Everything You Need To Know About Programmatic Buying and Behavioral

Advertising

Presented by:

Monique Bhargava & Robert Newman

Today’s eLunch Presenters

Robert Newman Partner Chicago

rnewman@winston.com

(312) 558-8125

Monique Bhargava Associate Chicago

mabhargava@winston.com

(312) 558-3732

2

Overview

• The Problem • What is Online Behavioral Advertising? • What is Programmatic? • The Law and the Risks • Self-Regulation • Enforcement • Mobile, Offline, Cross-Device, and the Internet of Things • Data Protection and Retention

3

Notice

Choice

Transparency

Access

Collection and use

limitations

Security

4

Working with Marketing: What Are You Doing? Can Consumers Choose?

The Problem

• Working with the marketing group to: • Increase efficiency • Optimize digital marketing dollars • Provide more meaningful advertising experiences for consumers • Get and leverage more data

• While balancing risks associated with:

• Expectations of privacy • Security of personal information • Creepiness • Fraud and difficulties in tracking conversion rates • And more

6

What is Behavioral Tracking and Why Bother?

What is Online Behavioral Advertising (OBA)?

• Tracking of a consumer across time and across multiple sites and/or services for the purposes of serving that consumer with an ad based on perceived interest

• Predict and infer interests to tailor your ads

• Gives consumers better experiences online

8

What Isn’t OBA?

9

What Isn’t OBA?

10

Contextual

• Based on content of site you are visiting

Behavioral

• Based on activities over time and across multiple websites

Geo

• Based on real-time location

11

BIG Data

Consumer Profile

Brick and mortar

shopping

Online browsing

Payment information

Employment information

Mortgage information

Address information

12

What Data? Whose Data?

• First Party Data: A first party is the entity that is the owner of the website or has control over the website with which the consumer interacts. First parties usually have a direct interaction with the user

• Third Party Data: An entity is a third party to the extent that it engages in OBA on a non-affiliate’s website. User data that is collected, repackaged, and processed by companies that track and analyze consumer characteristics and preferences. Information collected and stored by publishers after the user visits a digital property

13

How Does it Actually Work?

How Does it Work?

15

Cookies

• Very small text file that a site saves to your computer using your web browser

• Cookies make the personalization of your web experiences possible

• Cookies can help sites remember items in your shopping cart, your log-in name, or your high game scores

16

Cookies

• Visit a site: cookie is placed on your computer’s browser by an ad network

• If you use that browser to visit other websites that ad network has a relationship with, the cookie also collects information about those visits

• The ad network can then assign the viewing behavior from a particular browser to different “interest segments” and then the ad network will serve different ads to different interest segments

17

Flash Cookies, Beacons, and More

• IDFA/Google Advertising ID • AD ID • HTML5 • LSOs • Flash Cookies • Beacons • Digital Fingerprinting

18

Buzzword Watch: “Programmatic”

Programmatic

• Data-driven automation of media buying and selling

20

The Basic Players

• Publisher made “inventory” available

• Advertiser bought blocks of “impressions” directly from the publisher

• Publisher had a bunch of leftover inventory. Gave rise to:

Ad Network

Advertiser/Agency Publisher

21

The Ad Network

• Ad Network – Sales broker, buying unsold inventory from the publisher • Aggregated that data and applied technology to create packaged

inventory • Sold those packages to the advertiser/agency buyer • Helps advertiser/agency target who they want

• Too many ad network players and inefficiencies gave rise to ad exchange

22

Ad Exchanges

• Allows buyers and sellers to trade audiences rather than inventory

• A marketplace where media is bought and sold • Buyers bid on audiences

23

Why Programmatic?

• Deliver the right ad, to the right person, at the right time

• Eliminate manual inventory-specific negotiation

• Real-time

• Optimize efficiencies

24

Optimizes Real-Time Bidding (RTB)

• Allows marketers to participate in an auction for the purchase of individual online ad impressions in “real time” as a webpage loads

• Bid based on audience segments

• Match the ad to a specific moment in time

25

Who Are the Players?

Brands/Advertisers

Agency

Agency Trading Desk

DSPs

DMPs

Ad Exchanges

Ad Networks

SSPs

Publishers

App Developers

OS Developers

Platform Providers

Mobile Carriers

26

27

Agency Trading Desk

• Audience-buying division of agency or agency holding company

• Analyze behavioral and demographic data of audiences to

help client target ads

28

Demand-Side Platforms (DSPs)

• Demand-Side: Advertisers

• DSPs: systems that serve ads on behalf of the advertiser in real-time based on specific rules

• Rules are based on data both from advertisers and publisher inventory sources (including Ad Exchanges and Sell-Side Platforms or SSPs)

• May use behavioral targeting data to determine if the audience segment and content should be targeted

29

Data Management Platforms (DMPs)

• Data warehouses for gathering, storing, and analyzing aggregated data • May link offline and online data

