Alysa Hutnik was on #SimplifyForSuccess, a podcast series presented by Meru Data and hosted by Priya Keshav.
Alysa discussed the upcoming changes and challenges in the ad tech industry. She spoke on several topics, including the Belgian DPA’s recent decision on IAB, first-party data, dark patterns, personalization, and more.
Listen to the entire conversation here:
Thank you to Fesliyan Studios for the background music.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Alysa Hutnik was on #SimplifyForSuccess, a podcast series presented by Meru Data and hosted by Priya Keshav.
Alysa discussed the upcoming changes and challenges in the ad tech industry. She spoke on several topics, including the Belgian DPA’s recent decision on IAB, first-party data, dark patterns, personalization, and more.
Listen to the entire conversation here:
Thank you to Fesliyan Studios for the background music.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Priya Keshav:
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid paced work environment. We've invited a few colleagues in data and information governance space to share their strategies and approaches for simplification.
Today, we'll be talking to Alysa Hutnik. Alysa is a partner at Kelley, Drye and Warren in Washington DC. Alysa focuses on privacy, data security and advertising law, including unfair and deceptive practices, electronic and mobile commerce and data sharing. Alysa is a past chair of ABA’s Privacy & Information Security committee. She was also the editor in chief of ABA’s Data Security Handbook, a practical guide for data security for legal practitioners.
Today, we are going to talk about ad tech and the impact of privacy on ad tech. Ad tech is on top of the mind for many of us in the field of privacy and we plan to cover a broad range of topics.
Hi Alysa, welcome to the show.
Alysa Hutnik:
Thank you for having me, glad to be here.
Priya Keshav:
Of course, we can't talk about ad tech without discussing the recent ruling of the Belgian DPA against IAB. So, we just saw IAB Europe decision where IAB was ordered to appoint a data protection officer, given a two-month deadline to get its tech into compliance. Maybe it's a good place to start to talk a little bit about and provide some context into why that is happening, and also go a little bit more into real time bidding, but do you want to talk about the IAB decision?
Alysa Hutnik:
It's a concerning decision that has a lot of companies on edge, because while we know that with GDPR and a lot of just the direction of enforcement on ad tech in Europe has been pretty intense, this decision is an inflection point on what is the future of digital advertising for companies in Europe. Will they be able to engage in digital advertising? What will it look like? And to your question, it really comes down to that programmatic real time bidding advertising, where to go into the bid stream, you have so many other parties, right? That's the whole point of having those auctions to get the right price at the right place.
And if CFE was the efficient way to make that happen and still at least intent with the intent was that it would satisfy GDPR requirements and so now the feedback is that's not enough. There's too many can't do rely on legitimate interest, and there's too many companies for that truly to be an informed consent. So, it's yes IAB Europe is appealing it, I'm very interested they're having a town hall, so I'm curious to hear what some of the future plans are. There's the appeal path, but then there's also if the appeal doesn't work, what does that future Plan B look like?
To both respond to the decision and have a framework that would comply in Europe for digital advertising, so there's a lot more that's not known right now, which as a privacy lawyer, I think we're starting to get very comfortable with being uncomfortable all the time because there are not a lot of clear answers. And it does mean making a lot of risk-based assessments and then having some grounding in the back that from a very practical lens I don't think digital advertising is going to be outlawed in Europe. But it is going to look different, and I think we're still trying to figure out what that means and what changes need to happen.
Priya Keshav:
So if you're an average consumer, or even if you are a company trying to kind of understand and unravel all of this, so how do you even explain the process, the data flows that happen when it comes to digital advertising? It is very complicated. So how do you even explain that? But before you explain, you have to understand. So how do you understand it so that you're able to explain it to an average consumer?
Alysa Hutnik:
We're all super busy. When you go to search for something online, for example, I don't have a lot of time with what I'm looking for and the evolution of digital advertising has been to personalize both my searches and personalize the ads they see and the results and that whole experience to make that journey a bit more efficient for me, but also maybe expose me to options from companies I may never have thought of, right? Not the top three brands, but maybe some of the small businesses that otherwise I would not know. And in fact, it's exactly what I wanted and the way that I was able to shortcut that journey of finding just the right thing that I was interested in comes back down to the data that you used for my search patterns and what I'm looking at and my traveling across the Internet or apps on TV, right? Multiple devices to get to that ultimate purchase point. And that's a lot of data.
