The Top 5 Biggest Adtech Shakeups in January 2022*

McKenzie Thomsen
Apr 28, 2022

It was a wild 2021 for adtech privacy, and judging by the number of newsworthy pieces this past month, 2022 will be turbulent. Here are the top 5 biggest shake-ups in adtech privacy of January 2022.

  1. FLoC Killed Cookies, but Privacy Advocates Killed FLoC. Now Introducing… ‘Topics.’

The saga of Google’s third-party cookie continues with deprecation now scheduled for the end of 2023. No, Google hasn’t pushed back the date of deprecation again, and the word on the street is that they won’t. But the cookie replacement has changed. Google originally announced they were replacing cookies with the Federated Learning of Cohorts (FLoC), which would gather a user’s browsing data and put users into categories (cohorts, if you will) based on interests. For example, if a user visited travelocity.com and looked at traveling to Lima, Peru, then Google would put that user into a cohort of people interested in traveling to Lima. But privacy advocates said FLoC wasn’t privacy preserving enough, that it didn’t actually stop users from being tracked. Instead, FLoC made it so that only Google could track a user, which isn’t privacy preserving; it’s just disintermediating in the name of privacy.

Well, the backlash worked. The newly introduced ‘Topics’ works on a similar principle to FLoC, in that it tracks user interests based on their web browsing. The difference is that the interests disclosed are broader, thus giving out less information to advertisers. Essentially, the Topics method of targeted online advertising gives marketers less-granular information about web users.

  2. CNIL Fines Google and Facebook for Dark Patterns

CNIL has fined Google 150 million euros and Facebook 60 million euros for letting users opt in to cookies easily, but not letting users opt out easily. Google, including YouTube, and Facebook made it harder to reject cookies than to accept them; that’s what’s been deemed a “Dark Pattern” (a hot topic of 2021). According to the CNIL, it took several extra clicks to reject cookies. Along with paying the fines, the companies have to fix the errors and make it just as simple to reject cookies as it is to accept them. If they don’t fix the errors, the companies have to pay 100,000 euros a day.

  3. Legislate Away Surveillance Advertising

Congresspersons Eshoo (D-CA), Schakowsky (D-IL), and Booker (D-NJ) have introduced a bill to ban ‘Surveillance Advertising.’ The term ‘Surveillance Advertising’ was coined by Harvard Professor Shoshana Zuboff. The term gained popularity with her book, “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power,” and has become a common term for using personal data for targeted advertising. While the bill bans targeted advertising, it does explicitly state that contextual advertising (where ads are selected based on the context of what the user is looking at on the page where the ad is served) is allowed. This bill should serve as a wake-up call to adtech. The current forms of self-regulation aren’t working well enough. If you want legislators off your back, step up your self-regulatory game.[1]

  4. If Legislation Won’t Do It, How About the FTC?

In January, the FTC looked for public comment on a petition filed by Accountable Tech that asks the FTC to use its rulemaking authority to prohibit ‘Surveillance Advertising.’ Did I mention that privacy advocates want more regulation of adtech? The petition states that surveillance advertising is “inherently an unfair method of competition” as it relies on and reinforces “monopoly power.” While the FTC typically regulates unfair methods of competition through enforcement actions, it does have the power to promulgate legislative rules as well.[2]

  5. Data Clean Rooms are Hot.

Finally, let’s talk about data clean rooms. They’re the next big thing in adtech. Because Google is joining the likes of Apple and Mozilla and getting rid of third-party cookies, adtech is reeling trying to figure out how to measure returns on advertising spend.

Let me give a quick primer. Cookies can do more than track a user’s interests based on their browsing activity. Cookies can also let advertisers know which ads were effective (the measurement of ad effectiveness is called “attribution”). This issue isn’t unique to web browsing without cookies; it’s the same issue advertisers face with Apple’s AppTrackingTransparency (ATT). Without the use of cookies (or the IDFA on iPhones), advertisers don’t know which advertisements were effective and so don’t know how to spend their money on future campaigns.

So where do data clean rooms come in? Data clean rooms allow advertisers and brands to match user-level data without actually sharing personal information (with the correct privacy controls, that is). And you can add all your favorite buzzwords to data clean rooms too: ‘differential privacy,’ ‘homomorphic encryption,’ whatever. The data clean room can employ all kinds of privacy engineering; it’s just up to the owner of the clean room to do so. Big companies, sometimes referred to as “content fortresses,” already have data clean rooms where you can upload your first-party data and analyze your ad campaign. What’s new is ‘cross-network’ attribution, which is the use of a data clean room not by a single content fortress, but by multiple companies. There is a debate on Twitter about whether this use by multiple companies constitutes cross-site/cross-context tracking of users, even with all the privacy engineering buzzword bingo. We’ll see what happens. Maybe adtech will step up their game and self-regulate data clean rooms to avoid 3. and 4. above. Time will tell. Either way, data clean rooms are hot.

*originally posted by the Privacy Law Section of the California Lawyers Association January, 2022 https://calawyers.org/privacy-law/cla-privacy-law-sections-january-month-in-review-what-you-need-to-know-january-2022/#_ftn1

McKenzie Thomsen

Privacy attorney @ In-House Privacy, Inc. Co-chair of IAPP’s Silicon Valley chapter.