The word of the year, at least according to Collins English Dictionary, is “NFT.”
Putting aside the fact that NFT is an acronym and not a word, consider a proposal that the word of the year for 2021 be “consent.”
With third-party cookies going away and other identifiers, like Apple’s IDFA, getting harder to come by, ad buyers, media sellers and their ad tech partners are all madly angling for opt-ins.
Although, not everyone is scrambling. As Nate Woodman, CEO and founder of tech consultancy Proof, noted in a July AdExchanger column, some brands and agencies are paralyzed not by a lack of desire to solve for digital identity online but from a lack of certainty that any solution being put forward, whether by a biggie or an indie, will be viable and road-ready by the time third-party cookies finally breathe their last on Chrome.
Ask and ye shall
There is something advertisers and publishers can do to obtain consent without finagling or duplicity: Ask for permission, be transparent and offer a decent value exchange – as opposed to issuing a dire warning that failing to opt in will lead to a suboptimal experience.
“Data privacy is no longer a niche field with protections quietly implemented by privacy professionals behind closed doors,” said Caitlin Fennessy, VP and chief knowledge officer at the International Association of Privacy Professionals. “As a result, companies are getting better at explaining the ‘what’ and ‘why’ of tracking and are pairing that with campaigns for user trust.”
This dynamic could serve as one explanation for a somewhat surprising recent finding from Gartner, which predicts the opt-out rate for mobile app tracking will decline from 85% now to 60% by 2023.
But there’s a bigger story here than developers optimizing their pre-permission prompts on iOS, said Andrew Frank, Gartner VP of research.
Some people will opt in because they don’t like the less targeted experience they’re served after opting out, he said.
Consumers are “learning that there’s a cost to dealing with in-targeted ad loads and in-app pressure to buy goods or subscriptions,” Frank said. And they will opt in more regularly when they’re familiar with the new opt-in system and see benefits from sharing data.
The top two reasons consumers provided to Gartner for why they choose to share data included product or brand familiarity offer and in exchange for incentives, such as cash rewards, discounts, coupons or loyalty points.
And that’s “despite the fact Apple promises to ban and reject apps that attempt to offer users monetary incentives to enable tracking through ATT [AppTrackingTransparency],” Frank said.
But how did we get here?
With your permission, let’s reminisce. It’s been a long year.
January 2021
Google Ends Its Silence On IDFA Prep Plans, Won’t Show ATT Prompt In Its Apps
Google says it will no longer collect and use the IDFA in its own iOS apps that currently do so for advertising purposes. That means Google will not show the ATT opt-in prompt in these apps, including YouTube and Maps.
After leaving developers on tenterhooks for months, Apple finally shares its broad timeline for ATT implementation.
CCPA On The East Coast? Meet CDPA, Virginia’s Consumer Data Protection Act
Virginia’s House of Representatives and Senate pass the Consumer Data Protection Act (CDPA) – an opt-in law – with sweeping majorities.
March
Virginia’s Gov. Signs The Customer Data Protection Act Into Law
Virginia Gov. Ralph Northam signs the CDPA into law. Under the CDPA, businesses are required to prove they have informed consent before processing personal data. As with the GDPR, Virginia’s law requires that consent be clear, affirmative, freely given, specific, informed and unambiguous in order to process personal information.
Google gives The Trade Desk’s leadership a migraine – and throws shade at Unified ID 2.0 – with the announcement that it will not use alternative methods to track users online once it ends support for third-party cookies on Chrome. From Google’s point of view, even consented PII graphs essentially mirror the functionality of cookies by aggregating IDs from many users around the web.
It’s not clear, though, if Google will go so far as Apple, which only allows developers to use identity data on iOS if it’s been collected with permission through an ATT prompt.
Project Rearc One Year In: IAB Tech Lab Proposes Specs For Accountability And Addressability
The IAB Tech Lab releases several technical specifications for review in support of Project Rearc, an industry initiative to develop a framework for online targeting without third-party cookies. One of the proposals is for a Global Privacy Platform that would plug into an Accountability Platform and provide a systematic way for companies to use compliance tools, such as the Transparency and Consent Framework in Europe and the IAB’s CCPA compliance framework.