And early on, I think there is just a cultural adjustment that if it's not your name, right. If it's not specifically your name, but it's an identifier, it's a cookie that's collecting some of your Internet searches that's not personal information, and I think just what is personal information? It's taken and it continues to take I think a lot of companies to open their eyes and say yes, the privacy laws treat that as personal information, even if it's not a name you really have to look at. What is the data that we are collecting to create inferences, create a profile to create action right? To motivate a certain event, and if that's tied to an IP address that's tied to a household, it's tied to a person or device that the privacy laws treat that as personal information. Even if it means in your role in the supply chain of digital advertising that you may not be able to do everything that privacy law wants you to do, because your role is just at this point, and that's OK, but it doesn't mean that privacy law doesn't apply, and so that's some of the tug and pull that I think I still face in a lot of the conversations that I have with companies. I would say it's a hashed identifier, it's not personal information. So, I don't have a responsibility in that, and that's an old way of looking at it.
Priya Keshav:
No, I agree, and I think you said it aptly right. Like you basically said there are some things that we've all sort of accepted as personal information-your name, email address. Yes, I agree that it's personal information, but this is a 14-digit hash code. How does it relate to me? No it doesn't, but it does because of the fact that it can track previous behavior and behavior to a computer, possibly know a lot more about me than maybe I know myself, right? So that's an interesting point, right? And I do believe we haven't still fully accepted it. It's probably gaining some acceptance, but if you look at a lot of the decisions recently and a lot of back and forth, I think, we haven't still fully accepted that as personal information yet. Do you agree?
Alysa Hutnik:
Fully agree. I mean I was not exaggerating when I said of everyday when I am talking with clients or I'm talking to opposing counsel and we're negotiating contract terms, we're arguing over the fact that an identifier in whatever use case is personal information versus non personal information. That's a key point.
Priya Keshav:
When we talk about ad tech, there are so many things it's impossible to even come up with what would be the appropriate next thing to talk about, but CPRA sort of expects us to disclose as well as in less than 12 months a consumer will have the right to opt out of cross context behavioral advertising. What does that mean-cross context, behavioral advertising? And what would it take for somebody to truly opt someone out of cross context behavioral advertising, do you think?
Alysa Hutnik:
Well, I might even take a step back because part of this journey, in the US at least, has been with CCPA and Adtech and the way that California law had defined sale and the way that the California Attorney General's office has also interpreted the scope of that term, that many ad tech scenarios that involved interest-based advertising, particularly with real time bidding, where it's going to come into contact with multiple parties who are not strictly your service provider the way that the law defined it, that was a sale and that term “sales” is such as stigma that many companies at first did not want to use. They came up with every which way, not to say that they sold. But then you started to see and part of this was in response to the Attorney General's enforcement that in this context it's a sale, and in fact a lot of companies disclosed it and many consumers did not bat an eye, as transparency, but it did not change behavior. We didn't see huge opt out rates as a result.
So, fast forward to that interpretation of sale to quite some time, and so you have CPRA, which was a ballot initiative, right? The language got drafted before it was really clear how the AG's office was going to enforce, and now it has this new term “share with cross contextual behavioral advertising” that is intended to be at tech and the requirement that a business offers consumers the right to opt out of that, and that essentially means when they are engaged in any kind of profiling that's not strictly within that one company. First party site, so once you go outside of that first party common branding company, that and we are personalizing the advertising that they see across the Internet or other devices that that's going to trigger this obligation, which just means you need to offer them the opportunity to opt out.
And I think, part of the struggle and we're still trying to figure out is do you attempt to harmonize that for operational ease with how Virginia and Colorado have interpreted interest-based advertising where there are some nuances, there's some distinct differences with those definitions, and yet companies cannot have 21 flavors of opt outs. The real estate gets really cramped on the website, so I think that’s one of the big questions up in the air is whether you go, you take the strictest interpretation, or you have some California approach and in everything else approach in the US. And I think the jury is still out really on where the masses are going to go on that.
