Tag Archives: CCPA

Consumer Privacy Protection Regulators are Ready. Are You? 

27 Jan

Time for ActionData regulation isn’t new, but many marketers are at risk because of incomplete and or inadequate processes to comply with consumer privacy regulations. This is despite much publicized notifications and warnings related to regulatory enforcement and the levying of fines for non-compliant activity.

Marketers have been tasked with collecting, utilizing and sharing consumer data more responsibly. This means providing consumers with the ability to understand whether data is being collected from them, what data is being captured and the purpose for which that data is being used. Further, marketers must provide consumers with the ability to request that their personal data be deleted and made unavailable for specific purposes.

The challenge has been that there is no omnibus global or federal law that covers all geographies, business sectors or data types. As a result, most marketers are focused on the two broadest-reaching, most comprehensive laws:

  1. General Data Protection Regulation (GDPR) – Adopted by the European Union which went into effect May 25, 2018.
  2. California Consumer Privacy Act (CCPA) – Went into effect January 1, 2020. Coverage expanded with the passage of the California Privacy Rights Act (CPRA), which went into effect January 1. 2023.

Regulation covers a myriad of personal information types including personal identifiers, commercial information, internet or other electronic network activity and other data such as geolocation, biometric, audio, visual, thermal, olfactory or similar information, professional or employment-related and educational information.

Failure to comply can be costly. CCPA infractions will cost marketers $2,500 per violation and $7,500 if the violation was deemed to be intentional. So, for marketers with consumer databases containing tens of millions or hundreds of millions of names, the risks are real. Consider the fines levied by the European Union for GDPR violations:

Top 5 GDPR Fines (Source: Enzuzo)

  1. Amazon – $780 million
  2. WhatsApp – $247 million
  3. Google (Ireland) – $99 million
  4. Google – $66 million
  5. Facebook $66 million

Note: Sephora was fined $1.2 million in November of 2022 for CCPA violations. This was the first CCPA settlement. Risks accelerate as the July 1, 2023 “Enforcement” data nears for the CPRA.

While many marketers have updated “Privacy” and “Data Collection” notices on owned websites, this is nothing more than table stakes in this privacy focused era. Marketers must create platforms, systems and processes that provide a full view of their data, where it’s stored, what it’s used for, where it was gathered from and whether the proper permission was secured. Understanding “Consumer Rights” under these laws is a good starting point for developing such protocols:

Consumer Rights Under the CCPA 

  • Know that personal data is being collected on them
  • Know what personal data is being collected
  • Know if their data is being shared or sold and to whom
  • Ability to opt-out of their data being sold
  • Personal access to their data
  • Option to request that businesses delete their personal data
  • Protection against discrimination for exercising their privacy rights
  • Extra protections from data collection if they are minors

It should be noted that the regulations apply to all marketers, whether they’re focused on Business to Consumer (B2C) or Business to Business (B2B). At present, the CCPA broadly defines “consumer” to include “individuals acting as representatives of their employers.” While there are B2B exemptions that cover certain verbal or written communications with a consumer, the amendment (AB 1355) is highly nuanced and worthy of marketers securing legal guidance.

Beyond the notification of consumers and the provisioning of viewability and opt-out mechanisms, businesses will be tasked with protecting personal data in a safe and secure manner addressing threats to the confidentiality, integrity and access to the personal information in their databases. In addition, marketers will want to review and likely update agreements between their organizations and third-party data processors. These updates should include language requiring such suppliers to maintain data inventories, use due diligence questionnaires, provide records of processing actions, require the syncing of consumer response processes, allow for onsite assessments and audits, and require the mapping of any data elements shared with any party… including data that was sold.

While marketers await regulatory standardization within select markets, near-term it behooves marketers to understand that privacy requirements vary by geography and by sector and that a best practice would be to structure compliance programs to satisfy the strictest legislation, which should cast the broadest net when it comes to complying with other guidelines.

This article was written for informational purposes and not meant as legal guidance.

