“Private eyes
They’re watching you
They see your every move”
That was FTC Commissioner Mark Meador’s rather droll choice for walk-on music when he spoke at the Marketecture Live event in New York City earlier this week.
Nothing like a little Hall & Oates to get you in the mood to talk about cookie-based opt-out mechanisms and whether self-regulation has become obsolete for online advertising.
The reality of self-reg
But for anyone still treating self‑reg as air cover, Meador’s comments were a lot less playful. It can be a useful tool, but it’s not much of a shield.
Self‑reg in ad tech has always been a bit of a patch job. The NAI, the DAA and various other bodies espousing principles, frameworks and codes of conduct have tried to paper over the absence of a federal privacy law, with decidedly mixed results.
Still, Meador said industry self-regulation “is always going to have a role to play,” even alongside state and federal laws, provided it’s anchored by a neutral third party that has industry buy-in and enough authority to do something about complaints, including referring matters to the Federal Trade Commission when needed.
He name-checked the National Advertising Division of BBB National Programs, which regularly escalates complaints to the FTC. And “we take those very seriously,” he said.
The NAD reviews whether national advertising is truthful and substantiated and sends cases to the FTC if advertisers refuse to change or pull misleading claims. “There’s a model out there that can work when it’s done well,” Meador said.
But he was just as quick to point out – it’s “the antitrust lawyer in me,” he said – that the picture gets more complicated once you zoom out and consider competition.
“We also want to make sure that any venue for self-regulation doesn’t inadvertently become a venue for collusion and coordination,” Meador said.
He added that there’s a fine line between self‑regulatory efforts aimed at punishing bad actors and resolving concerns and those that “turn into large incumbents … using self‑regulation as a pretext to keep out a new upstart competitor.
(“Well, that could never happen in the ad space,” deadpanned privacy attorney Alan Chapell, who was interviewing Meador on stage.)
‘No technology is perfect’
From there, the conversation shifted to cookie-based opt-out mechanisms, which have essentially been the industry’s default online privacy tool for the past 25 years. But they’re far from perfect.
As Chapell noted, cookies are technically fragile, they frequently get deleted, they don’t persist across devices and they’re invisible to most consumers. “Other than that, they’re great,” he said.
Given these limitations, do cookie-based opt-outs meet the bar for meaningful consumer control?
Meador didn’t dispute the well-known drawbacks, but he reached for the lawyerly answer, with apologies: “It depends,” he said.
For the FTC, Meador said, the issue isn’t whether cookies are elegant but whether they work well enough in practice compared to the alternatives.
“No technology is perfect,” he said. “When we’re looking at it from a law-enforcement perspective, whether the use of any technology amounts to an unfair or deceptive practice, that’s a very contextual question.”
And just as with self-regulation, there’s a competition caveat.
Meador noted that the FTC is “aware that there have been competition concerns about the degradation of cookies” and also “whether the shift to a platform ostensibly oriented around increasing privacy isn’t simply [another] pretext to lock up a browser market or access to critical data.”
Well, that’s one way to say “Google” without saying “Google.”
Don’t let perfect be the enemy …
But after all the caveats, Meador offered something closer to a carveout on age verification.
There’s been “a lot of technological development in the age-verification space,” he said, including AI systems that can tell kids from adults just by analyzing their hand gestures.
“It’s something you would never think of,” Meador said, “and it’s a minimal data burden or personal privacy burden.”
More importantly, though, he stressed that the FTC doesn’t want COPPA – the Children’s Online Privacy Protection Act – to be the reason companies avoid building reasonable and innovative age checks.
Last month, the FTC issued a policy statement clarifying that if companies collect a small amount of data solely for age verification – and they’re also careful to minimize how much they collect, ensure it’s not retained and that the data is not being used for any other purpose – then they don’t have to worry about getting hit with an FTC enforcement action.
“We don’t want COPPA to be an impediment to the adoption of feature innovation,” Meador said.
🙏 Thanks for reading! As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback. Also, I think this cat has private eyes and they’re watching you.