Priya Keshav:
So I'm going to backtrack a little bit on the sale, I almost gave up trying to kind of even talk about it, right? Because everybody’s interpretation on what constitutes as sale was so different, and unless it was monetary somehow, mentally we could not kind of, conceptualize the idea that you're selling personal information, and even now I think that's been tough. I know that the AG's office has brought some enforcements and there have been some changes that you see. Maybe you want to talk a little bit about how the sale definition has changed. At least the points of contention because it's been an area that seems to have so many different interpretations and so many different points of views.
Alysa Hutnik:
Or so, so one I will say I handled some of the AG investigations on this issue so I had some first party experience with how that office was looking at the issue and it comes down to you, the business, right? The company whose relationships they have and the way that the Attorney General's office would look at it is well, who are your service providers the way that that is construed under CCPA and the regulations on service provider in particular were really narrow about how personal information can be combined with respect to creating profiles. So that it was so narrow and the guidance in the final statement of reasons, that's legal terminology for just more contexts around the AG's view was that at least for analytics or targeted advertising when you are sharing that through our TV the real time bidding in the bitstream.
That's a lot of participants that you cannot beat. By definition you cannot. They can't all be your service providers. And so the intention there was, if that's not a sale, then you're essentially not giving consumers the choice and they would look to, well, you have this industry optional right? A self-regulatory opt out that businesses offer so, so we are in fact offering a choice and the AG's view as first of all, that's just an opt out of interest-based advertising by those companies that choose to participate. Some of those don't even work, and by the way, it's not geared to be an opt out of sale.
And as the AG's office were enforcing CPE, which means you as the business need to offer the option to opt out of sale and. They pushed in a lot of these investigations looking at the actual contract terms for all of the partners that there was a connection with on digital advertising, and if it did not walk and talk and look like a true service provider the view is that's a sale by default, so I think it's hard if you've not had one of these investigations firsthand, and certainly no company wants to volunteer and have one of those, and you kind of want to stay with the herd and not be singled out, but it’s really playing against the clock that this is the direction privacy law is going, and if you can get kind of beyond the needs of CCPA, CPRA, Virginia, at the end of the day, it's offering consumers the choice to opt out to not be tracked if they don't want it. And to do that in a way that's pretty user-friendly and effective for the consumer who wants that option.
Priya Keshav:
So let's talk about we are jumping, but just there's so many topics. One of the things that keeps coming up is that oh, third party cookies are going to be problematic, real-time bidding is going to be problematic, sharing of data is going to be problematic, so let's just make sure that we collect more first party data because first party data is going to be less problematic. What are your thoughts around first party data?
Alysa Hutnik:
So I'm going to take those in two different steps. There's certainly a rush to first party data because of some of the industry changes with Apple's transparency framework, with the ultimate deprecation of third-party cookies by Google i.e. how do you get reached. How are you going to get enough? Of an audience. By consumers who were not in an opt in framework legally anyway, and so how do you do that other than having a large amount of first party data? And for those companies that do have a lot of first party data, suddenly that data becomes really valuable to be their own advertising network right within that platform, so there's certainly some changing dynamics, and you see it in a lot of the mergers and acquisition space.
But I think the second point you made on this demonizing of third-party data, that it's a quick shortcut that I think is being used to rally for either more enforcement, new legislation that that is the evil advertising, and I think it's unfair and unfortunate, right? It's probably the heyday of not having necessarily a clean supply chain, and that there were companies who were using data and sharing it in all sorts of different ways that probably was not in consumers best interest, and so there is some demonizing that's probably now that's supported in some cases.
But it's also like if we think about the benefits, if done properly and done in a way that is reflective of privacy laws and consumer preferences, then we're back to my first example of having effective advertising that show consumers things that they actually might want to see, that they never would have seen before in a lot shorter time so that there is still so much value to that, and that's beyond kind of the one platform, the two platforms, the wild guard.