• Manage and segment audience data

• Analyze an audience segment better tailor your content

to that audience

30

Supply-Side Platforms (SSPs)

• Supplier: the publisher

• Supply-side platforms are tools publishers use to make their inventory available for programmatic buying

• Direct connection to DSPs

31

*Thanks to Holly Grochmal of Pandora Media for this graphic 32

Risks in Programmatic

• Lack of standard industry terminology

• Data protection issues

• Fraud

33

Fraud Is Real

• 2014 ANA & Whiteops study: Advertisers will lose $6.3 billion globally to bots in 2015

34

Contract Concerns

• Reporting • Ad Placement, Prohibited Sites, & Quality

• Editorial adjacencies and competitive separation

• Tracking Tools • Make Goods • Fraud Management • Use of Your Data • Disclosure of Your Data • Indemnification Considerations • Security Breaches

35

Watch Out: Sharing

• Does your vendor share/leverage your data for the benefit of all the vendor’s clients? • If yes, does your privacy policy allow for such sharing?

36

While there may be risks, there are important benefits

The Law and the Risks

Why Should We Worry About OBA? Failure to follow privacy principles and regulations can expose a company to risks of:

FTC Actions

State Attorney General Complaints

Consumer Class Actions

Industry-Specific Self-Regulatory Actions

40

Legal Overview

• Contracts

• Your Privacy Policy

• Federal Law

• State Law

• International

41

Expanding Definition of “Personal”

Sensitive: SSN, financial, health info

Identifiers: Names and addresses, phone numbers

"Other": Zip codes, location-based information

Behaviors: Online activities, mobile app usage

What's next?!

CALOPPA: “…any other identifier that permits the physical or online contacting of a specific individual”

42

De-Identified?

• Does it identify a person or a device?

43

De-Identified?

• Data has been de-identified when an entity has taken reasonable steps to ensure that the data cannot reasonably be re-associated or connected to an individual or be connected to or associated with a particular computer or device

44

Your Privacy Policy

• Be careful about disclosures in your privacy policy; those disclosures can limit what you can do

45

Federal Laws

• Section 5 of the FTC Act: It is unlawful to engage in a deceptive or unfair trade practice

• Wiretap Act (eavesdropping) • Computer Fraud and Abuse Act • Electronic Communications Privacy Act • COPPA (PII includes persistent identifiers like cookies) • Sector-specific laws Like HIPAA and GLBA • CAN-SPAM • TCPA • Laws prohibiting discrimination

46

State Laws

• State unfair and deceptive trade practices laws

• State constitutions • Example: California allows for suit for privacy invasions that are so

“serious in nature, scope, and actual or potential impact as to constitute an egregious breach of the social norms”

• CalOPPA

• Anti-spyware and adware laws

47

CalOPPA

Requires disclosures

• About use of PII and tracking

Defining PII under CalOPPA • Info used to re-contact someone • Includes info used to serve OBA-based ad

48

CalOPPA – What Disclosures?

“Over time and across multiple

websites”

Do not track –responding (yes or no?)

Not all tracking stops if cookies

deleted

What are choices about

tracking?

Third parties on site engage in

tracking

49

FTC and California AG “Guidance”

• Privacy by design

• Simplified consumer choice

• Transparency

• Just-in-time notice

50

The Protection Pillars

Notice Choice

51

Notice and Choice

• FTC’s Self-Regulatory Principles require every website where information is collected for OBA to provide a “clear, concise, consumer-friendly, and prominent” notice regarding the collection practices and explaining a choice that is: • Clear • Easy to use • Accessible

52

Self-Regulation

Self-Regulation

Notice Choice

54

Who?

55

What Isn’t Covered

• Keyword Targeting

• Contextual Targeting

• First-Party Targeting

56

The Principles

• Education • Transparency • Consumer Control • Data Security • Material Change • Sensitive Data • Accountability

57

What Should You Do?

• Provide on your website a clear explanation of your interest-based advertising practices with a link to an opt-out mechanism

• Ensure that real-time enhanced notice is provided each time an ad is served using OBA and on each page on which a third party is collecting data for OBA purposes

• The third party and first party share responsibility for the provision of enhanced notice; requires cooperation

58

Web-Based Opt-Out

• www.aboutads.info/choices

A cookie-based opt-out

59

Websites: The In-Ad Notice

60

Websites: Publisher/Advertiser Notice

61

Web-Based OBA Disclosure

62

Web-Based OBA Disclosure

63

Enforcement

Should We Worry?

