“Data Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is by Jay Stocki, VP of Business Development at Bering Media. All opinions are Jay's alone and not those of Bering Media.
We have a privacy problem in online advertising. An anecdote that sums it up well came about as I walked my father through what I do for a living. After multiple explanations of the various display ad targeting machinations, his explanation back to me was as follows:
- "So IP targeting is like direct mail through the post office. Companies target me with ads because they can make certain assumptions about what I like/want based on the demographics of my neighborhood." "Yes Dad."
- "First party cookie ads are like mailings or phone calls I get from companies that I already do business with. We have an established relationship and they might want to sell me something else so they target me." "Essentially correct."
- "Third party cookie ads are people trying to contact me because they have been watching me – where I go, what mail I open, what stores I shop at." "Umm – a bit harsh, but not wrong."
Of course my father's next question was on how to control it. We started with IP targeting. Since IP targeting is controlled by his ISP, we logged into his ISP account and went to his preferences page. A checkbox allows for disabling IP location targeting. This enables/disables any IP targeting on all browsers on all devices in his house - simple enough. Note, I am not referring to GeoIP targeting from third party databases but to accurate IP targeting by using ISP data.
The next step was to control cookie targeting. We first talked about the NAI AdChoices icon. We even watched their video. Opting out was simple enough, but even my father grasped that this was a partial solution. That led to a discussion of the advantages of cookies, why they exist, etc. We then continued the control discussion by examining customizing cookies on a browser-by-browser basis. I walked him through how to control first and third party cookies on IE and Firefox. I also showed him what cookies were on his machine. We were about 20 full screens down the cookie list and were still in the 'A's of the alphabetical list. He looked at me and asked "All of the companies have left something on my computer and didn't ask me? And that's legal?" This led to another hour of discussion about EULAs, disclosure, etc.
I work in online advertising. I am not a fan of Do Not Track as the default. When used properly, third party cookies are valuable for users and advertisers alike. Banning third party cookies puts too much power in the hands of large publishers. An expansive first party data set and broad reach give large publishers a significant advantage over small publishers. However, we cannot deny that we have a privacy problem in online advertising that needs to be addressed. Current control mechanisms are not "Privacy by Design." They are "Privacy by Bolt-on". The average user has no idea how or why they are being targeted, much less on how to control it. The NAI model was a valiant effort, but in practice it does little for the average user like my father. Firefox's recent announcement that it will turn Do Not Track on by default is being heralded as a win for privacy, but it is like using a bazooka to kill a cockroach. Nonetheless, the Mozilla team is responding to a real problem voiced by their users.
The online ad industry needs to take a hard look at the privacy relationship with the consumer. The approach taken by ISPs regarding IP-based targeting is a solid model to follow. The ISPs have implemented a Privacy by Design methodology. The data use case is completely transparent and explained in language the average user can understand. Most importantly, the privacy control interface is easy to use. Granted, this is a far simpler use case as there is no behavioral component to IP-targeting, but the ISPs that are doing IP-based targeting have provided a good model to follow.
Advertisers, publishers, ISPs and ad-tech vendors must work together to make an easy-to-use and effective privacy control point. If we fail to act now, there will be continued point solutions that could do more harm than good. Even worse, we may have a solution forced upon us by legislation.