PRIVACY IN THE ADVERTISING SECTOR: NAVIGATING REGULATORY CHALLENGES

WELCOME AND INTRODUCTIONS
- Alex Dixie, Partner, Head of Adtech, Bird & Bird
- Oran Kiziam, Vice President, Privacy, Paramount
- Becky Turner, DPO, Trainline
- Catherine Rhind, Global GC, Marketing, Media and dCommerce, Unilever

Privacy & Advertising
Key regulatory challenges for the advertising sector

APD (BELGIUM) V IAB EUROPE
- Considers the Transparency and Consent Framework (TCF)
- TC String considered personal data
- Held IAB Europe to be data controller of TC String and Joint Controller more broadly under TCF
- Various follow-on GDPR breaches
- Decision being appealed - aspects now referred to ECJ. Uncertain currently as to status of the ruling as a whole. Ruling due to be published on 7 March.

TCF V2.2
- As a result of the APD case, IAB Europe updated TCF with version 2.2.
- Implementation deadline was 20 November 2023.
- Key changes:
  - Can no longer rely on legitimate interests for purposes relating to advertising and personalising content.
  - Improved terminology, descriptions and explanations of purposes.
  - Standardisation of vendor disclosures on global vendor list, including categories of data collected and retention periods for each purpose.
  - Number of vendors to whom consent is being provided to be displayed on first layer of CMP.
  - Various technical specification changes.
- Expect compliance audits from IAB!

CRITEO DECISION
- Criteo is one of the world's largest adtech platforms, focused on the retail sector. HQ in France.
- Fined €40m by the CNIL in June 23.
- Criteo relied on publishers to obtain consent for cookies but failed to verify that this consent was actually being obtained.
- Key points:
  - Need to have a verification right in publisher contracts, that is actually enforced.
  - Transparency in privacy policies remains key.
  - Joint controllership for adtech? Make sure fully compliant contracts covering all of Article 26.
  - CNIL willing to issue significant fines still (even where not FB/Google) - this fine was 2% of worldwide turnover.

BROADER ENFORCEMENT
- CNIL enforcement priorities now shifting from desktop cookie compliance to the mobile ecosystem.
- Continuing large fines for cookie non-compliance - €150m against Google, €60m against Facebook
- Particular focus on ease of withdrawing consent/rejecting cookies
- Similar regulatory focus in Germany, the Netherlands and Belgium
- However, concern over discrepancies in decisions across EU regulatory decisions/lack of harmonisation
- EDPB taskforce established Sept. 2021 specifically in response to NOYB complaints. Underwhelming content published to date.

EDPB COOKIE GUIDELINES
- Draft guidelines issued in November 2023. Consultation ended mid-January 2024.
- Incredibly expansive interpretation of the application of Article 5(3) ePrivacy.
- If followed, almost every interaction with a device or use of information relating to a device (such as IP address) requires consent.
- Particularly concerning for cookieless solutions (including those used for contextual advertising) - many will not pass new high bar set by the EDPB.
- Also note the potential impact on affiliate networks; unique identifiers (even if site-based and not user-based) will be caught and require consent.

NEW EU DATA LAWS
- New EU data laws also contain privacy-impacting rules and requirements.
- Advertising is a common feature of these new data laws, with particular focus on the concentration of power within the advertising market with very large platforms.
- Can result in both direct and indirect obligations being placed on companies:
  - e.g. DSA ad repository requirements
  - e.g. DMA targeted advertising restrictions
- Currently lack of standardization of approach - each gatekeeper/VLOP determining its own approach/interpretation of the relevant legal requirements.

LAWFUL BASIS
- One key point across the adtech ecosystem remains the appropriate lawful basis for targeted advertising.
- Recent decisions, although not explicitly ruling out the use of legitimate interests, have stated the difficulties with required balancing tests falling in favour of the controller.
- Further, decisions such as Meta Norway and its extension through EDPB/DPC removed contractual necessity as an available lawful basis.
- New data laws explicitly require consent in a number of scenarios.
- TCF changes remove legitimate interests as an available lawful basis for certain advertising activities.

LAWFUL BASIS
- So is the writing on the wall for legitimate interests as an appropriate lawful basis for targeted advertising?
- Not necessarily - but LIAs and balancing tests are becoming more difficult.
- Generally, can still be appropriate in a first-party scenario (e.g. using advertising to monetise your own platforms), provided processing and data involved are necessarily limited (e.g. using contextual advertising).
- Potentially challenging for third parties to establish balancing tests.
- Certainly consent is direction of travel.

Quasi-regulation

BIG COMMERCIAL CHANGES ON THE HORIZON
- Commercial changes on the horizon with quasi-regulatory impact?
- Death of cookies - Google Topics, Apple ATT, Privacy Sandbox extending to Android
- Associated growth in cookieless technologies (more in a moment).
- Similar privacy first movements across the sector (e.g. VPNs, private relay, hide my email)

PRIVACY SANDBOX & DEATH OF COOKIES
- Big commercial changes on the horizon.
- A sector that is on the verge of significant change, pivoting from existing approaches.
- Death of Cookies:
  - Google is implementing privacy sandbox within Chrome
  - Acts to block all third-party cookies.
  - Revised timetable moved implementation back significantly but now beginning to go live.
  - New approach by Google was initially FLoC but has now been replaced with Topics
  - Also extending to Android.

TOPICS API
Current Approach:
- Third-party cookies/identifiers set and read across different websites/apps.
- Granular profile of user created by advertising platforms.
- Targeted advertising directed to that user based on granular individual profile.
New Approach:
- Topics are calculated on-device for each user based on app usage and browser history.
- Broad interests presented to advertising platforms - no user-level identifiers available.
- Targeted advertising directed on the basis of the user's interests.

TOPICS API: CONCERNS & CONSIDERATIONS
- Lack of individual-level insights and data
  - Prevents standard techniques such as frequency capping, ad sequencing or attribution
- Momentary data only
  - Cannot map movements between interest groups over time
- Only works in-browser
  - Prevents cross-device, cross-browser and matching with offline data
- Targeting is very blunt
  - Interests are by design generic

COOKIELESS ADTECH
1. Unlinked First Party Audiences
1. Publishers use their own techniques to identify and manage their own first-party data records of their users (for example, associating unique identifiers to logged-in user emails).
2. Publishers curate audiences based on this first-party data into demographic, interest and/or behavioural segments and communicate these segments to demand partners within bid requests.
3. As these segments are created by publishers on the basis of their own first-party data only, and no underlying data is made available to demand partners, there is no ability to link the publisher's audience to the advertiser's audience, regardless of the buying method.
4. This approach does not require the exchange of any user identifiers between the various parts of the adtech ecosystem and, in particular, stops the requirement for publishers to push individual identifier data from their DMPs into DSPs and SSPs, along with segment information on those identifiers.
5. The exact mechanism for this approach can vary by publisher but the IAB has established a standardised technical specification for exchanging this information through the OpenRTB protocol known as Seller-Defined Audiences (“SDA”).

COOKIELESS ADTECH
2. Browser- or Operating System-Linked Audiences
1. This describes environments where the browser or operating system does the audience linking, such as Privacy Sandbox and SKAdNetwork in particular.
2. This approach relies on the relevant browser or operating system to perform user-specific analysis and report only the aggregated, non-identifiable result to the advertiser.
3. This takes various forms, such as on-device machine learning through frameworks such as Privacy Sandbox and Topics API to analyse app and web behaviour and create interest-based segments that are presented to advertisers, without any ability to access underlying individual-based identifiers.
4. As these technologies are on-device by definition, there can be challenges with cross-device matching. Further, these types of techniques include specific protections to prevent indirect identification of individuals, including through preventing the tracking of movement between interest groups or segments or time-delaying any aggregated reporting.

COOKIELESS ADTECH
3. 1:1 Linked Audiences
1. This describes environments where publisher and advertiser audiences can be linked using a token mapped through identity resolution and data management platforms.
2. This type of approach commonly makes use of user-provided information (such as email address, name, address), provided at the point of sign-up for accounts with the relevant publisher.
3. Use of specifically-provided data from users can result in good data accuracy. However, this can result in limited reach as these solutions generally require active participation from authenticated users only.
4. Examples of these technologies are UID 2.0 and User-Enabled ID Tokens.

COOKIELESS ADTECH
Panel thoughts
- FIRST-PARTY DATA STRATEGY
- GOVERNANCE CHALLENGES
- COMPLIANCE VS NEED FOR SPEED
- DECODING THE MARKETING JARGON

COOKIELESS ADTECH
A final thought
Be aware of approaches that seem intended to circumvent either regulatory or commercial rules through technological “tricks”. Any benefit from these types of solutions will likely be short-lived, and they come with a significant associated risk that regulators and/or commercial entities responsible for enforcing the respective rules on cookies and the use of identifiers will view the use of these approaches as attempting to deliberately take a non-compliant approach, with associated consequences.

FIRESIDE CHAT
- Patchwork approach (industry-led governance)
- Roles (joint control)
- Lawful basis (consent or LI)
- PETs (the silver bullet?)
- Global considerations (CCPA “sale”, US state privacy)

THANK YOU

HOW DID THINGS GO? (WE REALLY WANT TO KNOW)
Did you enjoy this session? Is there any way we could make it better? Let us know by filling out a speaker evaluation.
1. Open the Cvent Events app.
2. Enter IAPP DPI24 (case and space sensitive) in search bar.
3. Tap “Schedule” on the bottom navigation bar.
4. Find this session. Click “Rate this Session” within the description.
5. Once you've answered all three questions, tap “Done”.
Thank you!