Google announced last week that it will strip contextual content categories from the bid requests it sends to buyers via Google Ad Manager beginning February, which left some online advertising execs scratching their heads.
Google billed the change as “additional steps to safeguard user privacy,” but advertisers will still be able to access data like city-level location, website URL, app names or app IDs. On the face of it, those seem like more “private” identifiers than whether a user is on a news or weather site.
One ad buyer described the blog post announcement as “pretty blurry” and said they had to seek further clarification from their Google rep on the matter — even the rep needed to double-check. Others said the move was likely a small concession to show concern to the data protection authorities currently circling the company over GDPR compliance. But, as with many of Google’s other recent privacy-related moves, this change could actually raise its so-called “walled garden” slightly higher, even if unintentionally. Google, after all, will still have access to the contextual data itself.
“As pressure mounts, Google is looking to show more and more ways of moving positively in the privacy direction while still maintaining the revenue model,” said Ian Lowe, vp marketing at digital experience platform Crownpeak.
A real test of Google’s mettle in this area may come in February. Google is set to make an announcement about how its popular Chrome browser will treat third-party cookies — a decision that will have repercussions on the entire online ad ecosystem. Chrome has a 65% share of the global browser market across all platforms. Recent changes to restrict third-party tracking in Apple’s Safari and Mozilla’s Firefox browsers have proven to be disruptive for publishers, ad tech vendors and agencies. Still, with web privacy increasingly becoming a mainstream consumer concern, Google is under some competitive pressure to directionally follow suit.
The right profile
Google said the decision around restricting access to contextual category data followed discussions with data protection authorities. The company is currently under investigation by Ireland’s Data Protection Commissioner over how it handles personal data within its ad exchange. Meanwhile, the U.K.’s data protection body said earlier this year that Google’s and the wider industry’s open exchange real-time bidding protocols were not compliant with GDPR. That body, the Information Commissioner’s Office, said in June that the industry had six months to clean up its act.
Google’s February update will prevent ad tech companies who don’t have a primary relationship with a consumer from “listening in” to ad auctions in order to build user profiles using content categories. Under the current system, if a user visits a site like ESPN.com, Google’s exchange sends back information in the bid stream that includes the contextual subject “sports” to potential bidders. A demand-side platform and other ad tech companies like data-management platforms are able to see that information and could, theoretically, use it to create behavioral user profiles unbeknownst to the user. It’s not clear if this happens regularly in practice, but the possibility presents a GDPR risk. Building profiles of users based on bid data is also prohibited by Google’s ad policies.
Google said it will also expand the scope and reach of its existing EU user-consent policy audit program for publishers and advertisers and the audits for its Authorized Buyers program, with additional focus on real-time bidding and data compliance.
The six-month deadline set by the ICO for the ad tech industry to address its concerns expires in December. Meanwhile, in the U.S., the California Consumer Privacy Act (CCPA) comes into effect in Jan. 1, 2020. With the clock ticking down toward those deadlines, expect to hear a lot more noise from the broader online ad market regarding privacy changes, said Ross Noach, head of marketing at ad tech company Rezonence.
“[The ICO] said it wants to see concrete movement from the industry to show that it has a plan to change,” Noach said, adding that announcements like Google’s are likely, at least in-part, an attempt to convince regulators they are working toward such a plan.
Google’s ad policies already prohibited advertisers using its services to target individuals or build out profiles based on “sensitive” categories — an area highly scrutinized by data protection authorities when assessing GDPR compliance. The ICO said earlier this year the sharing of sensitive, “special category” data — such as data that refers to a person’s ethnic origin or their health or sex life — requires explicit consent from users.
Ari Paparo, CEO of ad tech firm Beeswax, said despite its pre-existing policies, Google’s move to restrict sharing of contextual data could be interpreted as a step to avoid any potential issues in the “sensitive category” area.
“The definition of what is sensitive might be subjective,” Paparo said. For example, “marijuana use” might not be viewed as sensitive but “marijuana use for medical reasons” could be.
In an emailed statement, an ICO spokeswoman said its report on the real-time bidding space in June outlined a range of concerns, “including the use of sensitive personal information and the security controls used by the organizations involved.”
“Google’s announcement is an important statement of intent, and we look forward to seeing what practical impact it will have on Google’s operating model and the industry more widely,” said the spokeswoman.
The impact on the wider market is unclear. Ad tech execs said many buyers and demand-side platforms don’t currently rely on Google’s contextual category information anyway and instead use the services of contextual-targeting providers like Oracle-owned Grapeshot, Comscore and Peer39.
That’s the way the cookie crumbles
Advertisers, ad tech vendors and publishers are awaiting Google’s decision on how Chrome will treat third-party cookies. Industry observers have predicted Google won’t go as far as Safari and Firefox given its ad-focused business model.
At its Chrome Dev Summit held in San Francisco last week, Google reiterated that it will begin to make its third-party cookie controls more visible and said that it’s experimenting with a control toggle on the incognito new tab page.
Michael Kleber, a Google software engineer who works on privacy and tracking prevention in Chrome, outlined the company’s plan to move toward a web without tracking. He suggested shifting from cookies to “more right-sized APIs” that don’t allow for unfettered tracking of individuals across the web, and discussed how Chrome is exploring the use of federated learning of cohorts (Digiday has a handy explainer here) to continue to allow interest-based ads on the web.
“We need a web that is powerful enough to support those vital third-party use cases [such as analytics or non-human traffic-detection software] without relying on a too-large tracking mechanism that gives you way more information than what you really need,” Kleber said.
Kleber said he didn’t want to predict the future of the cookie, but standing on stage in front of a presentation slide that read, “We need your help to reach a world without tracking,” he encouraged developers to “help us imagine a world without third-party cookies or other tracking vectors.”