Gaps remain in industry guidelines for controversial email-based identity tech
As advertisers and publishers struggle to find ways to enable personalized ad targeting and measurement without third-party cookies, there is more interest than ever in cookie-replacing identifiers.
The Interactive Advertising Bureau’s Tech Lab has published a set of best practices for these hyped technologies, but as the digital ad industry faces increased scrutiny of its data use and privacy practices from government and everyday people, some say the proposed guidance from its biggest trade group could have gone further in advising companies on how to gain people’s consent while complying with privacy regulations. A spokesperson for the IAB Tech Lab declined to comment on the record regarding the criticisms.
The IAB’s Best Practices for User-Enabled Identity Tokens address the use of identifiers, many of which work by transforming identifiable data like email addresses into encrypted ID signals to replace cookie tracking. The proposed guidelines, now open for public comment through May 7, are meant to reduce privacy threats as these technologies are distributed across the digital media supply chain.
“These are working documents and early concepts, and several large pieces of the puzzle are still missing — including the crucial piece of consumer reactions and how willing we will be to provide consent,” said Georgie Haig, product lead of identity at programmatic marketing agency MiQ.
When presenting the proposal on March 9 — part of a package of technical standards for privacy, accountability and taxonomy for contextual advertising — IAB Tech Lab CEO Dennis Buchheim said, “We need to create and present options to consumers for privacy and personalization.”
The identity token best practices state that first parties — typically website publishers — that gather email addresses and other personal information to build identifiers must provide people with “transparency and control subject to the relevant legal requirements in the applicable jurisdiction.”
However, they do not provide guidance for how that transparency and control should be made accessible to site visitors beyond stating that the controls “need to conform to the requisite consumer transparency and control features defined by local law and policy interpretation.” That lack of guidance risks creating a situation in which compliance measures vary, with some companies taking such lax approaches that consumer advocates criticize the advertising industry for an overall lack of compliance and government regulators decide to impose stricter requirements.
Rather than forcing the industry in a specific direction, said Mathieu Roche, CEO of identity tech firm ID5, as an industry body, “[the IAB’s] job is say this is the minimum threshold we should hit.” He added, “Transparency and consent haven’t been front of mind for the industry for the last 10 or 15 years.”
The legal landscape around privacy and data is becoming more restrictive as new state laws come on the books in California, Virginia and elsewhere in the U.S. Both California’s updated privacy law and new legislation passed in Virginia give people the right to opt-out of the sharing of their personal information for the purpose of cross-context behavioral advertising.
And as pressure for comprehensive federal privacy legislation mounts — even from the IAB itself — signs indicate that today’s identity tech approaches may not pass muster with regulators. Already these email-based identifiers got the cold shoulder from IAB member Google, which noted in a March 3 blog post that identifiers using PII graphs based on people’s email addresses won’t meet rising consumer privacy expectations or regulatory restrictions.
When companies do address user consent, many identity tech providers and publishers that use these technologies consider the fact that someone has provided an email address in exchange for content to be a form of consent for using that email to create an identifier to track them. And publishers’ privacy policies rarely mention by name the companies, such as identity tech providers like ID5, The Trade Desk or others, with which publishers share people’s information.
Industry needs consumer engagement framework
Today’s approaches to consent for use of emails or other login information to enable identification of users is a “slippery [slope],” said one digital agency executive who spoke on the condition of anonymity with Digiday. “If I have a consent banner on NYTimes[.com] to set a first-party cookie, what they choose to do with it and how to integrate it is up to them,” said this person.
“We look at this as establishing the baseline,” said Travis Clinger, svp and head of addressability and ecosystem at identity tech provider LiveRamp of the IAB Tech Lab’s identity token best practices.
LiveRamp helped draft the best practices along with nearly 300 people from ad tech firms, ad agencies, media outlets and other identity tech providers. “We also need, as an industry, a framework for how to engage with consumers,” he said. LiveRamp requires publishers to name the company in their privacy policies, which is reflected in policies from Newsweek, Salon and iHeartMedia.
Technologist Ashkan Soltani, who helped craft the California Consumer Privacy Act and served in the Division of Privacy and Identity Protection at the Federal Trade Commission, questioned the IAB’s acceptance of email-based identifiers. “IAB’s move to track users via email-derived identifiers seems incredibly tone-deaf in this regulatory climate, particularly as this tracking is even more privacy-invasive than third-party cookies.”
The IAB document does address the need for “technical safeguards that hold industry parties accountable to their preferences, and which allows the actions of 1st and 3rd parties to be reviewable and actionable by consumers.” And it points to a related Accountability Platform proposal for standards for moving user restrictions and preferences along the digital ad supply chain.
Nonetheless, Peter Day, CTO of Quantcast, which offers a consent management service for site logins for identification, said of the IAB’s proposed guidelines — “It would be great to see stronger accountability” for transparency and consent.
Newsletter publishers say they continue to see uptick in revenue despite advertising slowdown
At a time when larger media companies are feeling the pressure of the economic downturn and advertising slowdown, newsletter businesses continue to be in a period of revenue growth.
TikTok’s CEO faces bipartisan skepticism in first Congressional hearing on security concerns
The hearing comes amid calls to remove TikTok from government devices and in some cases even ban it entirely.
Media Briefing: What to expect at the Digiday Publishing Summit
As DPS draws nearer, top pain points for publishers are coming to light.
SponsoredHow advertisers are leveraging omnichannel attribution and measurement to power CTV
Sponsored by MNTN Connected TV advertising has joined and expanded the larger ecosystem of campaigns that advertisers deploy. As such, omnichannel marketing strategies now encompass television and mobile devices, tablets and other screens such as out-of-home. And as customers engage across these different touchpoints, brands are seeking and moving their measurement and analytics efforts to […]
New app launches through Apple hoping to win with ‘zero-party data’ when others haven’t
Caden's new app lets users connect data from their Uber, Amazon, Netflix and other accounts in exchange for money. Will it take off?
‘The next level for us’: The New York Times eyes better retention for games in subscription drive
The games division is focusing on finding new ways to mine the inherent competitive nature of games like encouraging people to play multiple games in a single session or through new achievements and rewards for progression.