$22.5 Million $2.4 Million $800,000

$15 Million $450,000 $14 Million

65

FTC Enforcement Activity

Alleged in part that Snapchat misrepresented its data collection practices; privacy policy stated that it did not track or access location info of Android users

Alleged misrepresentation related to handling of Safari browser opt-out

Alleged to have collected personal information from users’ mobile device address books without their knowledge and consent

Alleged to have collected personal information from children through its app without first notifying parents and obtaining their consent

66

Other Enforcement Actions

Consumer Class Actions

• Verizon and Turn: filed in February 2015; alleged that they use “supercookies” that track users for advertising purposes, even after the users delete the cookies

• Quantcast and Clearspring: were accused of using information in Flash cookies to “re-spawn” HTTP cookies to allow the companies to identify users and target advertising to them, even if the users had cleared their regular HTTP cookies, $2.4 million settlement

• comScore: the company allegedly monitored online activity and collected personally identifiable information but did not first get consent; the complaint also claimed that information was sold to third party clients of comScore. The case settled for $14 million

Industry Specific Self-Regulatory Actions

• BlueCava: allegedly didn't clearly disclose tracking across devices, DAA emphasized notice/choice not limited to "cookie based" tracking

• Turn: allegedly didn't have all of the needed OBA disclosures, and didn't send people to opt-out process

67

Bypassing Browser Privacy Settings

• November 2015: 3rd Circuit revives portion of MDL accusing Internet search company of bypassing browser privacy settings to track Internet usage under California Constitution and state tort law

68

Accountability and Enforcement

Since its creation in 2011, the Accountability

Program has issued at least 58 compliance actions

69

Accountability and Enforcement

Five decisions in which Answers Corporation, Best Buy, BuzzFeed, Go.com, and Yelp agreed to provide real-time, “enhanced” notice and choice to website visitors whenever non-affiliates collect information for personalizing ads. Even if there is no ad on the page.

70

May 2015 Accountability Sweep

• Etsy, Imgur, TWiT.tv, and 247 Sports

• Websites must provide their visitors with enhanced notice when third parties are collecting information to learn more about the products and services that might interest consumers

71

Enforcement: Interest-Based Native Advertising

• November 4, 2015 – Administrative disposition against Gravity and Outbrain • Content recommendation widget that placed promoted stories on publishers’

websites without enhanced notice

• First cases requiring the icon (or equivalent) when native advertisements

are geared to consumers’ personal interests

• Native advertising is expected to generate $21 billion in revenue by 2018, up from $4.7 billion in 2013

72

Avoid an Enforcement Action

• When negotiating with vendors, understand what is really happening

• Make sure there is notice • Logo should appear in/on the advertisement itself and when third

parties are collecting information for OBA • Also include notice on your own site

• Provide the ability to opt-out

• Can link from the notice

73

Avoid an Enforcement Action

• Carefully negotiate your contracts

• Require adherence to the Principles

• Consider limits on vendors’ rights to use and share your data

• Think about data protection and confidentiality

74

Mobile, Offline, Cross-Device, and the

Internet of Things

Mobile Sites and Apps

Cookie-based

Small screen

Business as usual (mostly)

Sites Device ID

OS based opt-out

DAA opt-out app

Apps

76

Mobile Sites and Apps

77

App Compliance

• The Digital Advertising Alliance offers a tool for opting out of

the collection of cross-app data on a mobile device for interest-based advertising. To exercise choice for companies participating in this tool, download the AppChoices app here.

78

Sensitive Information

• Health and Financial • Location • Personal Directory Data • Address Book • Photos • Videos • Text/call log • Children

79

Usage Restrictions

• Employment Eligibility

• Credit Eligibility

• Health Care Treatment Eligibility

• Insurance Eligibility and Underwriting and Pricing

80

Accountability and Enforcement

• Beginning in September 2015, the Online Interest Based Advertising Accountability Program began enforcing the Self-Regulatory Principles on mobile browsers and across mobile apps

81

Cross-Device

82

Cross-Device and the Principles

• Entities collecting Multi-Site Data and Cross-App Data from a particular browser or device for use on a different computer or device should provide notice

• Choices made by consumers applies to the collection of Multi-Site Data or Cross-App Data for use on another computer or device that is linked with the browser or device on which the choice is being exercised

83

FTC Workshop on Cross-Device Tracking

November 16, 2015

“Most controls do not allow opt-out of the underlying data collection and linking of identifiers” (FTC Chairwoman Edith Ramirez)

84

Beyond Mobile

Offline Multi-channel

Internet of things

85

Tracking and Data Security

Tracking and the Duty to Protect and the Duty to Destroy

(A terrible example)

87

Investigations, Forensics, Notification Crisis Management Lost Business, Regulatory, Compliance

Breaches!

24%

63%

$5.5 Million

Source: Ponemon Institute

13%

88

Conclusion

Best Practice Recommendations

Analyze practices

Understand vendors

Provide notice

Give choice

Protection procedures

Monitor compliance

90

Thank You.

Robert Newman Partner Chicago

rnewman@winston.com

(312) 558-8125

Monique Bhargava Associate Chicago

mabhargava@winston.com

(312) 558-3732

92