Long Read - The advertising industry cautious and confused by looming data and privacy laws

Jason Pollock
By Jason Pollock | 20 June 2024
Photo by Alina Grubnyak on Unsplash.

The advertising industry may have collectively exhaled a sigh of relief on the news that Google was pushing back third-party cookie depreciation to 2025 but many are holding their breaths in anticipation of the draft bill for Privacy Act amendments due in August

While the exact form of the changes remains unknown, it is likely to address the issues of transparency, consent and definitions of personal information as well as a focus on enhancing privacy and consumer protection, particularly in digital advertising. 

This could involve stricter guidelines for both first-party and third-party data collection, mandating explicit consent from users to use that data for advertising and marketing.

The recently released eighth interim report from the ACCC Digital Platforms Inquiry highlighted that “consumers are not aware that a range of data firms collect their data from a variety of sources”.

Or that the privacy policies and collection notices include vague terms as to who those data partners are.   

The IAB’s recent Data State of the Nation report found that 94% of the advertising decision makers/influencers surveyed rated the usage of data as critical or very important for commercial success in digital advertising. 

Henry Innis, the founder of marketing investment analytics company Mutinex, said the government is in principle regulating against data being used in ways consumers would not reasonably expect and he expects the focus to be around that. 

“I don't think Australians reasonably expect their data to be traded around to improve ad outcomes, but it is,” he said.

“First party data will become an explicit use case I imagine, and I can see how they will flat-out stop third party data being traded around like oil, which it isn't - it's people's personal information."

InfoSum’s GM for ANZ, Richard Knott, expects to see significantly enhanced consent requirements that are voluntary, informed, specific and unambiguous. 

“Transparency (or the current lack of it in terms of ambiguous language used in privacy policies) will be a key focus and presumed consent will be a thing of the past. Instead, what is ‘fair and reasonable’ will be the key test; underscoring the importance of transparency, justification, and accountability,” he told AdNews.

“It’s also expected that the definition of ‘personal information’ and ‘de-identified data’ will be significantly broadened to include a much larger scope of data.”

IAB’s director of policy and regulatory affairs, Sarah Waladan, said changes are expected to be broadly in-line with the proposals outlined in the government’s Privacy Act Review Report released in February 2023.

“This will include an updated definition of Personal Information; an overarching requirement that collections, uses and disclosures of Personal Information be ‘fair and reasonable’, regardless of consent; and new requirements applying to ‘targeting’ – an activity that hasn’t previously been regulated,” she said.

“It will also include stricter rules on ‘trading’ of personal information and stricter rules on the collection of personal information from a third party; for example - where companies do not collect information directly from an individual, they will then have to take reasonable steps to ensure that the information was originally lawfully collected.”

Industry body ADMA (Association for Data-driven Marketing and Advertising) says privacy reform is most likely going to mark a shift to greater accountability for marketers and that collection notices and privacy policies be clear, up-to-date, concise and understandable.

“Transparency alone won’t be enough and therefore the Reforms will also address businesses obtaining more meaningful consent where required especially when sensitive information may be concerned,” said ADMA director of regulatory and advocacy Sarla Fernando.

“The introduction of the fair and reasonable test will also have an impact when it comes to businesses sharing third party data. Under the proposals ‘the circumstance of any third-party collection (including the relationship between the individual and the original collecting entity)’ would be relevant in determining what ‘reasonably identifiable’ information is.

“Additionally, the definition of personal information will likely expand to include de-identified data, acknowledging that this data is more fluid in that it can be re-identified. This may impact how marketers share data in clean rooms."

How prepared are advertisers?

IAB’s Data State of the Nation report found that on a scale from 1 to 10 (where 1 means no understanding at all, and 10 means an expert level of understanding), half (51%) gave themselves a score of 6 or more for their understanding of the impending Online Privacy Code and Privacy Act Review in Australia.

Eight out of ten (79%) are at least somewhat confident that they will have the capabilities to competently leverage contextual targeting opportunities over the next year, while three quarters (74%) are also at least somewhat confident in having direct customer relationships to tackle data related opportunities and challenges.  

IAB said there are things companies should be doing to ensure they meet best practice standards on privacy and to prepare for the coming changes.

