The future of online advertising – automated trading and you

In the finale of our serial feature on automated trading, we look at the privacy issues arising and the pitfalls they’re creating for brands and brand environments. In a landscape that changes as quickly as the online world does, mired in the complexities of an increasingly data-driven advertising market, can Australia’s lawmakers keep up, how much responsibility should industry take and who’s looking out for the consumer?

Before delving into this piece, we highly recommend reading Part One (or at least the glossary of terms at the end). Also in this series: Part Two, on DSPs and marketers, Part Three, focusing on media agencies, and Part Four, on publishers.

 

“Proposed Privacy Law is out of touch with business and the digital economy”. That was the title of a media release issued by the Australian Data-driven Marketing and Advertising Association (ADMA) around the middle of 2012, referring to draft legislation put before parliament after a six-year review of Australian digital privacy laws that would see all marketing and advertising messages required to carry opt-out options.

The Association has “significant concerns” about the proposed legislation; it would like it to be less technology specific. “The legislation has been designed for the last decade and includes restrictions that will hinder the ability for Australia to build a digital economy and compete in the global marketplace,” says ADMA CEO Jodie Sangster.

The beginning of the six-year review predates the rise of social networks such as Facebook and Twitter and technologies such as real-time bidding in online advertising. Many questions are raised: in a landscape that changes as quickly as the online world does, mired in the complexities of an increasingly datadriven advertising market, can Australia’s law-makers keep up, how much responsibility should industry take and who’s looking out for the consumer?

A piece of the PII

Current law in Australia addresses the types of information that can be collected and used by marketers. In online advertising, the most common mechanism for collection of user data is the oft-mentioned but little-understood cookie – a small text file stored in the user’s browser written by websites the user visits, thereby tracking that user’s online activities. It could be that she read a news article about football, or that she logged into her Hotmail account. Richard McLaren, Mi9’s chief data and technology officer, explains: “There is a reasonably strict definition in law of personally identifiable information (PII), which is essentially information that can identify you as a unique person. It’s something like an address, a name, social security number… anything that picks you out as an individual.” It’s the ‘non-personal’ information that advertisers and publishers can use, and what they’re really interested in – a user’s interest in buying a SUV, socioeconomic class, city of residence – especially for brand advertising.

But it’s in that distinction – the irony of what defines personal information – that David Vaile of the University of Sydney’s Cyberspace Law and Policy Centre and board member of the Australian Privacy Foundation sees issue. On the one hand, some data, such as the behavioural data that is so valuable to the real-time bidding model of advertising trading, is not defined as being personally identifiable, and does not fall under the legal definition of PII. But at the same time, the industry clamours to harvest it. “There’s a deceptive and inconsistent logical sleight of hand going on, because [those in the industry] then go and say, ‘We know enough about this person to know what’s happening inside their head and send an advertisement that will hopefully find favour, and maybe even slip under their radar if the package is right. But we say that this is not personal information’.”

What is valuable to advertisers and therefore publishers are characteristics of an audience that are targetable, rather than personally identifiable, McLaren points out. The idea that advertisers are interested in individuals (in an online display advertising context) does not make economic sense, and what may seem like an advertisement that is very specific to you when you’re browsing the web, is in fact applicable to many. “By and large, when people talk about targeted advertising, they’re really on the order of tens or hundreds of thousands of individuals,” says McLaren. Sometimes, we’re not as unique as we feel.

Opt in, opt out

For Vaile and the Australian Privacy Foundation, one of the fundamental issues is respect for the user, manifested in the transparent and open collection of permission and freedom to choose the information provided. Industry practice, that follows current laws, generally operates on the implicit collection of permission. For example, visiting a website acts as implicit permission, as described in that website’s terms and conditions, for the website’s publisher and its partners to collect visitors’ information – your consent is assumed unless it is explicitly withdrawn.

At any one time during a visit there may be a dozen or more third-party services occurring in the background, ranging from Google Analytics and social media services, to services involved in the serving of targeted advertising such as those by supply-side platforms and advertising exchanges. Vaile recommends installing a browser plug-in such as Ghostery, which alerts users to the third-party services occurring in the background as they browse the web.

The crux of the issue, says Vaile, is that users are largely oblivious to the activities occurring behind the scenes as they travel the web, as well as the fact they’re giving permission for it all to happen.

“We should have much greater transparency and permission seeking. What Ghostery has revealed is, basically, invisible industries going on not seeking people’s permission,” he says. One of the questions currently up in the air is whether Australia will follow a path similar to the US, where business is favoured, or the UK and Europe, which has introduced regulations requiring web companies to obtain explicit consent before storing cookies.

The grace period came to an end in June this year, and the European Commission is taking five countries – Belgium, the Netherlands, Poland, Portugal and Slovenia – to the European Court of Justice, seeking fines in the tens of thousands of euros per day of noncompliance.

Can the Australian industry self-regulate?

When dealing with data, consumer privacy is foremost in the industry’s mind, says Paul Fisher, CEO of the Interactive Advertising Bureau (IAB) Australia. “Everything that is done with that data has to be done, firstly, in total compliance with existing legislation. Secondly, the industry has got to come up with best practice guidelines and self-regulatory guidelines, which we’ve done, for example, with online behavioural advertising.” He cites the Australian Digital Advertising Alliance, which last year published a multi-industry best practice guideline for online behavioural advertising – an effort that he predicts will evolve to apply to ad exchanges and automated trading.

“We have a very good track record of selfregulation in this industry,” says Fisher. “And I think we would like to continue self-regulating to protect consumers while also protecting business.”

Those two things are not mutually exclusive.

“They actually have to go hand in hand. When consumers feel protected, and they feel in control of their data and their privacy, then they are quite willing for that data to be used in exchange for free services and free content,” says Fisher.

Vaile disagrees that the industry can regulate itself, and that it’s doing enough to inform users of what information is being collected and get their permission. He has no sympathy for an industry that “started off from a fundamentally disrespectful assumption that permission-based marketing is a pain because some people might say no.

“If industry wanted to say that self-regulation is the answer to this, then they need to pull their socks up and say something where [consumers are able to] make their own choices, and maybe to accept, to opt in to services where they think they’re respectable, they’re out in the open, they’re members of industry associations, and they give enough information to decide.”

McLaren sees it as a matter of economics, and also points out that Australian legislation doesn’t necessarily protect Australian users browsing websites hosted in the US, or any other country.

“We have a consenting, understanding, informed consumer willing to have some of their behaviours noted in order to be served more relevant advertising in a way that allows us to provide better free content. Somehow impeding that seems to be contrary to the free market, to be honest, and contrary to the competitiveness of Australian businesses.”

The way the cookie crumbles

For now, it seems, ADMA will be parking the bus in Canberra. Sangster says, “We need legislation that recognises the fresh and innovative ways that the digital economy can both protect the consumer and allow businesses to innovate, understand their customers and deliver on their expectations and needs.”