Tags: , , ,

Fraud & Privacy Regulation Create Digital Media Challenges

21 Apr

ChallengesDigital media’s value proposition is the ability to more finitely target audience segments, moving beyond traditional demographics, leveraging deterministic user data to paint rich, behavioral-based customer profiles, delivering a marketer’s message to those customers inexpensively, at scale.

This dynamic resulted in the rise of U.S. digital media spend from $26 billion in 2010 to $139 billion in 2020 (source: IAB/ PwC).

Yet recent developments, including increased regulatory activity surrounding consumer data privacy protection (GDPR, CCPA) and the resulting moves away from the use of third-party cookies to track website visits and collect consumer data to help marketers target their messages, have exposed some challenges related to digital media and customer targeting that the industry must now contend with.

The primary issue going forward is the fact that the major browsers have stated that they “will not use alternate identifiers” to track consumer web browsing activity. Further, consumers remain distrustful of sharing personal information, which has significantly thwarted marketers’ opt-in efforts, limiting their personalization and targeting strategies.

Secondly, data brokers and data management platform (DMP) providers may offer little credible support in this area. In a recent Forbes article entitled, “How Accurate is Programmatic Ad Targeting” Dr. Augustine Fou suggested that few AdTech providers “have users that voluntarily provide” demographic information. This means that the targeting “characteristics or parameters that a data broker or DMP has on users are derived.”

Thirdly, digital media fraud continues to limit marketing optimization efforts. In their 2021 “Marketing Fraud Benchmarking Report” Renegade and WhiteOps profiled some of the outcomes experienced by marketers whose databases have been corrupted by fraud. These include:

  • Website traffic spikes, not connected to new content
  • Steep increases in traffic associated with marketing campaigns
  • Wide variances in time-on-site metrics, depending on traffic source
  • Lower than expected conversion rates
  • Diminishing quality of in-bound leads

The primary cause behind these occurrences is fraudulent bot activity. In addition to skewing digital media audience delivery and campaign performance indicators, this fraudulent activity has also corrupted consumer databases. Thus, marketers may experience difficulty in determining what percentage of their target profiles and contacts are real or fraudulent, leading to ineffective and expensive retargeting and profiling efforts.

The alternative being suggested by many is to fall back on contextual marketing. In short, placing a marketer’s advertisement in the most appropriate context (e.g. adjacent to the most relevant content). This means either working with publishers and websites directly accessing their first-party data to target advertising based upon user activity and content preferences to shape ad targeting decisions or, in the case of ad networks, serving up ads based upon page content, keywords and metadata.

Unfortunately, some browsers such as Google will not allow advertisers to access contextual content categories and or identifiers to inform their ad targeting efforts. Additionally, one important trade-off of contextual targeting is that data is not collected on the user for use in creating buyer profiles or in predicting future behavior and thus has little value in establishing targeting parameters or in remarketing.

With 54% of U.S. media spend being allocated to digital and 65% of that being programmatic (source: Zenith Media), marketers and their advisers have their work cut out for them as they navigate the new digital playing field.

Tags: , , , , ,

Outdated Client-Agency Agreements Pose Risks to Advertisers

21 Aug

ExpiredWARNING: If the contract between your organization and its advertising agency(s) has an effective date prior to January 1, 2017, you may be at risk.

Not unlike fresh produce, dairy products, meat, medicine or even beer, contract language is perishable. 