“This includes understanding the data that their organisation holds and existing practices in relation to that data; working with their legal teams to identify and minimise any potential risks; and in particular, any areas or practices that may give rise to risk under the proposed new ‘fair and reasonable’ test; and ensuring that privacy policies and notices are clear, up-to-date, and accurately reflect the organisation’s use of data,” said IAB’s Waladan.

Knott said that if companies haven’t already done so, there’s five key steps they should be doing in preparation for the Privacy Act changes.

“Run an internal privacy audit around the data you are currently harvesting; map out where all your data is currently located, including internal locations, external locations, tech vendors, geographies, etc; determine who can access your data and what they can do with it; review your tech and data stack with a Privacy-by-Design lens; and think about how you can explain all of this in a way that consumers will understand,” he told AdNews

Fernando said the new definitions and notice requirements will require some preparatory work, which means conducting thorough data audits to map out what data they hold and how it’s used, updating privacy notices to be clear and comprehensive and working with legal and technical experts to understand the new definitions and requirements. 

“This proactive approach is essential to avoid being caught off guard. Marketers don't need to be lawyers or tech-experts, but they need to feed the right information and expectations in to ensure compliance and the right technical solutions,” she said.

Innis said that most companies have complex ecosystems built around privacy-breaking tracking protocols and the uncomfortable truth is most of the digital ad operations - be it customer data platforms, targeting or measurement - rely on the ability to trade data around an individual. 

“Companies are woefully exposed to this as it breaks them down at a decision level. This is challenging. Most of them will need to focus far less on tracking individuals, and far more on organising their business data,” he said.

“I suspect most companies over the next 12 months will need to focus more on tracking what their business does week to week to model it, versus trying to know everything about their consumers week to week.”

A study by digital advisory group Arktic Fox recently found that only 38% of those surveyed believe their executive group understands the importance of adapting to privacy changes.

Eyeota, a Dun & Bradstreet company, said one crucial step is to prioritise the cultivation of first-party data. 

“By fostering direct relationships with consumers and obtaining explicit consent, brands can build a robust foundation of first-party data that will be instrumental in maintaining targeted advertising capabilities through smart data use and enrichment,” said Eyeota's head of APAC Trent Lloyd.

Lloyd said that collaboration between brands and agencies, with the help of their data partners, becomes pivotal in this transitional phase. 

“Agencies should work closely with their brand partners to explore and implement alternative tracking and targeting methods, along with data enrichment,” he said. 

“This collaboration extends to clean rooms and data platforms, where brands can blend first-party with alternative IDs, and layer on rich consumer attributes and insights to drive reach, expand scale and improve addressability of their marketing. 

“Additionally, investment in contextual advertising, which focuses on the content and context of a webpage rather than individual user behavior, can offer a privacy-compliant alternative for targeting relevant audiences. 

First party data strategies and future-proofed approaches

IAB’s Data State of the Nation report found that Market Mix Modelling (MMM) and contextual targeting are the two most adopted tools already implemented to manage the changes from signal loss and impending new privacy legislation. 

Of those tools being explored or tested to manage the changes, new forms of attribution measurement, data clean rooms and AI/machine learning/modelling emerged as the most common, according to the report.

Mutinex’ Innis said that targeting and measurement are the two key areas he sees advertisers and marketers utilising to combat signal loss.

“I suspect targeting will go back to contextual targeting (eerily similar to magazines in 2000s). For measurement, to me it's obvious Multi-Touch Attribution (MTA) was a broken, barely functioning mess that didn't reflect how marketing grew brands anyway. Signal loss just makes that more obvious,” he told AdNews.

“I expect more uptake of MMM, but I think the focus will be on MMMs that are more granular, fast and reliable predictively with easy-to-use data stacks. It's the only way companies can scale an alternative measurement solution fast enough to plug the gap left by the loss of MTA's data.”

Eyeota’s Lloyd said that he predicts AI and machine learning will play a significant role in data optimisation and audience segmentation as the technologies are increasingly relevant and more robust than ever when it comes to their capacity to extend the value of privacy-safe data in meaningful ways across channels.

“AI can enable predictive audiences based on first-party data, as well as more efficient campaign planning and optimisation, while AI and machine learning can help marketers improve their data collection and analysis processes while providing deeper insights into audience behaviour and interests,” he said.

“The integration of AI in data processing and analysis facilitates real-time adjustments and optimisations. AI-powered systems can continuously monitor audience interactions, campaign performance, and market dynamics, enabling marketers to make data-driven decisions on the fly.”