Google Will Not Run FLoC Origin Tests In Europe Due To GDPR Concerns (At Least For Now)
Google decides not to make Federated Learning of Cohorts (FloC) available for testing in countries where GDPR and the ePrivacy Directive are in effect.
Why? It’s possible that when a web browser places someone in a cohort and associates them with a FLoC ID, that could count as personal data under the law. And so processing personal data to generate a cohort assignment without the proper consent would be a GDPR violation.
April
Apple Is Expanding Its Ad Business On The Cusp Of ATT Enforcement (Yep, You Read That Right)
Sources tell the Financial Times that Apple plans to expand its App Store business with a new ad slot appearing in the “Suggested” apps section of the store’s search page. Although the new unit isn’t a massive addition to Apple’s ad offering, it is somewhat hypocritical considering Apple’s high-profile condemnation of targeted advertising.
In the settings for iOS 14, for example, personalized advertising for Apple Advertising is enabled by default, a luxury explicitly not afforded to third-party developers and advertisers.
IOS 14.5 Is Live, ATT Enforcement Begins – And Here’s How We Got Here
It’s alive! Apple at long last releases iOS 14.5 out of beta – and, along with it, the AppTrackingTransparency framework finally enters the world.
May
Tapad Is Shutting Down Its Business In Europe
Experian-owned Tapad says it will exit its European business after seven years in the market and stop the delivery and use of its graph in the EU by August 1.
Better safe than sorry? For backstory, the UK’s data protection authority, the ICO, dinged Experian in 2021 after a two-year investigation into how the major credit reporting agencies handle sensitive financial data. The ICO found that Experian inappropriately used data for marketing purposes when consent had only been given for credit processing purposes – a big no-no under GDPR.
Google Tightens ‘Limit Ad Tracking’ Policies For Android Ad ID
Google says it will start zeroing out the Android Advertising ID – literally – when users have opted out of personalized advertising.
WWDC 2021: Apple Calls Open Season On IP Address Tracking And Targeting
In addition to announcing that it will start purposefully obfuscating IP addresses on iOS 15, Apple says it plans to release two new features, one which would allow people to see the trackers that attempted to profile them on Safari (dubbed the Safari Privacy Report) and another (the App Privacy Report) that will show how often apps use the permissions they’ve been granted to access someone’s location, photos, camera, microphone and contracts over the past seven days.
July
After Apple Tightens Tracking Rules, Advertisers Shift Spending Toward Android Devices (WSJ)
Advertisers began spending more on Android, where user-level targeting is easier, in the months after Apple started requiring iOS users to give permission for tracking purposes, according to Branch Metrics data.
Colorado Governor Signs Privacy Law Giving Consumers Right To Reject Ad Targeting (MediaPost)
Following in Virginia’s footsteps, Colorado Governor Jared Polis signs the Colorado Privacy Act (CPA) into law. The CPA will require that companies honor all opt-outs from targeted advertising, including requests that come through browser settings or other global opt-out mechanics. Companies will also have to obtain a person’s express consent before processing sensitive data, including info about race, ethnicity, health conditions and sexual orientation.
Facebook Is Rebuilding Its Ads To Know A Lot Less About You (The Verge)
Graham Mudd, Facebook’s VP of product marketing for ads, tells The Verge that the company’s ad personalization will “evolve very meaningfully” over the next five years to accommodate more built-in privacy and less granular ad targeting, including a more “anonymous, or at least more privacy conscious” version of custom audiences and look-alikes.
“If an advertiser and Facebook have the consent of [a] user to share that user-level information, then our expectation is that will and should continue. Consent will play a really important role in products like that,” according to Mudd. “But in cases where we don’t have consent, that’s where privacy enhancing technologies like multi-party computation can actually play a pretty meaningful role in trying to understand which types of people would find an ad relevant without ever learning about individual people.”