Seems far-fetched you say. Consider that the ad industry is a dynamic, fast-paced business sector. One only need recall the breadth and rapidity of change brought on by technology advances and increasing levels of regulation in just the last four years:

  • April of 2016 – Europe enacts The General Data Protection Regulation (GDPR) governing how companies handle consumer data, forcing advertisers, agencies, publishers and intermediaries to implement business rules and guidelines to safeguard personal data and privacy.
  • June of 2016 – The Association of National Advertisers (ANA) publishes its North American Media Transparency study, leading to wholesale changes in contractual controls. As a result, nearly 2/3 of ANA members indicated that they would update their media agency agreements.
  • December of 2016 – The industry’s four largest agency holding companies involved in a Federal bid-rigging probe following allegations by post-production houses on the misleading use of rates they provided to agencies.
  • September of 2018 – The California Consumer Privacy Act (CCPA) goes into effect giving consumers more control over the personal information that businesses, including advertisers, agencies and publishers collect about them.
  • October of 2018 – The Federal Government informs the ANA and its members that the Federal Bureau of Investigation would be investigating potential misleading conduct and or deception between media holding companies and advertisers.
  • June of 2019 – Cybersecurity company, Cheq reports that advertisers will lose over $23 billion to ad fraud in 2019 alone.
  • July of 2020 – Year-to-date the European Union has issued over 300 fines to advertisers and publishers totaling more than $171 million for violating GDPR guidelines.

Each of these occurrences and numerous others has led to the need for advertisers to rethink their contractual controls in order to safeguard their organizations both legally and financially. In turn, this requires language enhancements and the addition of terms and conditions dealing with a range of topics such as privacy protection, data security, intellectual property ownership, transparency, audit rights and indemnification.

All too often, the contracts governing client/ agency relationships are slow to evolve, posing serious risks to advertisers. This in spite of trends such as the growth in the number of intermediaries, agency use of affiliates, expanding agency rosters, murky supply chains, brand safety concerns and the prevalence of ad fraud that pose risks to advertisers.

The thinking on items that were once considered “standard” within the industry, and therefore thought to be sufficiently covered in the context of agreement language can no longer be assumed. Advertiser expectations on topics such as; establishing principal-agent relationships, client-centric audit rights, requirement for full-disclosure in all dealings by the agency with affiliates and third-party vendors and limiting agency revenue to the remuneration described in the agreement and or appropriate SOWs must be reviewed and explicitly defined.

In our contract compliance practice, we have identified 3 key “triggers,” which if present, should incent advertisers to review and revise their agency agreements:

  1. The “effective date” of the current Client/ Agency agreement is more than 2 years old.
  2. If the parties utilized the Agency’s contract template as the basis for the agreement. These documents contain language that reflect the agency’s interest, not necessarily those of the advertiser.
  3. If an advertiser has “evergreen” agreements in place, but updates Statements of Work annually. Too often, while clients update the SOW, reviewing the contract for necessary updates is forgone.

The good news is that both the ANA and the ISBA have issued solid guidance in the form of framework agreements for use as a starting place to construct media and creative agency contracts. It’s important to note that while these broad-based agreements are an excellent resource, every relationship has nuances with new evolving risks that should be weaved into new advertising agreements.

Current, comprehensive supplier agreements leads to solid controls, improved transparency and stronger agency relationships. Integrate periodic contract compliance and financial management auditing and advertisers can rest easier knowing that they have successfully extended their governance and risk management framework to this important area.

“The essence of risk management lies in maximizing the areas where we have some control of the outcome, while minimizing the areas where we have absolutely no control of the outcome.” ~ Peter Bernstein

Tags: , , , ,

Time for Action, Not Apathy

31 Jan

ActionFraud continues to run rampant as digital media and programmatic buying continue to surge in popularity, garnering ever larger shares of global advertising spend. Regulatory actions around consumer privacy and data protection are presenting a plethora of challenges for the industry and its ability to use data to customize advertising messaging and delivery.

These are seminal issues that the advertising industry has been talking about for years. The risks and costs to advertisers and other industry players are significant. So how effectively has the industry dealt with these critical issues? If one were to generate an opinion based upon results, it would be easy to adopt the perspective that the ad industry has not dealt with these issues well at all.

Let’s start with the topic of ad fraud. While we all read the headlines, the question is; “Have we become numb to the impact of ad fraud on working dollars?” Consider that according to Juniper Research, advertisers lost $51 million per day to ad fraud in 2018. AFFISE estimates that 35.3% of all processed traffic in the first two quarters of 2019 was fraudulent. The World Federation of Advertisers (WFA) has stated that ad fraud will hit $50 billion per year by 2025.

