The UK data regulator has come under heavy fire for consistently delaying much-needed action, privacy groups say.
Before the advent of the internet, advertising was a complex process that required a lot of time and effort, and was often a luxury that was only accessible to the biggest, most successful companies.
Thanks to the explosion of e-commerce, the industry saw its first major shake-up in the 1990s with the advent of 480x60 banner ads that advertisers could choose to display on specific websites. This remained a manual process, though, and involved researching, checking metrics, and choosing which websites would bring the maximum return on investment (ROI) for advertisers.
The second major transformation came later that decade with the arrival of the first ad server software that would, as its name suggests, automatically serve ads. This software, which later became the Google Ad Manager, saw the advent of advertising technology – or AdTech. This is a term used to describe the tools and software used by advertisers to run, deliver, manage, and optimise advertising campaigns.
How has AdTech evolved?
The AdTech ecosystem comprises two major entities; the advertiser (demand-side) and the publisher (supply-side), and each has different goals; the former use AdTech to boost their campaign, zero in on their target market, and maximise their ROIs, while publishers use AdTech to optimise revenue generated from their ad inventory.
AdTech has evolved significantly since the debut of the first ad server in the late 1990s, and most platforms are now connected in some way to the programmatic advertising ecosystem – a series of technologies that allow ads to be bought and sold automatically.
One of these technologies is real-time bidding (RTB), which has been the source of much contention since it came to market in 2014. This technology has disrupted the media buying industry by introducing a far more efficient way to purchase advertising, bypassing media buyers, publishers, and ad networks.
RTB uses demand-side platforms (DSPs) to buy impressions among a marketplace of publisher sites, while targeting specific users. As an impression is loaded on a user’s web browser, information about that user and the page they’re on is passed to an ad exchange, which allows advertisers to bid in real-time for those impressions.
“It’s important to recognise that brands, agencies, and publishers are all benefiting from the rise of scaled contextual technology,” Tony Marlow, CMO at Integral Ad Science (IAS), tells IT Pro. “For advertisers, understanding context helps them build more impactful connections with their audiences by finding the optimal adjacencies for their campaign messaging. For publishers, smarter and more granular content classification means that they can package their inventory to be more relevant for both advertisers and consumers; this in turn unlocks extra yield.”
Why is RTB the source of such controversy?
Attitudes towards RTB and programmatic buying are becoming increasingly polarised. While, for advertisers, these technologies act as a convenient way to reach a target audience at scale and cost-effectively, for privacy campaigners, they act as a tool for the mass exploitation of user data.
As laid out in a recent report by the Irish Council for Civil Liberties (ICCL), RTB relies on personal data – including a user’s location information, device details, and browsing habits – to personalise ads. On average, per day, a person’s data is shared 747 times in the US and 376 times in Europe, the ICCL report found. Combined, this comes to an average of 294 billion broadcasts per day in the US, 197 billion a day in Europe, and a staggering 178 trillion per year in the US and Europe combined.
These auctions generated over $117 billion in 2021 in the US and Europe, the report claims – and other estimates expect the RTB market to grow a further $16.52 billion by 2026.
These statistics have caught the eye of regulators, too. The Information Commissioner’s Office (ICO) published a report in June 2019 identifying a range of issues in AdTech that amounted to critical data protection violations.
It found the multi-billion dollar industry, which is overwhelmingly dominated by Google and Facebook, doesn’t gain consent from users when processing personal data, which includes information on sexuality, political leaning, and race. RTB was highlighted as the central tool through which personal data was being misused.
This represents a violation of standards set under the General Data Protection Regulation (GDPR), and the UK's Data Protection Act (DPA) 2018, according to the report published by the UK data regulator.
"Under data protection law, using people's sensitive personal data to serve adverts requires their explicit consent, which is not happening right now," said the ICO's executive director for technology policy and innovation, Simon McDougall, at the time. "Sharing people's data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises questions around the security and retention of this data."
