The “best laid plans of mice and men often go awry” is as typical for regulators as the oft-quoted extract is true.
Nowhere is this more apt right now than when it comes to curbing the unintended consequences of a data industry that’s powered by ad dollars, mired in complexity and underscored by nondisclosure agreements.
Take a recent instance in the U.S. in which the Federal Trade Commission sued ad tech vendor Kochava for allegedly selling location data that could track movements to domestic violence centers, reproductive health clinics and other sensitive places.
Intentions don’t always turn into realities. If they did, Kochava would have settled with the FTC. Instead, the ad tech firm has refused to settle over terms CEO Charles Manning said are “ambiguous.”
The sense of deja vu is palpable for anyone who follows these things closely.
At the start of the year, it seemed like the future of the Transparency Consent Framework (TCF) — the IAB Europe-led, industry-wide attempt to standardize compliance with the General Data Protection Regulation — was grim. Data protection watchdogs said it was illegal in its current form. Obituaries for its imminent demise swiftly followed. Several months on and those claims look increasingly premature. That’s because a few weeks ago (early September) it became clear that the TCF’s fate would be decided by the European Union’s high court.
Or rather, Europe’s top court would give its verdict on whether data was unlawfully collected through TCF and if the IAB Europe is financially liable for any GDPR claim brought against the ad tech ecosystem as a result. It’s crucial given the appeals court will not deliberate on the future of TCF until these questions are answered. That decision won’t arrive for at least another year.
So much for assertive enforcement.
The problem with attempts to bring order to online advertising’s data industrial complex is how loosely written the rules are. There’s enough opacity in these regulations, whether its GDPR or the California Consumer Privacy Act, to give companies some wriggle room to argue that no offenses were committed. And that’s exactly what has happened.
Companies (by and large) followed the law, but not always the spirit of it. Call it an inconvenient truth. When regulatory change is announced businesses are left to interpret the new legal requirements and adapt their business models as they see fit. The result can be messy, confusing, and lead to numerous attempts to flout or circumvent the rules.
Of course, data privacy regulators were going to want to put down a marker.
That’s not actually the issue for Kochava’s CEO. Manning understands reform is painful but necessary when it comes to data privacy. It’s the way the FTC has gone about pursuing those reforms that ruffled the ad tech exec.
“We’re seeking specificity and the FTC isn’t prepared to provide it,” said Manning.
For Kochava, the devil is in the details: The FTC wanted to Kochava to block sensitive location data but didn’t specify what that meant, said Manning. Had that specificity on locations been provided, Manning said he and his team would have been able to incorporate it (if it wasn’t already) into a product called Privacy Block they had built to do just that. Instead, that clarity never came, continued Manning.
“They [the FTC] said ‘no, that’s not how this is going to work’, and said they’d name out ‘sensitive health locations,’” continued Manning. “It left us with a question of how we get that specificity in a marketplace of data where what could be sensitive for one, may not be sensitive for another.”
Good luck trying to predict how this shakes out.
Neither the FTC nor Kochava seem prepared to walk back their widely reported stances on the matter. So there’s every chance this gets decided in the courts. And even then it could go either way. Yes, there’s a precedent. Indeed, the FTC has cracked down on the potential use of sensitive data in ways that people may not be clearly aware of or expect. Then again, Kochava hasn’t actually been found to have used data on ‘sensitive health location’ this way, said Manning. And even if it had that wouldn’t be illegal.
There are currently no federal laws that oversee the data broker industry — a point that was brought into sharp focus last month when the FTC had the opening comments for its rules making process after it filed the lawsuit against Kochava.
Or to put it another way, enforcement from the FTC came before it actually had regulation to enforce. No surprise there. In a post-Dobbs world, the regulator is acting with more urgency.
If this proves to be a flashpoint for data privacy then history indeed rhymed with the uncertainty over the TCF in Europe. But unlike the tet-a-tet between Kochava and the FTC, TCF’s moment of reckoning was hardly unexpected. If anything, it was a surprise that regulators hadn’t moved on it sooner. Remember, TCF relies heavily on good actors and the industry’s desire to be compliant. Spoiler: not everyone is. Data brokers are still trading personal data, and the online ad industry is riddled with potential abuses.
“The TCF isn’t a soup to nuts, GDPR-compliant solution in so far as there are a lot of other things you’re going to need to do to comply with the law,” said the IAB Europe’s CEO Townsend Feehan. “What the Belgium APD [regulators] want is for the TCF standard to take on more compliant functionality, which we will undoubtedly do sooner or later. That said, the responsibility for data processing for advertising has to lay with the companies that process data.”
A transformation of this kind would saddle IAB Europe with significant new costs since it requires the development and ongoing operation of a technical accountability infrastructure. That could be a very tall order, if not impossible, given how the OpenRTB ecosystem functions today — a thought not lost on the IAB Europe.
Wherever these lines in the sand are ultimately drawn could have major implications. They could either cement privacy watchdogs’ authority to regulate the space or severely hamper it.