One short year ago Facebook, in a highly publicized move eliminated 2.2 billion fake accounts, this following the elimination of 1 billion fake accounts during the 4th quarter of 2018. Interestingly, Facebook, one-half of the vaunted “duopoly” which captured over 65% of U.S. digital ad spend in 2019, itself accounts for 1 out of every 5 dollars spent on digital media in the U.S. (source: eMarketer) before and after this move.

While surely an astute media planner could readily make the case for Facebook’s appeal to advertisers, the justification for its share of the digital ad market is mystifying to the layman. According to the United Nations Population Division, there are 7.7 billion people in the world. Nielsen Online has identified 4.5 billion internet users globally. So, if Facebook eliminated more than 3.2 billion accounts, albeit fake over the course of four months, how many accounts could it possibly have had? What level of due diligence were agencies and advertisers undertaking to verify the base? Or, could it be that the industry simply has no valid means of verifying or measuring key digital audience factors?

The term “Big Data” was coined in the early part of the 1990s, referring to the vast amounts of data being gathered as the internet expanded. The data allowed marketers to conduct computational analysis that could reveal patterns, trends and associations related to human behavior. As the use of algorithms, artificial intelligence and marketing automation technology has come into vogue, the ability to more finitely target an advertiser’s message to specific niches, based upon this data, held great promise. This led to the meteoric growth of AdTech and MarTech solution providers vying for a share of advertiser dollars.

Then, in 2016, the European Union introduced the General Data Protection Regulation (GDPR), ushering in laws designed to protect consumer data and privacy. GDPR has since served as a model for regulatory action in countries around the world and within the United States, with the introduction of the California Consumer Privacy Act (CCPA). The impact on the ad industry has been significant as marketers, technology providers and publishers have struggled to comply with these varying laws. In turn, this led one important player, Google to announce the elimination of third-party cookies from its Chrome browser to avoid some of the risks associated with privacy regulation. The impact on marketers’ audience targeting and attribution modeling efforts will be swift and significant. Some have suggested that this could even signal the end of personalized marketing.

From this author’s perspective, the industry has not effectively dealt with these challenges. There are simply too many disparate interests at stake, which have served as very real impediments to progress in tackling these issues.

Let’s face it, in spite of the impact of fraud, fake devices, fake locations, fake impressions, fake consent strings, ineffectual brand safety and fraud detection services and a lack of uniform industry measurement and verification standards, advertisers continue to spend on media types, intermediaries and technologies that are simply not generating a return worthy of their investment. So where is the impetus for change?

Rather than working on real solutions to address real problems, the industry adopts labels or coins phrases that cover its retreat. Examples such as “Human Marketing” and the need to treat our target audiences as “people” as a solution to the inability to deal with the challenges presented by big data, technology and regulation to customize and personalize at scale. Or the use of the term “Contextual Marketing” in which ad delivery is based upon scanning texts of web pages and serving up a marketer’s ads based upon relevant keywords, rather than behavioral data. Or the nuanced notion of “Brand Suitability” versus “Brand Safety” to mask the inability to adhere to advertiser blacklists and or to ensure proper editorial adjacencies. Really? How is this all of a sudden more appealing than the noble quest, funded by advertisers, that gave birth to the “MarTech 5000” list.

From the outside looking in, it appears as though the industry is content with taking the path of least resistance, opting for a safer, more self-centered approach to issue resolution, rather than focus on doing what is best for the entire industry and ignoring advertisers’ desires to increase the effectiveness of their marketing spend.

To paraphrase American author, Richard Yates from his novel about 1950’s suburban life entitled Revolutionary Road; “It’s a disease. Nobody thinks or feels or cares any more; nobody gets excited or believes in anything except their own comfortable little mediocrity.”

 

 

Tags: , , , , , , , ,

%d bloggers like this: