Everything You Need To Know About Programmatic Buying and Behavioral
Advertising
Presented by:
Monique Bhargava & Robert Newman
Today’s eLunch Presenters
Robert Newman, Partner, Chicago
(312) 558-8125
Monique Bhargava, Associate, Chicago
(312) 558-3732
Overview
• The Problem
• What is Online Behavioral Advertising?
• What is Programmatic?
• The Law and the Risks
• Self-Regulation
• Enforcement
• Mobile, Offline, Cross-Device, and the Internet of Things
• Data Protection and Retention
Notice
Choice
Transparency
Access
Collection and use limitations
Security
Working with Marketing: What Are You Doing? Can Consumers Choose?
The Problem
• Working with the marketing group to:
  • Increase efficiency
  • Optimize digital marketing dollars
  • Provide more meaningful advertising experiences for consumers
  • Get and leverage more data
• While balancing risks associated with:
  • Expectations of privacy
  • Security of personal information
  • Creepiness
  • Fraud and difficulties in tracking conversion rates
  • And more
What is Behavioral Tracking and Why Bother?
What is Online Behavioral Advertising (OBA)?
• Tracking of a consumer across time and across multiple sites and/or services for the purposes of serving that consumer with an ad based on perceived interest
• Predict and infer interests to tailor your ads
• Gives consumers better experiences online
What Isn’t OBA?
Contextual
• Based on content of site you are visiting
Behavioral
• Based on activities over time and across multiple websites
Geo
• Based on real-time location
BIG Data
Consumer Profile
Brick and mortar shopping
Online browsing
Payment information
Employment information
Mortgage information
Address information
What Data? Whose Data?
• First Party Data: A first party is the entity that is the owner of the website or has control over the website with which the consumer interacts. First parties usually have a direct interaction with the user
• Third Party Data: An entity is a third party to the extent that it engages in OBA on a non-affiliate’s website. User data that is collected, repackaged, and processed by companies that track and analyze consumer characteristics and preferences. Information collected and stored by publishers after the user visits a digital property
How Does it Actually Work?
How Does it Work?
Cookies
• Very small text file that a site saves to your computer using your web browser
• Cookies make the personalization of your web experiences possible
• Cookies can help sites remember items in your shopping cart, your log-in name, or your high game scores
Cookies
• Visit a site: cookie is placed on your computer’s browser by an ad network
• If you use that browser to visit other websites that ad network has a relationship with, the cookie also collects information about those visits
• The ad network can then assign the viewing behavior from a particular browser to different “interest segments” and then the ad network will serve different ads to different interest segments
Flash Cookies, Beacons, and More
• IDFA/Google Advertising ID
• AD ID
• HTML5
• LSOs
• Flash Cookies
• Beacons
• Digital Fingerprinting
Buzzword Watch: “Programmatic”
Programmatic
• Data-driven automation of media buying and selling
The Basic Players
• Publisher made “inventory” available
• Advertiser bought blocks of “impressions” directly from the publisher
• Publisher had a bunch of leftover inventory. Gave rise to:
Ad Network
Advertiser/Agency Publisher
The Ad Network
• Ad Network – Sales broker, buying unsold inventory from the publisher
• Aggregated that data and applied technology to create packaged inventory
• Sold those packages to the advertiser/agency buyer
• Helps advertiser/agency target who they want
• Too many ad network players and inefficiencies gave rise to ad exchange
Ad Exchanges
• Allows buyers and sellers to trade audiences rather than inventory
• A marketplace where media is bought and sold
• Buyers bid on audiences
Why Programmatic?
• Deliver the right ad, to the right person, at the right time
• Eliminate manual inventory-specific negotiation
• Real-time
• Optimize efficiencies
Optimizes Real-Time Bidding (RTB)
• Allows marketers to participate in an auction for the purchase of individual online ad impressions in “real time” as a webpage loads
• Bid based on audience segments
• Match the ad to a specific moment in time
Who Are the Players?
