The Perfect Storm: AdTech, Privacy and Digital Advertising
There’s a perfect storm brewing on the digital horizon, and organizations that want to successfully navigate through it need to get ready. Three elements are colliding to create this perfect storm:
- Record breaking revenue derived from digital advertising.
- Spikes in regulatory enforcement actions and settlement amounts in the EU and a fast-growing body of U.S. state consumer privacy laws, which are implicitly inspired by online tracking technologies.
- Industry-led shifts away from the third-party online tracking industry.
It’s not a surprise that as the digital economy continues to grow, advertising dollars follow. Covid notwithstanding, 2021 was an exceptional year for digital advertising growth across all digital channels, according to the IAB Internet Advertising Revenue Report: Full Year 2021. The report stated, “Overall, digital advertising revenue increased 35.4% YoY, the highest growth since 2006,” with revenue of $189 billion. It’s likely that 2022 will continue to deliver impressive digital advertising growth across all channels as digital channels become de facto ad delivery mechanisms. Many organizations, large and small, multinational or not, make significant revenue from digital advertising. Costs to advertise have dropped, while technology evolution has increased effectiveness. Companies sell more stuff. That’s the good news.
The bad news is that there has been a longtime and growing body of regulatory concern, not about digital advertising per se, but rather about how digital advertising is powered. Namely through the opaque and confusing third-party Advertising Technology (AdTech) ecosystem that uses online tracking technologies such as “cookies” to anonymously collect data about user browsing habits. A complex AdTech industry has evolved that dynamically collects information gleaned from website behavior, then shares it with other third parties in the AdTech ecosystem, slicing and dicing, aggregating, profiling and making algorithmic-based inferences about potential buying interests. All this is done in nanoseconds, and often without the knowledge of the website operator, through a complex daisy chain where authorized third parties allow unauthorized third parties to piggy-back onto the site, sharing information that culminates in a programmatically driven auction. Clusters of similar profiles are then auctioned en masse to buyers/advertisers that want to reach a specific audience.
EU regulatory concern, evidenced by a series of guidance documents, has recently morphed into a spike in enforcement actions at eye-popping settlement amounts, from €35M to more than €700M. The common concerns running through the regulatory guidance and enforcement actions include lack of transparency, invalid consent, improper lawful basis to process data, poor governance, and most recently, cross-border data transfers of personal data.
In the U.S., inspired by the opaque AdTech industry, currently five states have enacted consumer privacy laws, with another 17 progressing in varying legislative stages. The growing patchwork of U.S. state privacy laws creates added compliance complexity, costs and concordant risks, both regulatory and reputational, associated with the new individual rights to know and opt-out of this activity.
Finally, some are concerned that AdTech-based data activity may constitute an ongoing, massive data breach, which in some cases would trigger statutory enforcement carve outs and open the door for private right of actions (translated: class action lawsuits).
As if managing regulatory risk, while protecting and growing digital advertising revenue, wasn’t hard enough, some of the dominant technology platforms have either announced or have already implemented significant changes in how their respective technologies function. This includes either blocking by default third-party tracking (e.g., cookies), developing their own online tracking technologies within a walled garden or requiring consumers to provide opt-in consent to precise geolocation tracking in apps. Alone or in combination, each of these industry developments will require organizations to rethink not only their digital advertising and data strategy, but also the actual technological architecture on their websites. Notwithstanding the rosy predictions for digital advertising in 2022, organizations are sailing into the perfect storm.
On the other side of this storm is AdTech 2.0. Below are critical steps organizations can take now to navigate through the coming storm.
- Get a comprehensive understanding of data collection and inventory of third-party tracking on websites. Through an AdTech risk assessment, organisations can identify their uses of online tracking technologies and gain a comprehensive understanding of how data is collected by those technologies as well as how existing practices align or conflict with regulatory guidance, standards or industry best practices. These assessments help mitigate emerging risks arising from the use of AdTech and reveal regulatory concerns across transparency and consent, governance, impact to individual privacy rights, lawful basis to process data, data sharing, automated decision making based on profiling and cross-border data transfers.
- Review governance policies, standards and processes. In addition to an assessment of existing AdTech practices, teams should conduct a thorough review of their data privacy and information governance policies, standards and processes. This step should also include an evaluation of whether existing policies are inclusive of the latest changes in applicable data privacy legislation and to what extent policies are followed and enforced throughout the organization.
- Design a flexible risk-based governance framework. Organizations need a flexible governance framework that balances digital advertising strategy with emerging regulatory and compliance risks. This allows the organization to demonstrate and sustain accountability while at the same time preserving and growing revenue through digital advertising.
- Formulate a cross-functional team. Stakeholders from key groups including marketing, data governance, legal, compliance, privacy, IT and security should collaborate to review data strategy. Cross-functional teams should address future proofing against enforcement in the EU, U.S. and other jurisdictions, while protecting and growing revenue derived from digital advertising without dependence on third-party AdTech.
- Establish a consent and preference management program. Organizations have the opportunity to shift away from the current third-party AdTech ecosystem and move toward a zero-party and first-party approach. These approaches leverage the organizations’ existing consumer data, such as personal preferences, purchase decisions, consents and choice. Strategic consent and preference management and customer value exchange programs make it possible for organizations to uphold strong data privacy practices while still optimizing their data and driving sales.
How FTI Technology can help
Experts from within FTI Technology’s Information Governance, Privacy & Security practice have the domain experience needed to help organizations make sense of and mitigate their digital risk relating to online tracking, data privacy and digital advertising practices. Specialists in global and U.S. state data privacy regulation, AdTech, analytics, industry best practices and technology transformation work closely with clients to develop proactive and holistic programs and strategies that reduce risk while also extracting value from corporate data.
FTI Technology partners with clients to conduct AdTech risk assessments, create governance frameworks, design and deploy new AdTech architecture and design consent and preference management programs to optimize data to better manage risk, while growing revenue. Additionally, FTI Technology helps organizations operationalize AdTech governance through its managed services offerings. Together, these solutions empower clients to achieve compliance, transparency, innovation and business growth.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.