And I think that there is, from a competition standpoint, and from just ultimate like consumer goods standpoint, there's so much value in that. But the bad rep needs to get overcome with good practices, and I think we're starting to see a lot more emphasis on what does a clean supply chain look like within our tech and that means each point in the chain has responsibilities. And I see it now, I see it in the ad tech players that I'm now counseling that are reaching out to me for the first time. They have no in-house counsel, but they understand that for that to survive and actually be effective and successful, they need to be sophisticated in privacy. You cannot stick your head in the sand and it's now not only nice to have, but it's a must-have you have to know what you're dealing with and have the right contract terms and a clean set of practices.
Priya Keshav:
I absolutely agree, and I think there will be a new normal. It's just I think we're seeing a lot of invalidation, but that's just right now it looks like a doomsday scenario for all of tech, but in in some ways I can tell you, it's in the interests of the consumers as much as it's in the interests of the ad tech to be able to do an efficient search. We don't want to be profiled the way we were profiled, where somebody is constantly kind of looking at every step that some consumer is making, either online or even in the house through all of the IoT technologies. So it's probably gone too far, and we need to sort of change so as to not be that invasive right?
Alysa Hutnik:
Right and the transparency that's happening now with the access request. I think it's really interesting when you find out what segments you are put in, how are you viewed by all of the slicing and dicing, and a conversation with somebody recently where they mentioned we have so many different identities. What is your professional identity? What is your identity as a parent? What's your identity as a friend is that those are different kinds of searches, different components of your personality and your interests. And sometimes when all of this is connected, you don't even have the ability to have separation anymore. And there are some issues that come up with that. So I think this will be a really interesting time as there's a whole lot of sunlight put on just the segment practices, and then what consumers are innate those who are interested at least enough, some people are not, to do something about it.
Priya Keshav:
So let's talk a bit about the choices given to consumers, right? We've heard the term dark patterns again and again, and it started off with Europe. And then you saw California AG mentioning it, and then you see it as part of the Colorado Privacy Act and the FTC has also brought this up. And there are obviously claims that also if you have dark patterns then that could be considered deceptive trade practices which might be taking a little too far, because what if I have an annoying pop up? It doesn't mean that have a deceptive trade practice, but again. Let's talk about dark patterns, what it means? What should we watch out for and where do we sort of cross the line between maybe not a very user-friendly environment to deceptive trade practice.
Alysa Hutnik:
So this is going to be really, really interesting because I've practiced consumer protection law for 20 something years now and there is this common standard under deception law on “is something clear and conspicuous”? And you need to have something clear and conspicuous when it's material to qualify the claim, right? So, in the context of privacy, if there is an important statement that needs to be made and we are, we have a disclosure that is attempting to qualify or in the overall presentation of the claim, we want to make sure that there's not a deceptive take-away. You look at the whole context, right? You look at the colors, you look at fonts, font sizes, contrast. And so what I think the big question is, is what's the material claim right now? And what are we qualifying?
We had the example in Europe with that Facebook and Google decision where the choice is right that the cookie choices you had to do more clicks if you wanted the privacy choice. So that was extra steps and then the language and the choices that were presented were not really clear to a consumer about what choice they were making, and so I think that concept, that's a fair concept. But now it does not mean that does it always have to have parity, right? Do you want this more privacy for a choice or do you want the more personalization choice? I don't think it's a dark pattern to talk about the benefits of the more personalization choice, right? So I mean, we're going to have to see how that works. It's a lot of loud rally cry, but I think the details on this are really going to matter, particularly in the US 'cause we've got a lot of cases on what's deceptive. And just calling it a dark pattern is good marketing from a regulator standpoint, but it doesn't mean that it's in fact unlawful.
So, I think where we are seeing some of the more recent case examples are in auto renewals, so in an advertising context or cancellation, making it really difficult to cancel a subscription, recurring billing and you definitely see some more dark patterns there. When I get asked by clients, it's well compare it to what is the user experience if they have to do 17 clicks and it's really like a find the treasure at the end of the map to like cancel. Versus the one Click to sign up to the subscription then that. That really distorted parity is going to be a factor, and I think with privacy, similarly, if it becomes so difficult to find the option to exercise choice or change your choices, then I think we are going to see some more foundation of that is a dark pattern. Where I see somewhere where we're probably going to go with that is privacy preference centers and big companies have those, but those really weren't the norm and I think the question is, can we make an easy, seamless, dedicated space where consumer knows where they can go to access both revisit and exercise their choices.