Why is the ICO under fire over RTB?
Since this report was published, the ICO says it’s been "encouraged" by steps the industry has taken, and has agreed on a range of new principles with the Interactive Advertising Bureau (IAB), a trade association for AdTech businesses. In that vein, the watchdog has yet to act or enforce any further regulation.
This led the Open Rights Group (ORG), a UK-based organisation that works to preserve digital rights and freedoms, to threaten legal action against the ICO for taking “minimal steps” to enforce the law against the “massive data breaches” in the online ad industry.
"The ICO is a regulator, so it needs to enforce the law,” says the ORG’s executive director, Jim Killock. “It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance.”
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties and former Brave chief policy officer, went a step further and, in 2020, launched legal action against Google, Facebook, Amazon, Twitter, and AT&T in Germany.
Under pressure from these different quarters, the ICO restarted its probe in January 2021. McDoughall said at the time it will also be reviewing the role of data brokers, which plays a large part in RTB, in the AdTech ecosystem.
Society is becoming more privacy-conscious
It’s not just digital rights advocates that have sounded the alarm about the AdTech industry, as consumers, too, are becoming more concerned about the trading of their personal information online.
Ossie Bayram, country director at the mobile AdTech firm Ogury, tells IT Pro that normal practices are crumbling under pressure from privacy-conscious users and regulators. People are becoming far more aware of the value of their own data, and they’re much more resistant to tracking. “As a consequence, traditional players, who continue to deliver ID-based and cookie-based campaigns, although representing a large proportion of the market, are bound to disappear in the coming years.”
Toby Evans, director of publisher and platform partnerships at SoPost, agrees, telling IT Pro that Facebook’s Cambridge Analytica scandal was a turning point in consumers’ attitudes towards online privacy. “What once seemed fairly harmless – and, to be fair, is still what keeps the worldwide web free to use – has increasingly become distinctly sinister around the edges,” he says.
“We’ve known for years that something is amiss: the Cambridge Analytica scandal of 2018 was a highly publicised case in which the mass of data mined from Facebook gave the company the ability to know more about Facebook users than they even knew about themselves. And when knowledge reaches that level, it can easily be used for manipulation – which is exactly what Cambridge Analytica did.”
Finding a way out of the AdTech warzone
This widespread kickback has led some big-name tech companies to act. Apple, for example, introduced changes that allow iPhone users to choose which apps can track their behaviour across other apps, while Google will phase out third-party cookies by 2023.
“Apple’s privacy changes and Google’s upcoming deprecation of third-party cookies have had a huge impact on the viability of many ad-targeting mechanisms – even if the more cynical of us may say that, given the scale of these businesses’ access to first-party data, their true aim is less altruistic and more akin to a power grab,” Evans adds. “But, in any case, hopefully we can soon all welcome a world in which a privacy-aware public can enjoy greater transparency and a fairer value exchange, the results of a kinder, fairer means of marketing.”
Many believe, as a result of these moves, the exploitation of cookies and advertising IDs will soon become obsolete. This would particularly apply with the creation of cookieless alternatives that’s seen AdTech platforms turn to contextual and semantic targeting.
“Companies with the right cultural mindsets often look for alternative solutions that achieve the same goal using a more privacy-friendly approach,” Dr Sachiko Scheuing, European privacy officer at Acxiom, tells IT Pro. “These companies are moving towards contextual advertising, online advertising using trusted third parties (having a company in between to anonymise the data), and advanced encryption techniques for a safer digital ecosystem.”
However, Scheuing believes that the ultimate solution is accountability from the AdTech companies themselves. “Consent is seen by many as the solution to AdTech regulation, but it is not a panacea for increased compliance,” she says. “The solution instead should be to have a stronger emphasis on accountability-based data protection, which can be furthered when AdTech companies think of the impact their products and services have on consumers’ right to data protection.”