Why regulators are still at odds over ad tech data privacy standards
By Seb Joseph
The “best laid plans of mice and men often go awry” is as typical for regulators as the oft-quoted extract is true.
Nowhere is this more apt right now than when it comes to curbing the unintended consequences of a data industry that’s powered by ad dollars, mired in complexity and underscored by nondisclosure agreements.
Take a recent instance in the U.S. in which the Federal Trade Commission sued ad tech vendor Kochava for allegedly selling location data that could track movements to domestic violence centers, reproductive health clinics and other sensitive places.
Intentions don’t always turn into realities. If they did, Kochava would have settled with the FTC. Instead, the ad tech firm has refused to settle over terms CEO Charles Manning said are “ambiguous.”
The sense of deja vu is palpable for anyone who follows these things closely.
At the start of the year, it seemed like the future of the Transparency Consent Framework (TCF) — the IAB Europe-led, industry-wide attempt to standardize compliance with the General Data Protection Regulation — was grim. Data protection watchdogs said it was illegal in its current form. Obituaries for its imminent demise swiftly followed. Several months on and those claims look increasingly premature. That’s because a few weeks ago (early September) it became clear that the TCF’s fate would be decided by the European Union’s high court.
Or rather, Europe’s top court would give its verdict on whether data was unlawfully collected through TCF and if the IAB Europe is financially liable for any GDPR claim brought against the ad tech ecosystem as a result. It’s crucial given the appeals court will not deliberate on the future of TCF until these questions are answered. That decision won’t arrive for at least another year.
So much for assertive enforcement.
The problem with attempts to bring order to online advertising’s data industrial complex is how loosely written the rules are. There’s enough opacity in these regulations, whether its GDPR or the California Consumer Privacy Act, to give companies some wriggle room to argue that no offenses were committed. And that’s exactly what has happened.
Companies (by and large) followed the law, but not always the spirit of it. Call it an inconvenient truth. When regulatory change is announced businesses are left to interpret the new legal requirements and adapt their business models as they see fit. The result can be messy, confusing, and lead to numerous attempts to flout or circumvent the rules.
Of course, data privacy regulators were going to want to put down a marker.
That’s not actually the issue for Kochava’s CEO. Manning understands reform is painful but necessary when it comes to data privacy. It’s the way the FTC has gone about pursuing those reforms that ruffled the ad tech exec.
“We’re seeking specificity and the FTC isn’t prepared to provide it,” said Manning.
For Kochava, the devil is in the details: The FTC wanted to Kochava to block sensitive location data but didn’t specify what that meant, said Manning. Had that specificity on locations …read more
Source:: Digiday