"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Robin Caller, CEO and founder of Overmore.
GDPR and CCPA are still relatively new regulations, although the former was at least 10 years in the making. A lot of work, time, expense and lobbying effort went into them. Even more was spent by companies to comply with them.
And yet in so many ways all the money and effort were wasted, because both regulations have failed to accomplish their main goal: to enable all consumers a) to understand how their data is collected, stored and used and b) to opt out whenever they choose. In short, the aim was to make consumers the sovereign controllers of their own personal information.
But if you think these goals have been achieved, allow me to disabuse you of that fantasy.
There isn’t a single consumer on the face of the earth capable of exercising their rights under GDPR or CCPA. Our ecosystem is vastly complex and in many cases not even industry professionals can explain how all of the different ad tech companies really work.
So, how is a consumer supposed to navigate it?
The regulations assign responsibility to the wrong entities
GDPR and CCPA essentially hold the advertiser responsible for any abuse of personal data that occurs when it acts as the “controller” (GDPR) or the “business” (CCPA). And they can’t contract that responsibility out to their vendors either. They must do the due diligence themselves.
But how can they? They don’t understand “how things work.” Every player in our ecosystem has a secret sauce – some technology or algorithm that supposedly drives better performance or provides its users with a competitive edge.
Do these ad tech providers reveal that secret sauce in such a way that allows the advertiser to ascertain if the technology runs afoul of the regulations?
Of course not. That would be commercial suicide, and enforced disclosure would kill innovation. So advertisers have no ability whatsoever to live up to the role that the regulators have assigned them.
It therefore follows that the regulations hold the wrong party accountable.
Focus on investors
A trade secret is a valuable asset that can make people a lot of money. But the technology company that developed it must be funded before that spigot is tapped. Here’s where VC and private equity investors come in, keen as they are to get in on opportunities that may make them rich.
Those investors are the only people who are given an explanation of the secret they are being asked to finance. Only they are commercially positioned to evaluate the lawfulness of a new technology – and, of course, they are also financially incentivized to keep that information secret. Yet investors have no regulatory incentive to assess the privacy compliance of the companies they fund.
What if standard due diligence incorporated privacy compliance? What if investors, prior to funding a company, invited the regulators in to conduct a full privacy compliance evaluation as a prerequisite to receiving the money?
I understand that regulators aren’t keen to serve as authorizing parties, but something must be done. As it stands, they’ve pushed responsibility – and punishment – onto advertisers, who have far less power than the regulators to establish whether the tech stacks they rely on are lawful.
Who funds the regulators?
I accept that this approach raises some thorny questions. Do regulators have the expertise to conduct the necessary privacy due diligence? Are they sufficiently funded?
But how about this: regulators can buy the expertise and pay for it via a levy on each investment deal. The investment ecosystem is already fueled by fees, typically some percentage of the deal paid to advisory firms for finding investors.
Advisory firms could be obligated to perform the kind of due diligence that their High Street and Wall Street banking equivalents are already required to perform. Just as HSBC is obliged to ensure that the money passing through it is not being laundered, advisory firms could be held accountable for ensuring that their fees, and their investors’ gains, are not ill-gotten.
If advisors are well-positioned to advise on the strategic value of the investee then, surely, they are equally well-positioned to deliver the compliance expertise required to assess the new technology’s level of lawfulness. If investors truly believe that the technology is sound, they should be willing to put their money where their mouth is.
And they can well afford it, as the fees that VC and PE advisors earn on these transactions are astronomical. Take LUMA Partners, which just advised on a transaction in which Experian acquired Tapad for $280 million. Let’s say LUMA’s fee was around the industry average of 3% of the deal. That means the firm enjoyed an $8.4 million pay day. Does anyone really believe there isn’t $500K in there to complete due diligence and certify that Tapad trades lawfully?
These reviews won’t slow deals down either. Certification can begin before a disposal, as part of due diligence, in the same way that accounts are audited, and it would eventually become a matter of course. And the reviews would be conducted by a regulator who is an expert in privacy and knows what to look for.
I want to be clear on this point: I’m not advocating new regulations, per se. I’m simply advocating for a regulatory model that obligates all parties in the ecosystem to protect the consumer so that burden doesn’t almost exclusively fall on the advertiser.
Automotive manufacturers get to specialize in automotive technology; they are not the primary target of penalties should they fall foul of a breach.
Why can’t advertisers be similarly protected?
Putting more companies on the compliance hook will protect consumers. Giving major sectors of the economy a pass only makes the job of compliance that much more difficult.