Brands/Advertisers
Agency
Agency Trading Desk
DSPs
DMPs
Ad Exchanges
Ad Networks
SSPs
Publishers
App Developers
OS Developers
Platform Providers
Mobile Carriers
Agency Trading Desk
• Audience-buying division of agency or agency holding company
• Analyze behavioral and demographic data of audiences to help client target ads
Demand-Side Platforms (DSPs)
• Demand-Side: Advertisers
• DSPs: systems that serve ads on behalf of the advertiser in real-time based on specific rules
• Rules are based on data both from advertisers and publisher inventory sources (including Ad Exchanges and Sell-Side Platforms or SSPs)
• May use behavioral targeting data to determine if the audience segment and content should be targeted
Data Management Platforms (DMPs)
• Data warehouses for gathering, storing, and analyzing aggregated data
• May link offline and online data
• Manage and segment audience data
• Analyze an audience segment to better tailor your content to that audience
Supply-Side Platforms (SSPs)
• Supplier: the publisher
• Supply-side platforms are tools publishers use to make their inventory available for programmatic buying
• Direct connection to DSPs
*Thanks to Holly Grochmal of Pandora Media for this graphic
Risks in Programmatic
• Lack of standard industry terminology
• Data protection issues
• Fraud
Fraud Is Real
• 2014 ANA & White Ops study: Advertisers will lose $6.3 billion globally to bots in 2015
Contract Concerns
• Reporting
• Ad Placement, Prohibited Sites, & Quality
• Editorial adjacencies and competitive separation
• Tracking Tools
• Make Goods
• Fraud Management
• Use of Your Data
• Disclosure of Your Data
• Indemnification Considerations
• Security Breaches
Watch Out: Sharing
• Does your vendor share/leverage your data for the benefit of all the vendor’s clients?
• If yes, does your privacy policy allow for such sharing?
While there may be risks, there are important benefits
The Law and the Risks
Why Should We Worry About OBA?
Failure to follow privacy principles and regulations can expose a company to risks of:
• FTC Actions
• State Attorney General Complaints
• Consumer Class Actions
• Industry-Specific Self-Regulatory Actions
Legal Overview
• Contracts
• Your Privacy Policy
• Federal Law
• State Law
• International
Expanding Definition of “Personal”
Sensitive: SSN, financial, health info
Identifiers: Names and addresses, phone numbers
"Other": Zip codes, location-based information
Behaviors: Online activities, mobile app usage
What's next?!
CalOPPA: “…any other identifier that permits the physical or online contacting of a specific individual”
De-Identified?
• Does it identify a person or a device?
De-Identified?
• Data has been de-identified when an entity has taken reasonable steps to ensure that the data cannot reasonably be re-associated or connected to an individual or be connected to or associated with a particular computer or device
Your Privacy Policy
• Be careful about disclosures in your privacy policy; those disclosures can limit what you can do
Federal Laws
• Section 5 of the FTC Act: It is unlawful to engage in a deceptive or unfair trade practice
• Wiretap Act (eavesdropping)
• Computer Fraud and Abuse Act
• Electronic Communications Privacy Act
• COPPA (PII includes persistent identifiers like cookies)
• Sector-specific laws like HIPAA and GLBA
• CAN-SPAM
• TCPA
• Laws prohibiting discrimination
State Laws
• State unfair and deceptive trade practices laws
• State constitutions
  • Example: California allows for suit for privacy invasions that are so “serious in nature, scope, and actual or potential impact as to constitute an egregious breach of the social norms”
• CalOPPA
• Anti-spyware and adware laws
CalOPPA
Requires disclosures
• About use of PII and tracking
Defining PII under CalOPPA
• Info used to re-contact someone
• Includes info used to serve OBA-based ad
CalOPPA – What Disclosures?
• “Over time and across multiple websites”
• Do not track – responding (yes or no?)
• Not all tracking stops if cookies deleted
• What are choices about tracking?
• Third parties on site engage in tracking
FTC and California AG “Guidance”
• Privacy by design
• Simplified consumer choice
• Transparency
• Just-in-time notice
The Protection Pillars
Notice Choice
Notice and Choice
• FTC’s Self-Regulatory Principles require every website where information is collected for OBA to provide a “clear, concise, consumer-friendly, and prominent” notice regarding the collection practices and explaining a choice that is:
  • Clear
  • Easy to use
  • Accessible
Self-Regulation
Self-Regulation
Notice Choice
Who?
What Isn’t Covered
• Keyword Targeting
• Contextual Targeting
• First-Party Targeting
The Principles
• Education
• Transparency
• Consumer Control
• Data Security
• Material Change
• Sensitive Data
• Accountability
What Should You Do?
• Provide on your website a clear explanation of your interest-based advertising practices with a link to an opt-out mechanism
• Ensure that real-time enhanced notice is provided each time an ad is served using OBA and on each page on which a third party is collecting data for OBA purposes
• The third party and first party share responsibility for the provision of enhanced notice; requires cooperation
Web-Based Opt-Out
• www.aboutads.info/choices
A cookie-based opt-out
Websites: The In-Ad Notice
Websites: Publisher/Advertiser Notice
Web-Based OBA Disclosure
Enforcement
Should We Worry?
