Data buyer beware: agencies are starting to ditch complacent providers

“There’s a lot of [data] providers that we have spoken to that haven’t made the shift yet,” said Harris. “They don’t have answers to our questions when we ask if they’re enabling opt-outs or elimination of data from third-party cookies.” The result is simple, said Harris: “If they don’t have that [opt-out] ability, they won’t become a long-term partner for us,” he said.

When asked which types of data providers are at-risk, agency execs interviewed for this story were reluctant to name names. However, they suggest third-party data providers, or those concocting products from so-called data exhaust — that is the firms without direct connections to the point at which data is gathered — are skating on thin ice. That includes location-data aggregators, credit card transaction data providers and firms that build audience profiles based on third-party cookie data swirling around programmatic ad exchanges.

“If you are two to three layers away from actual ingestion of that data, the actual consent of that data, you’re going to have challenges,” said Nii Ahene, chief strategy officer at Tinuiti, which primarily handles ad buys on platforms including Google, Facebook and Amazon.

Not passing security check-points

Agencies including Goodway Group and Rapp are subjecting data providers to tougher data privacy and security inspections. Goodway already has given some suppliers the boot, said Amanda Martin, vp of enterprise partnerships. “We’re taking a far more granular look at where we’re spending and how we’re spending [on data],” she said. Already in 2021 and going forward, the agency is limiting or ending relationships with “third-party data providers that we just feel don’t meet the consent requirements or outsource so much of their data.”

Goodway is working this year to set more formal standards pertaining to data providers that entail evaluating their methodologies, determining how their data is sourced, inspecting how they garner consent from people for data use and conducting performance reviews. The agency also aims to grade data providers based on their approach to navigating the deprecation of third-party cookies and device IDs, said Martin.

Some smaller or medium-sized data brokers are not passing muster when it comes to security evaluations, said Laura Aldridge, vp and data privacy officer at Rapp. “We’re seeing it more in the data broker area where they’re just not up to scratch at all in terms of how they’re handling data,” she said, noting that two in ten data brokers the agency inspected this quarter did not meet security criteria. In general, she said these data firms are falling short when they don’t have the proper data processing security certifications in place required by the agency.

For instance, because responsibility for data use under GDPR and CCPA falls on the agency’s advertiser clients, they must ensure that the companies processing personal data on their behalf operate according to the appropriate protocols, such as by getting consent for collection and use of email addresses. “Sometimes you’ll hear data brokers say, ‘But it’s just an email address,’ but it’s [personally-identifiable information],” said Aldridge.

Shedding light on a black box

Companies supplying data for advertising, media and marketing purposes have always been reluctant to reveal details of where they get their information. And as more and more advertisers look under the hood, that opacity stubbornly remains, despite regulatory pressures, said Tyler Pietz, evp of global data at data-centric agency MightyHive. He said some clients are concerned about the business-related or legal ramifications of sourcing data from third-party providers; however, they typically do not get details about how data is sourced or how providers garner and manage consent for that data use. “Most of these providers won’t expose [that information],” he said. “They consider it to be proprietary.”

Martin backed up his assessment, noting, “Previously data providers comfortably operated in a black box when it came to methodology and sourcing.” She suggested that the Interactive Advertising Bureau Tech Lab’s self-reported data labels and data quality evaluations from independent firms such as Neutronian are helping data buyers require more rigorous standards. 

Sometimes agencies and brands don’t have direct data licensing agreements with providers. Instead, they buy data to enhance ad targeting capabilities when managing ad campaigns through demand-side platforms, by choosing from a menu of providers inside the DSP environment. And, in some cases in the past, agencies like Goodway may have looked to brand clients to determine which data suppliers they want to work with, Martin said.

The GDPR effect

Europe’s GDPR already had some agencies re-evaluating partnerships with data suppliers, said James Coulson, strategy director at London-based media agency Infectious Media. “In Europe, our relationship changed with data providers with the implementation of GDPR, so we’re a bit ahead of the curve in these matters,” he said.

Agencies, of course, build their brands on being ahead of the curve. Others interviewed for this story suggested that third-party providers have been data non grata for some time. MightyHive has advised clients for the past few years to “prepare for a world in which third-party data starts to basically go away entirely,” said Pietz.

State privacy laws in the U.S., particularly in California, have only heightened concerns around using data that is not closely attached to a direct relationship with people it’s gathered from or collected in conjunction with some form of notice or opt-out capability.

A reckoning for location and credit card data suppliers

That move away from third-party data has put mobile location data providers in the crosshairs, many of which assemble location-data based products from the data they siphon off the bid stream in programmatic ad exchanges. When people give app publishers permission to collect their location information, publishers sometimes include that information when they auction off ad impressions in programmatic ad marketplaces, enabling other firms participating in those marketplaces to collect that location data. “Usually you’re getting a [latitude-longitude] off of the bidstream,” said Pietz. As Apple has limited location permissions by default, he added, “That in general has definitely started to have an impact on the scale or the veracity of the location data,” he added.

That lack of direct consent from people when location data is gathered has led agencies like Rapp to “steer away” from location data providers, said Aldridge. Data products built from credit card data also have a limited shelf life as a result of the California Consumer Privacy Act, said an agency exec who asked not to be named. “We’re seeing those partnerships [with credit card data providers] be fallouts of CCPA,” said the exec.

Now that Apple’s Safari, Mozilla’s Firefox and, by next year, Google’s Chrome browsers have restricted third-party cookies, they are reinforcing what regulators are signaling to advertisers about third-party data, agency execs said. The browser decisions have “pulled sharply into focus the need to speed up the conversations with the data providers about what their solutions are in this space, as well as talking to clients about the need to invest in their first-party data infrastructure and start using it more,” Coulson said.