September
Your Guide To PIPL, China’s New Privacy Law
China passes the Personal Information Protection Law, which, unlike GDPR, does not include legitimate interest as a legal basis for processing personal data. In other words, consent might be the only game in town in China.
With iOS 15, Apple Will Get Permission Before Serving Its Own Targeted Ads
Sensitive to growing antitrust scrutiny, Apple tests a new pop-up for iOS 15 to request permission before enabling personalized advertising. This would be the first example of Apple asking users to opt into personalized ads in its own apps.
Big caveat here, though: Personalized advertising will still be enabled by default on iOS 14 and all older versions of Apple’s iOS, and Apple is also using a different, far more ad tech-friendly pop-up for itself than what it requires of third parties with ATT.
It’s Time To Comment On CPRA Rulemaking – Your Deadline Is Nov. 8
California’s new privacy protection agency begins seeking public comments to fine-tune its enforcement of the California Privacy Rights Act, including questions of how opt-out rights should work with respect to automated technology and how consumers’ right to opt out of the selling or sharing of their personal information should be implemented by tech companies.
October
Facebook says it will stop automatically linking Facebook and Instagram accounts associated with the same user. In the past, Facebook served ads across a user’s Facebook and Instagram accounts based on assumptions linking one account to another. It is unlikely users realized this was happening.
Ad Trackers Continue To Collect Europeans’ Data Without Consent (Digiday)
Digiday reports that three years after GDPR took effect, “consent mismatches and illegitimate data collection continue to undermine advertisers’ and publishers’ efforts” to comply with the law. Hundreds of thousands of online ad impressions served in Europe, for example, were found to contradict the data collection choices made by consumers.
November
Unified ID 2.0 Faces Roadblocks In Europe As A Result Of GDPR
Sources tell AdExchanger that The Trade Desk is having trouble lining up an independent administrator to govern and police the use of Unified ID 2.0 in territories where GDPR is the law of the land.
If consent strings are invalidated – a precedent that could soon be set in Belgium – it’s unclear how permissions will be shared across publishers and ad tech partners using UID2.
IAB Europe Says It’s Expecting To Be Found In Breach Of GDPR (TechCrunch)
IAB Europe recently announced that Belgium’s data protection authority will likely find it in breach of GDPR for its role in the Transparency & Consent Framework (TCF), a consent-collection system used by more than 80% of European websites.
Apple Reaches Quiet Truce Over iPhone Privacy Changes (Financial Times)
The Financial Times reports that Apple appears to be allowing companies including Facebook and Snapchat to continue tracking users even if they’ve opted out provided the data they collect is anonymized and aggregated rather than linked to specific user profiles.
Norway Spotlights Grindr’s Ad Tech Vendors
Norway’s data protection authority fines gay dating app Grindr $7.6 million for sharing sensitive personal information with its advertising partners – including (then Twitter’s, now AppLovin’s) MoPub, Xandr, Smaato, AdColony and OpenX – without user consent, a violation of GDPR.
OpenX’s no good, very bad day continues with the announcement on the same day as the Grindr settlement that OpenX has agreed to pay $2 million to the Federal Trade Commission to settle allegations that the company violated the Children’s Online Privacy Protection Act by collecting the personal information of children under the age of 13 without getting parental consent first.
Apple And Google Duopoly Limits Competition And Choice (UK CMA)
The UK’s Competition and Markets Authority publishes an interim report based on its probe of the mobile ecosystem that sets out a range of actions the agency could take to address Google and Apple’s “vice-like grip” over mobile devices and consumer choices.
The report specifically calls out Google’s and Apple’s respective “choice architectures,” aka the way in which they present opt-in notices to their users. The report notes “prominent disparities” between how Apple asks for permission for itself and the ATT prompt everyone else has to use.
Worth calling this quote out directly: UK privacy and competition regulators think that the first party/third party data distinction, and Apple’s thesis that it doesn’t ‘track’ you, is basically bullshit. https://t.co/hJitz8KNUv pic.twitter.com/ENSqVG66PP
— Benedict Evans (@benedictevans) December 15, 2021