Data privacy has always been a hot topic, but as the age of big data, machine learning, and artificial intelligence gets into full swing, it’s never been more top of mind. Consumers are becoming more conscious about whom they share their information with and why it’s being collected. Perhaps more importantly, governments are becoming more aware that national strategies regarding privacy and data regulation must lead to crucial pieces of legislation that take on our high tech future.
The introduction of the General Data Protection Regulation (GDPR) served to push data privacy into the limelight in 2017, and it continued right into 2019 when the California Consumer Protection Act (CCPA) was announced. The IAB’s development of and subsequent updates to corresponding consent frameworks have continued that conversation into this year.
So what’s to come for data privacy trends in 2020? We’re glad you asked!
The need for contact tracing during the COVID-19 pandemic has brought the issue of data privacy forward in a new and enlightening way, and those in the advertising industry are still reeling from the announcement from Google that the third party cookie is on its way out. So let’s take a look at some of the trends we think are worth keeping an eye on in 2020.
State-by-state introduction of privacy laws
Like California, many states are jumping on the bandwagon of producing their own legislation when it comes to data protection. Maine and Nevada have passed smaller laws, Massachusetts has tabled legislation that is currently on hold, and states like Washington, Texas, and New York are already having serious discussions about data privacy after bills tabled in 2019 were defeated.
The CCPA set a precedent in the US for individual states taking control of data protection for their citizens, and absent a national strategy, we expect more states to get on board. The California Attorney General’s enforcement guidelines for CCPA take effect July 1, 2020.
Speaking of a national strategy…
With more and more states creating their own unique legislation, compliance across the US (and for those of us who do business there) could become a complete nightmare. It’s for this reason that we think that businesses and legislators alike will be clamoring for a national strategy that unifies the industry’s requirements and makes it easier for businesses to make sure they’re compliant. Indeed, 51 of the top CEOs in the US got together and penned an open letter to congress requesting a federal piece of privacy legislation. Granted, their desire for this legislation stemmed more from a fear that the state-by-state approach would leave the privacy landscape incredibly patchy and thereby hard to navigate for big business, but it’s still reflective of a general desire for one, continuous piece of legislation.
As with all things, there may be a bit of one-upmanship happening between countries as well — with countries who are later to the privacy party taking the best parts of early legislation developed elsewhere and creating their own based on knowledge learned along the way.
Adoption of the TCF 2.0 framework
The IAB Europe Transparency &; Consent Framework v2.0 was announced on August 21, 2019, and gave publishers, vendors, and consent management platforms (CMPs) until March of 2020 to make the required updates to remain compliant. So far, this framework implementation has been pushed back twice — once to June 30th, and yet again to August 15th for full migration from the original TCF 1.1.
The purpose of this framework is generally to standardize how businesses (publishers and ad tech vendors alike) comply with GDPR while still running programmatic advertising. Many felt that the first version was biased towards ad tech vendors, so TCF v2.0 has been geared towards closing loopholes, providing more clarity on how vendors can use data they collect, and removing the option for vendors to rely on legitimate interest to set or read cookies. Given that the IAB framework sets an industry-wide standard — and that Google has announced their plan to join the framework — this makes TCF 2.0 a game changer, and something that we should all keep an eye on throughout 2020.
Transparency will be the name of the game
Third-party breaches have been key drivers of privacy legislation (Cambridge Analytica, anyone?), but at the root of all of our data woes is the lack of transparency about who is collecting our data, how it’s being used, whether or not it’s being shared (or sold!), and how it’s being stored. Brands need to be more careful than ever before about which third parties they interact and share data with — many going so far as to create risk profiles, and conducting third-party risk assessments.
Further than that, brands are going to be held to higher standards about what kind of consumer data they’re collecting, and whether they’re using it ethically or not. The elimination of the third-party cookie is just one step that browsers are taking to protect consumer privacy, and the marketing and advertising industry is going to have to keep up. It’s not that consumers don’t want targeted ads — a survey from the IAB shows that 71% of consumers prefer ads that reflect their interests and shopping habits. But they want to control what information they’re sharing, with whom, and when.
Google has erected The Privacy Sandbox where industry professionals can get involved in testing ideas to replace the functionality of the third party cookie without bypassing consumer consent. There’s also considerable effort to mitigate potential workarounds that might similarly affect consumer consent and privacy, which is after all the point of the whole thing. They’re set to start testing some of these options as we speak, and here are a few promising candidates:
Federated Learning of Cohorts (FLoCs)
To put this one simply, it’s a way of using AI to learn about users and their behaviour without the data ever having to leave their device; training a centralized model on decentralized data. The AI has access to the data on your device, does its learning there, and then takes the results of its learning (not your data) back to the centralized server where the AI lives. The best part about this option from our perspective is that it’s encrypted from the beginning, with a key that the server doesn’t even have — something called secure aggregation.
The last part is the key to this method holding any water — we need to make sure that the results can’t be used to reverse engineer the data used to produce them.
Specifically taking aim at the prospect of remarketing strategies in a third-party-cookie-less age, this proposal involves an API where all of the consumer’s private information is stored within their browser. It would allow advertisers to service ads based on genuine interest, but they wouldn’t be able to combine that interest with other information about the particular user — who they are, where they’re located, or what page they’re on.
This thematically appropriate response to Google’s TURTLEDOVE initiative is in the early stages, but shows some promise. The biggest difference between the two is that with SPARROW, the logic and decision-making that happens during an ad auction would happen with an independent third party — what Criteo (the mind behind the initiative) is calling “the gatekeeper”. SPARROW doesn’t, in its current iteration, meet Google’s security standards and critics argue that these gatekeepers could become huge targets for hackers to gain access to users’ stored personal information. That being said, it’s an early version and improvements can definitely be made — therefore we still see SPARROW as one to watch.
Spam and fraudulent actors are always factors when you’re dealing with the internet, and trust tokens are one possibility to address them once third party cookies bite the dust. Basically, each user would have a privacy token specific to them that is cryptographically signed so that it can’t be forged. Third parties would be able to read them, but they are stored in the browser and the data never leaves the user’s possession.
These are just a few of the proposals being suggested by the community that are being tested, and we’ll keep you up to date as more become available!
To sum it all up, 2020 looks to be a year where consumers take back control over their data, and big business and government stand ready to help them by providing relevant legislation. We look forward to seeing how the legislation keeps up with how quickly the technology is evolving!