The ad tech ecosystem keeps Jessica Rich up at night.
“The current models just aren’t working,” said Rich, who until recently sat on the front lines of advertising regulation and enforcement as director of the Federal Trade Commission’s Bureau of Consumer Protection.
Rich resigned her post last week after a 26-year career at the commission spanning the dawn of personal computing to the ubiquity of smartphones.
She leaves a long legacy behind her, having built the FTC’s privacy program in the early 1990s, helped develop the Children’s Online Privacy Protection Act, founded what became the FTC’s Office of Technology and Research Investigations, populated the commission with tech-savvy staff and brought enforcement actions as bureau chief that led to around $14 billion in fines against everyone from Amazon and Apple to Vizio and Volkswagen.
Rich still isn’t sure what her next move will be, but it will definitely involve consumer protection and/or privacy.
The problem is that privacy policies usually do more to obscure that to educate and only a glutton for punishment – or a lawyer – is likely to read through to the end with any level of understanding.
“You could spend your whole day reading privacy policies if you want to and it wouldn’t work, because even if you tried, you wouldn’t know most of the companies that are collecting your data,” Rich said.
That puts a serious kink in the notion of notice and choice.
“We need tools that will truly drive the marketplace,” Rich said. “That was the idea behind Do Not Track. I know Do Not Track was a failed effort, but the goal was good: to try and make it easier for consumers to make choices.”
The ad industry reacted to Do Not Track in much the same way as it’s reacting to ad blockers – as a threat.
“If you can just toggle something and turn off a whole lot of activity, it’s a lot easier for consumers,” Rich said. “But it also shuts down some of the activity that a lot of businesses want to engage in.”
And the activity that businesses engage in – data collection and data-driven advertising – often funds the activities that consumers want to engage in.
Which begs the age-old question: Do consumers actually care about their privacy?
“I’m not sure we’ll ever get a definitive answer,” Rich said. “In all of the surveys, consumers say, ‘Oh, we care about our privacy,’ and then they constantly seem to make choices that suggest they don’t.”
The disparity between statement and action exists because it’s so difficult for consumers to exercise choice or, as Rich put it, “to vote with their feet.”
It’s “ridiculous” to expect consumers to manage their privacy by asking them to stop and read a privacy policy every time they want to take an action, and it’s especially ridiculous to ask it of them in a mobile environment “where there are devices everywhere collecting data from you,” she said.
But when consumers are presented with clearer information and choices, they do react. Social networks are a good example.
“When big companies like Google and Facebook change their privacy policy, we see a huge uproar [and] consumers actively engage with the permissions and settings to control who gets their information,” Rich said.
Consumers will make choices, if those choices are easy to make. Privacy researchers and policymakers are working on tools to make disclosures simpler for consumers, many of which have been explored at the FTC’s annual PrivacyCon event, including machine-readable type policies, universal opt-outs and automated mechanisms that predict preferences and make choices on behalf of consumers.
“Some of this is controversial in that consumers should be able to make choices for themselves,” Rich said. “But the idea of company-by-company disclosures, even if they’re made really brief and better, is becoming insane because there are so many companies collecting data and so many of them are invisible to consumers.”
Invisible and possibly harmful. “Harm” is often the litmus test for an FTC action, and there have been examples of potential harm caused by digital ad tracking without permission, said Rich, pointing to the FTC’s actions against InMobi and Turn.
In InMobi’s case, the mobile ad network was fined for tracking geolocation, including children’s data, without permission. Demand-side platform Turn settled with the FTC for allegedly tracking users with Verizon’s unique identifier header even after they’d opted out.
“If consumers are deceived or tracked against their wishes, that’s harmful – deception is harm,” Rich said. “The marketplace is supposed to be a place where you can make choices.”