IAB’s tech lead Jonas Jaanimagi said that there are three main approaches that will remain fully future proofed moving forwards, but each business will need to ascertain how much effort, investment and resources to dedicate to each depending upon their commercial and product strategies, access to first party data and technical competency.

“The first is ID-enabled responsible addressability – activation, targeting and measurement managed via robust and persistent ID solutions to enable identifying consensual users across multiple devices and platforms,” he said.

“This allows advertisers to track user behaviour and preferences over time and deliver relevant targeted advertising. Importantly these persistent IDs are built from consented, anonymised and encrypted PII data and will adhere to any forthcoming regulatory changes if implemented and managed competently.

He said that contextual and seller-defined audiences – leveraging contextual targeting to target, based upon the content consumers have been consuming – will also remain future-proof.

“Thirdly, on-device facilitated personas are a wide range of ever-evolving APIs from the major tech players that are striving to enable the mechanics of digital marketing in a privacy-preserving manner by leveraging the capabilities of browsers and mobile devices as secure environments for consumers, whilst also acting as facilitators of cohort-based marketing solutions,” said Jaanimagi.

“Rather than having demand-side platforms creating targeting attributes through the collection of data via identifiers (such as third-party cookies) - user data will instead remain on-device and be anonymised, aggregated and synced to ad tech vendors via APIs.”

Examples of these on-device facilitated personas include Microsoft’s Ad Selection API for Edge, Apple's SKAdNetwork and Private Click Measurement for iOS and Google’s various Privacy Sandbox APIs such as Topics, Protected Audience and Attribution Reporting.

ADMA’s Fernando said that advertisers and marketers need to pivot to robust first party data strategies, focusing on direct consumer interactions and more transparent data collection. 

“In order to allow a business to have a responsible data strategy that balances privacy protection and the ability to use data in growth strategies - the marketers need to feed into the compliance and tech strategies. If they don't, a business will be at risk of either a data breach and/or holding data that can not be used in the way it was intended to be,” she said. 

“Collaborating with external technology partners to innovate privacy-first targeting and measurement methods will be essential, but they need to be the right tech partners.”

Knott echoed those sentiments, saying that as the value of first-party data becomes key, advertisers and marketers should invest in strategies to maximise its potential, building direct relationships with consumers and collecting first-party data through opt-in mechanisms to reduce their reliance on third-party cookies and gain greater control over their data assets. 

“Advertisers must prioritise a value exchange with the consumer, collecting only the relevant and actionable data points they need. Options will include implementing customer data platforms, investing in a secure data clean room, leveraging advanced analytics to derive insights from aggregated datasets, and utilising identity solutions like Google PAIR & UID,” he said.

IAB’s Data State of the Nation report found that 87% are at least somewhat confident in being prepared to target audiences at scale without third party cookies and identifiers by the end of 2024 and 75% are at least somewhat confident in being prepared to continue to measure and assess advertising without third party cookies and identifiers by the end of 2024. 

Consumers prefer privacy over personalisation 

With a number of high-profile data breaches in the recent collective memory of the country – Optus and Medibank most notable among them - 75% of Australians have said they would prefer data privacy over a personalised experience.

Honeycomb Strategy’s third wave of its national consumer study on data privacy and brand integrity showed that 72% of respondents said they felt a company using their data for an undisclosed purpose was a ‘clear misuse’ of their information, while another 34% said they felt using their data to send them personalised offers was ‘improper’.

Nearly half of Australians (46%) said they distrust brands that are known to sell customer data to third parties, while 44% said they don’t trust companies that have had data leaks or security incidents. A lack of transparency in the handling of customer data is also a cause for concern for many Ausatralians (41%), along with fears about their data being sold (37%).

The ACCC report said that a 2023 OAIC survey saw 3 in 4 Australians who had been involved in a data breach saying they experienced some form of harm as a result.

“The types of harm consumers may experience include financial harm, emotional distress or humiliation, harassment, and a loss of trust in businesses seeking to collect their data in future. They may also face higher risks of being targeted by scams, fraud and identity theft and damage to reputation and relationships,” said the ACCC.

Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at adnews@yaffa.com.au

Sign up to the AdNews newsletter, like us on Facebook or follow us on Twitter for breaking stories and campaigns throughout the day.

comments powered by Disqus