$22.5 Million $2.4 Million $800,000
$15 Million $450,000 $14 Million
FTC Enforcement Activity
Alleged in part that Snapchat misrepresented its data collection practices; privacy policy stated that it did not track or access location info of Android users
Alleged misrepresentation related to handling of Safari browser opt-out
Alleged to have collected personal information from users’ mobile device address books without their knowledge and consent
Alleged to have collected personal information from children through its app without first notifying parents and obtaining their consent
Other Enforcement Actions
Consumer Class Actions
• Verizon and Turn: filed in February 2015; alleged that they use “supercookies” that track users for advertising purposes, even after the users delete the cookies
• Quantcast and Clearspring: were accused of using information in Flash cookies to “re-spawn” HTTP cookies to allow the companies to identify users and target advertising to them, even if the users had cleared their regular HTTP cookies, $2.4 million settlement
• comScore: the company allegedly monitored online activity and collected personally identifiable information but did not first get consent; the complaint also claimed that information was sold to third party clients of comScore. The case settled for $14 million
Industry Specific Self-Regulatory Actions
• BlueCava: allegedly didn't clearly disclose tracking across devices; DAA emphasized that notice/choice is not limited to "cookie based" tracking
• Turn: allegedly didn't have all of the needed OBA disclosures, and didn't send people to opt-out process
Bypassing Browser Privacy Settings
• November 2015: 3rd Circuit revives portion of MDL accusing Internet search company of bypassing browser privacy settings to track Internet usage under California Constitution and state tort law
Accountability and Enforcement
Since its creation in 2011, the Accountability Program has issued at least 58 compliance actions
Accountability and Enforcement
Five decisions in which Answers Corporation, Best Buy, BuzzFeed, Go.com, and Yelp agreed to provide real-time, “enhanced” notice and choice to website visitors whenever non-affiliates collect information for personalizing ads, even if there is no ad on the page.
May 2015 Accountability Sweep
• Etsy, Imgur, TWiT.tv, and 247 Sports
• Websites must provide their visitors with enhanced notice when third parties are collecting information to learn more about the products and services that might interest consumers
Enforcement: Interest-Based Native Advertising
• November 4, 2015 – Administrative disposition against Gravity and Outbrain
  • Content recommendation widget that placed promoted stories on publishers’ websites without enhanced notice
• First cases requiring the icon (or equivalent) when native advertisements are geared to consumers’ personal interests
• Native advertising is expected to generate $21 billion in revenue by 2018, up from $4.7 billion in 2013
Avoid an Enforcement Action
• When negotiating with vendors, understand what is really happening
• Make sure there is notice
  • Logo should appear in/on the advertisement itself and when third parties are collecting information for OBA
  • Also include notice on your own site
• Provide the ability to opt-out
  • Can link from the notice
Avoid an Enforcement Action
• Carefully negotiate your contracts
• Require adherence to the Principles
• Consider limits on vendors’ rights to use and share your data
• Think about data protection and confidentiality
Mobile, Offline, Cross-Device, and the Internet of Things
Mobile Sites and Apps
Sites
• Cookie-based
• Small screen
• Business as usual (mostly)
Apps
• Device ID
• OS based opt-out
• DAA opt-out app
App Compliance
• The Digital Advertising Alliance offers a tool for opting out of the collection of cross-app data on a mobile device for interest-based advertising. To exercise choice for companies participating in this tool, download the AppChoices app here.
Sensitive Information
• Health and Financial
• Location
• Personal Directory Data
• Address Book
• Photos
• Videos
• Text/call log
• Children
Usage Restrictions
• Employment Eligibility
• Credit Eligibility
• Health Care Treatment Eligibility
• Insurance Eligibility and Underwriting and Pricing
Accountability and Enforcement
• Beginning in September 2015, the Online Interest Based Advertising Accountability Program began enforcing the Self-Regulatory Principles on mobile browsers and across mobile apps
Cross-Device
Cross-Device and the Principles
• Entities collecting Multi-Site Data and Cross-App Data from a particular browser or device for use on a different computer or device should provide notice
• Choices made by consumers apply to the collection of Multi-Site Data or Cross-App Data for use on another computer or device that is linked with the browser or device on which the choice is being exercised
FTC Workshop on Cross-Device Tracking
November 16, 2015
“Most controls do not allow opt-out of the underlying data collection and linking of identifiers” (FTC Chairwoman Edith Ramirez)
Beyond Mobile
Offline Multi-channel
Internet of things
Tracking and Data Security
Tracking and the Duty to Protect and the Duty to Destroy
(A terrible example)
Breaches!
[Chart: Investigations, Forensics, Notification Crisis Management Lost Business, Regulatory, Compliance; values shown: 24%, 63%, 13%, $5.5 Million. Source: Ponemon Institute]
Conclusion
Best Practice Recommendations
Analyze practices
Understand vendors
Provide notice
Give choice
Protection procedures
Monitor compliance
Thank You.