he checks everything himself. ”

(AddThis)SubtractThat

Oracle acquired social sharing and content recommendation widget AddThis for $200 million in 2016. At that time, Oracle still had big ambitions in its data cloud business.

These aspirations disappeared in the face of privacy regulations. In 2019, Oracle stopped using AddThis data without consent from Europe in third-party audience segments to comply with GDPR. However, European publishers can continue to use AddThis tools, including social bookmarking, for free.

But four years later, Oracle permanently shut down its AddThis business globally, which was inevitable. If Oracle cannot access third-party data from publishers through AddThis, there is no point in maintaining the service.

It was no longer worth juicing, especially given the regulatory risks.

From ad tech to privacy technology

The past few years have seen the birth of a number of privacy technology startups founded by programmatic veterans trained in ad tech.

If you want to know where a body was buried, you can ask the person who buried it.

Or as Senior Editor James Hartcher puts it in an article introducing these four startups (Coir, lockr, Licorice, and Qonsent): Some of the canaries then escape and start businesses to help the mine owners do better. ”

The elephant in the clean room

Data clean rooms have become one of the hottest technologies in ad tech, but they are not a perfect solution to all privacy issues.

The promise of secure data collaboration is real, but just because you put data in a clean room doesn’t automatically make it consent or compliant. Also, not all data clean rooms offer the same level of security and encryption.

That means advertisers need to do their own due diligence before selecting a clean room partner, as InfoSum’s VP of Product Marketing pointed out at the IAB Tech Lab Rearc privacy event in New York City earlier this year. there is.

That’s because if a platform doesn’t live up to its security promises and private data is exposed, linked or enriched by another dataset, “there’s no going back on that,” de Blasio said.

in a certain state

Currently, 12 states in the United States have passed their own data privacy laws.

California, Colorado, Connecticut, Utah and Virginia already have laws in place. Privacy laws in Montana, Oregon, and Texas will go into effect next year, followed by Delaware, Iowa, and Tennessee in 2025. Indiana’s privacy law goes into effect in 2026.

(And that’s not to mention the states that are currently actively enacting privacy laws: Maine, Massachusetts, Michigan, Missouri, New Hampshire, New Jersey, North Carolina, Ohio, Pennsylvania, and Wisconsin. is.)

To help stakeholders in the advertising industry comply with this evolving legal landscape, the IAB launched the Multilateral Privacy Agreement (MSPA) in 2022. The MSPA is a so-called “spring contract”, which creates a contractual relationship between the signatories so that they can (in theory, at least) ensure that their data flows through the supply chain to different jurisdictions. , must comply with multiple state laws.

As Associate Editor Anthony Vargas says in an article explaining how MSPA works for publishers: “The goal is to comply with the law while preserving the status quo of digital advertising as much as possible.”