Priya Keshav:
So we can't talk about ad tech and not talk about Apple. Obviously, they have influenced a lot through many, many decisions from a privacy standpoint, and that's making a huge impact, obviously. Right now, they're talking about encrypting privacy relay that encrypts the information sent from Safari browser to the website, they're talking about mail privacy protection, where it will be impossible for someone to track your IP address to know if you have received or you have read your emails. They're talking about, maybe even allowing you to have a random uniquely generated email so that emails are not used as identifiers, and every time I log into my phone and getting these messages saying see I have protected you from XY&Z and obviously that also means that I have transparency. Now to understand what app is collecting what from me, so it's making an impact on both sides. On consumer side, it's probably creating more awareness, and of course it's probably giving you some choices in terms of more privacy of their technologies or choices and then from the app provider side, it's creating a lot of confusion because it's blocked out quite a bit of targeting so. Thoughts?
Alysa Hutnik:
Yeah, we're in the toddler years of experimentation and we don't know how this story ends and there's antitrust. There's competition issues here 'cause Apple is certainly not applying that same standard to its own collection and using data, particularly for advertising purposes. So there's that, I think from a consumer experience. Things are breaking down, so sometimes that actually has unintended consequences of not being able to log into certain sites, right? Just like not advertising purposes, but just functional. Sometimes what I've heard some feedback it's a lot of just from the privacy tech compliance tools that they're not even able to function because of some of the privacy steps that Apple has taken.
So, the stickiness of a consumer choice privacy made choice with other companies may not hold because of the way that apple is keeping certain information through the kind of the default VPNs, for example, and not being able to just recognize what state somebody is in. So, I think, there are a lot of things that with a little bit more time are very much a topic of discussion and a worthwhile one on this balance between, you hear this phrase, weaponization of privacy. It sounds really good but what the the consequence of some of these steps that may not have been intended, or may not actually be that beneficial for consumers? And I'm curious to hear more media cover just some of those points because at the end of the day, competition and privacy are two sides of the same coin and it's a balancing act and right now we've been really slow on modernizing legislation and so it's allowed one side to make a whole lot of decisions that certainly have impacts on the privacy side and the competition side. What we don't know is there will be change and how does this change all get reconciled when you have some of the big companies doing this type of self preferencing.
Priya Keshav:
Any other closing thoughts? Or comments?
Alysa Hutnik:
There's so much to talk about, so this is like a great, little snapshot of a conversation, and I bet if we were to talk a week or two weeks from now, there would be half a dozen headlines that have already upended whatever it was we talked about in this podcast. I think you can't chase after every headline or think that the sky is falling right. The TCF decision is a big one, but there's a lot of stuff still happening and I'm an optimist and there will be advertising, there will be good advertising. It's going to look a little bit different in the future than it does today, and so it just means being really plugged in and being able to be flexible and have really good privacy counsel to help, enable your strategies.
Priya Keshav:
No, I agree. I was almost thinking that we should have these chats every week because there's so many topics. There are a lot of topics. So, so it's almost like you can keep doing this again and again and again, and we'll never run out of topics to talk about. And it's fascinating to watch so much change. I think like you said and some things are good in a sense. I am an optimist who I truly believe that we'll probably reach that balance where it's not too intrusive, but we have the right amount of advertising and personalization. Because one thing that is true is it's not like consumers don't want personalization. We don't have time. You mentioned this. None of us have time and we want to be able to get to what we need to quickly, but we just don't want it to become creepy. That’s the difference I think.
Alysa Hutnik:
Yeah, and it's I don't think we’ll ultimately, will have a legal definition for “creepy”, but that ultimately is the standard. We're always trying to reconcile, right? The law might not say don't do this, but should you do that in this space where we really do have access to a whole lot of data that can be really powerful. And judgment goes really long way here.
Priya Keshav:
But it was really good to talk to you. Thank you so much.
Alysa Hutnik:
My pleasure, thanks for having me.