A History of Ad Tech Chapter 4: The Privacy Reckoning

Investors giddy at the prospect of striking gold with “the next Google” were all eager to lay to rest the infamous John Wanamaker adage with the power of data and ad tech. Marketers, eager to establish a new consumer engagement paradigm, fueled this demand.

Although, at the dawn of the 2010s, such enthusiasm became moderated, giving way to the contemporary mood, which is more tempered by public concerns over privacy. And governments are responding accordingly.

Even the scions of Big Tech (publicly, at least) have been subdued by this zeitgeist, as recent years have seen both Apple and Google introduce restrictions to their respective ecosystems. At the same time, obscure terms such as Privacy Sandbox, Intelligent Tracking Protection, and App Tracking Transparency have caused much chagrin across the industry.

At the mercy of Big Tech

Now, as the industry stands on the precipice of 2024, it is 12 months away from arguably its most seismic overhaul as Google prepares to roll back support for third-party cookies, a.k.a. the data that has become the lifeblood of the digital media ecosystem, in its market-leading web browser Chrome.

Google is not the only Big Tech provider to have made such moves: Look at how Apple has torn asunder the business prospects for third-party marketing services in its ecosystem with the rollout of ATT and ITP in recent years.

However, Google’s further foray into privacy protection (in the guise of its Privacy Sandbox initiative) could have a more profound impact on the digital marketing industry. After all, compare Chrome’s market dominance of the web browser market (64%) to its nearest rival, Apple Safari (20%), per Statista numbers.

At the genesis of such moves are more comprehensive limitations through laws such as the General Data Protection Regulations (2016) in the EU or the California Privacy Rights Act (2020).

Meanwhile, Ana Milicevic, co-founder and primary at Digital Sparrow Advisers, points to pre-existing legislation — such as U.S. Federal law, The Children’s Online Privacy Protection Act (1998) or the EU Cookie Directive (2009).

“In that period, you had two types of innovators … those that knew commercial innovation, rather than technical innovation, and knew how to match advertisers with inventory,” she said, recounting how performance marketing principles were increasingly applied to digital advertising in the late 2000s. “Then there were folks that had exposure to offline performance marketing because that was the other area where user-level data was particularly impactful, that started to apply those principles to digital advertising.”

The rise of the data platforms 

During the late 2000s and early 2010s, software outfits (distinct from ad tech companies) launched products capable of helping businesses garner data based on various sources, both primary and third-party data. These were commonly known as data management platforms. Their pitch was to help brands gather online and offline data to help improve the effectiveness of their marketing activity.

Early leading proponents of such technologies were purchased by SaaS (software as a service) providers (see below), some of which were eager to expand beyond their pre-existing CRM offerings.

• Demdex, acquired by Adobe (undisclosed sale amount) in 2011
• BlueKai, bought by Oracle ($400 million) in 2014
• Krux, bought by Salesforce ($700 million) in 2016
• Neustar, bought by Transunion ($3.2 billion) in 2021

Milicevic, who was part of the executive team that sold Demdex to Adobe, noted how vendors often got into the space offering “DMP-like solutions” due to encouragement from their existing clients. For example, she noted how entities from other parts of the sector, such as MediaMath and The Trade Desk, dipped their toes into the martech sector, offering those “DMP-like solutions.”

She further noted how such instances were indicative of the sector’s rapid evolution during this era. “You usually have a first burst of innovation, then something becomes ‘a category’ when it gets featured on part of the LumaScape,” Milicevic added, while describing how the early wave of M&A can help spur more, often confusing, terms. “So, when the DMP-space got snapped up very quickly by strategics [acquirers] … when this happens, there’s a slew of business use-cases that don’t necessarily require a separate solution. This is usually when the floodgates open.”

Milicevic further added that many companies in the ad tech space would white-label the solutions of pure-play martech, or SaaS, providers and then pass it off as their own. “The same goes for the [customer data platform] CDP and the cleanroom space,” she said. “So, that leads to a confusing market because if you ask a company, ‘Hey, are you a clean room?’ They’ll be like, ‘Sure, we do that too…’ In many cases, it’s legitimate, but in many other cases, it wasn’t.”

Primary goals

However, early DMP offerings relied heavily on activating third-party data, such as cookies or (frankly) unconsented data — insights that soon became persona non-grata with laws such as GDPR coming into place.

For Bob Walczak, CEO of MadTech Advisors, the ongoing shift from “open data networks” toward “closed data network model,” a move that’s been caused primarily by GDPR enforcement since 2018, is a shift that has also made execs in the U.S. start to pay attention to privacy matters.

He said he believes the Big Tech sector presaged government scrutiny and the subsequent rising tide of privacy laws “before anybody else” in the early part of the last decade. And in the 2020s, those chickens are coming home to roost.

“Now we’re seeing a shift towards first-party data, opted-in, consented users, that enables that same level of interoperability [of third-party cookies], which requires much more close collaboration and communication with your counterparty,” Walczak said, describing the rise of data clean rooms. “That’s where you’re going to see the shakeout … what you’re seeing is that platforms and companies have to shift the way they manage their data and allow others to access that data.”

No silver bullet 

Most sources agree that laws such as GDPR have strengthened the influence of Big Tech players, given their primary control of the user interface of web browsers or mobile operating systems, etc. For some, this effectively makes outfits such as Google and Apple the global regulators of the industry, given their ability to roll out policies across international borders, not to mention lobby governments.

Arielle Garcia, founder of ASG Solutions and former privacy chief at agency holding group Interpublic Group, noted how the industry is often quick to think it has solved all its issues as it stands on the precipice of this new privacy paradigm.

She pointed to the IAB-led attempt to cite GDPR’s “legitimate interest” clause as a just reason for publishers passing otherwise unconsented user data to third-party ad tech as evidence of the widespread folly present in the industry. Popularly known as the IAB’s Transparency Consent Framework, the industry’s repeated efforts to shoehorn TCF’s proposals into play since 2018 have often come up against regulatory scrutiny.

According to Garcia, this proposal was simply an unsustainable — the legitimate interest clause has since been removed — means of attempting to maintain the status quo.

Moving the goalposts?

“I saw the TCF as mental gymnastics that would enable there to be no disruption and everyone to continue in the current state until told otherwise,” Garcia said, adding that many privacy solutions on the market are just “shifting the goalposts.”

“There are valid reasons and ways to use CDPs and clean rooms, but none of them void the need to comply with privacy law or the imperative of aligning with consumer expectations,” Garcia added.

Others point to the emergence of black box technologies from the industry’s major tech platforms, a.k.a. walled gardens, many of whom cite user privacy as the main reason for their reticent methodologies as a growing concern, with many citing Performance Max as a case-in-hand.

Garcia, who stood down from her former role as chief privacy officer at UM amid concerns over the broader industry’s ability to hold Google to account over consumer protection concerns, said she believes such black boxes indicate a trust deficit the entire industry has to address.

“While there is a general awareness of privacy laws and data-related obligations across most of the industry, true competency and application continues to lag,” she said, scoring the industry “three out of five” over its progress toward privacy in recent years.

Garcia further noted how the buy-side of the industry has more work to do when it comes to compliance, as this sector has seen less enforcement of laws such as GDPR. “This reinforces the tendency of advertisers and agencies to remain reactive or to follow the lead and accept the narratives put forth by Big Tech,” she added.

Garcia concluded, “The primary focus for most of the ecosystem remains on technical solutions to mitigate signal loss, rather than the need to recalibrate data collection and use such that it is more fair and respectful to consumers.”