Sometimes I write myself notes when I can’t sleep. They’re often nonsensical, but some end up as bleary-eyed social media posts.
I was recently going over a few thoughts I had scribbled down during restless nights. And I realized they center on two competing forces in the debate over data privacy: the priorities of legislators and the priorities of browser companies.
Both of these forces are hurtling in a similar direction, which is increased consumer protection. But legislators and browser companies have radically different agendas and tools to enforce those agendas.
These competing agendas are limiting the tools publishers have at their disposal in ways that aren’t always primarily motivated by user privacy. And I find myself wondering if there will ultimately be any acceptable way for businesses to apply user data in future ad campaigns.
Here are the five things keeping me up at night these days when it comes to privacy in digital media:
1. Google and the blunt object of consumer choice
Google said it’s going to give consumers the choice to reject third-party cookies, rather than disabling them in Chrome by default. But how, exactly?
I confirmed that Google is going to offer the choice at the browser/account level and not on a site-by-site basis.
Unlike GDPR cookie banners or even iOS’s ATT (which involves users granting app-by-app consent), Chrome’s consumer choice will feel more like Safari’s data restrictions, which turn off cookies for all websites by default … and we know how much that sucks. 👎
2. Consumer protection laws vs. privacy laws
Most lawsuits we see today over mishandling user data stem from violating general consumer protection laws, not state privacy laws.
The New York Attorney General recently issued a “Business Guide” for how to steer clear of violating these consumer laws, since NY doesn’t have its own comprehensive privacy law. The #1 culprit that leads to violations, according to the guide, is faulty consent management platform (CMP) setups, and #2 is a tag manager not being configured correctly.
3. You’re doing your CMP wrong
Janky CMP installation puts businesses at significant risk for lawsuits of all kinds. It’s easy to spot when a CMP is slapped on a site with no additional effort or consideration (just ask, I’ll show you some examples). At best you have minimal compliance, but more likely the publisher’s language and settings don’t jive, and thus their overall approach to compliance is flawed or even faulty.
4. Let’s see some ID
New state laws ratchet up publishers’ and platforms’ responsibility for verifying ages before collecting data that may belong to a minor or before allowing access to certain content or products. On top of that, the definition of a minor in digital land is shifting from age 13 up to 18 in many states.
Age verification isn’t inherently bad; however, there are some major technical hurdles for reliably verifying a user’s age. Furthermore, there is a fundamental conundrum involved in handing over identification to verify that you should remain anonymous.
There is not a good solution for this yet, and a moving target of age definition means certain pubs’ monetization strategies and opportunities will remain in limbo.
5. Universal opt-out mechanisms
Here’s another acronym for you: UOOMs (pronounced “you-oh-oh-ems” or “you-ooooohms”) are already here (Global Privacy Control, anyone?). But their proliferation is going to upend the entire flow of data collection – not only how consent is granted, but also where it is granted.
Regulating consumers’ consent at the OS or browser level will categorically reduce the data capabilities of a site owner, regardless of their consent relationship with their visitors.
California tried to pass AB3034, which would have mandated that browsers and operating systems offer a native universal opt-out mechanism to convey the user’s consent status to downstream partners. California Governor Gavin Newsom vetoed the bill last week, arguing that a universal opt-out isn’t viable for mobile operating systems and that opt-outs already exist at the browser level. But if it had passed, it would have created competing types of opt-out signals that site owners would have had to comply with to curtail on-site data collection.
What this all means
At the end of the day, governments and tech platforms may indeed be overreaching in their crusade for privacy. Governments are dictating when and how data can be collected and how it can be used. And browsers/operating systems are breaking functionality that would allow a publisher to operate within those government regulations.
Going forward, third-party cookie access will be controlled in this waterfall: operating system > browser > site. That means the connection to a consumer’s data may be severed well before they arrive at the publisher’s site.
In the future, there may be very little of a user’s data left for a publisher to collect or apply in its advertising business. Third-party info will also be harder to find, and the only “good” data may be the small stores of first-party data gathered by publishers and their curator friends.
Despite the pain that privacy compliance brings to media owners, data scarcity may actually be a good thing for publishers. Rebalancing data availability can weaken DSPs’ power grasp on market liquidity and strengthen the publisher’s value in media markets. While that struggle has yet to play out, it’s ready for the main stage in 2025. Stay tuned!
“The Sell Sider” is a column written by the sell side of the digital media community.
Follow Scott Messer and AdExchanger on LinkedIn.
For more articles featuring Scott Messer, click here.