The fate of each ad tech company hinges on whether or not it has a privacy strategy.
Regulators, privacy advocates and web browsers are targeting core capabilities around targeting and measurement, which affects vendor product, engineering and commercial teams.
So TripleLift appointed its first Chief Privacy Officer, Julia Shullman, in January.
Her mission is to make sure TripleLift doesn’t just comply with regulation like GDPR and CCPA, but also approaches privacy strategically, especially as third-party cookies lose viability due to Safari ITP and Chrome’s decision to drop them in two years.
“Privacy is the most pressing legal issue, if not the most pressing strategic issue in our space,” Shullman said. A large part of her role requires spotting how the company can get ahead of potential future privacy issues.
Shullman leads a cross-functional team that includes product, engineering, commercial teams as well as security and privacy experts.
And she’s not a newbie to figuring out how ad tech should navigate privacy. She previously served as VP and general privacy counsel at AppNexus, and later held the same position at Xandr. She also chaired the steering group for the IAB’s efforts around the transparency and consent framework.
She talked to AdExchanger.
AdExchanger: How will the loss of third-party cookies in Chrome affect TripleLift?
JULIA SHULLMAN: Anyone in the space who says they have a perfect answer to that question right now either doesn’t know what they’re talking about or is lying.
Our ecosystem over the past twenty years has become inefficient, complex and misunderstood. On any given ad transaction, there could be upwards of 1,000 parties participating. There’s been a lot of innovation, but in the process consumers have lost trust in what’s happening with their data. That’s what’s driving Google and the device manufacturers to push the ecosystem to rethink how things are done.
Did you expect Chrome to drop third-party cookies?
There are a lot of us that are very surprised people didn’t see the Chrome announcement coming. Or that identity was so tightly intertwined with privacy obligations. People are finally seeing it. It’s important for folks to understand that in order to meet privacy requirements going forward, the whole industry is going to have to partner together to solve issues.
What will cross-industry partnership look like?
The regulations that have been drafted globally were not necessarily drafted with ad tech in mind, and they certainly weren’t drafted by technologists. They require a lot of interpretation. That means that the ecosystem breaks down if one party thinks about the law one way, and the other party thinks of the law another way. There is no way for us to transact together.
How are you thinking about the path forward without cookies?
There is the “staying the path” perspective, which is thinking about what may replace cookies or ad identifiers. The other path is thinking creatively about a better way to make this work, both from an efficiency perspective and from a privacy perspective. We are looking at both.
Why haven’t existing privacy initiatives like ‘Do Not Track’ worked out?
One, I’m not sure that they haven’t worked out. The problem has been the industry didn’t do a good job in two areas. The first is educating consumers and the industry as a whole on how the ecosystem operates and how data is collected and used.
The second reason – and more interesting from a strategic perspective – is that the industry hasn’t recognized the different commercial interests at the table, and how that affects how companies interpret requirements and influence solutions and requirements.
What’s an example of those different commercial interests at play?
Companies are generally incentivized to provide a good consumer experience. But there is conflict between how advertisers use their data to show ads to consumers, and how publishers protect their audience and the value of their content.
Most fascinating are companies that are third parties but also publishers, and control the devices and operating systems that provide the ecosystem with ad identifiers to use, track and measure ads. They are essentially the gatekeepers of those identifiers, so of course they’re motivated to interpret regulations in a way that will benefit them.
How do you counter the idea that lawyers are often a roadblock in a business?
First, [privacy leaders] have to understand the tech, cold. They have to understand the product and how it collects user data, often better than the product team. They also have to understand the commercial interests of the company. More important, they have to understand the commercial interests of all the other companies in the ecosystem, and how that might affect interoperability between partners.
What do you think of the idea of replacing third-party cookies with a hashed but more persistent identifier like an email or phone number?
I think about it from a consumer perspective first. How do they control use of that identifier? As flawed as cookies and mobile IDs are, consumers can control them from their device because they’re device-level identifiers. So how do we effectuate choices for consumers?
Second, I think about it from an ecosystem perspective. How do we interoperate with each other? Or maybe that’s not the right approach, and there is a paradigm shift in how we access information in this space and provide our service. Are we thinking about how things operate today? Or taking a big step back to think about changing the industry paradigm for how everything works?
This interview has been condensed and edited.