“Industry experts” is a new category I’m introducing from, well – today. I’m gonna speak with, guess who, industry experts. Jokes aside, the goal is to spark the conversation about hot topics in marketing, ad tech, data analytics, or tech in general. You see, tech and marketing go together nowadays.
Not a long time ago you had storytelling, today you have data-driven storytelling. I hope you get me as Facebook and Google get you (pun intended).
My first guest is data privacy expert Duje Kozomara. The format is simple. I am asking the questions and Duje is answering. So, let’s cut the bullshit and begin the first one – “The future of Digital Advertising is Private”… or is it?
First things first, who is Duje Kozomara?
That one calls for a wide answer, but I’m fairly sure we’ve gathered here to talk about the GDPR and privacy – so I’ll try to skip the part where I babble about music, video games, the amazing city of Split, and all the other things that shaped me as a person.
I’m a young guy (not if you ask my mother) who was always pretty passionate about technology and its development. At the same time, during my law studies, I realized the importance of protecting privacy as a fundamental human right. The problem is, in recent years, these two areas have been in intense conflict, so my focus is on exploring the possible solutions: how can technology move forward and enrich our daily lives without unjustifiably invading our privacy.
In terms of everyday work: As a founder of Consent, I help organizations in solving GDPR headaches and guide them through building a culture of privacy. I’m also a co-founder of Politiscope, the first Croatian privacy watchdog NGO, focused on digital rights.
Okay, let’s get to the point – people like me usually run away when you mention the magic 4-letter acronym “GDPR”. But should we really fear it or take it as an advantage?
I guess you should be quite afraid if you’re, let’s say, the CEO of a company that earns billions by unlawfully exploiting people’s personal data. Hi Mark!
On the serious side, I always try to explain to my clients that GDPR doesn’t need to be a source of fear and they shouldn’t try to be compliant just to avoid large fines – the real reason why an organization needs to care about data protection is to increase the trust of clients and employees, as well as to enhance the reputation of the business entity.
At the same time, it seems like a pretty good idea to try reducing the risks of a data breach – while some studies also show that over 70 percent of organizations claim they receive significant business benefits from privacy, such as operational efficiency, agility, and innovation.
From the digital advertising perspective, I’m convinced that today’s ad tech model isn’t sustainable in the long term and we’ll all gain benefits from its improvement.
The real-time bidding system currently used for online behavioral advertising means that each day, thousands of companies illegally receive our data from a bid request – which includes up to 595 different data types:
- ID codes that can identify a specific person,
- their gender,
- a device they’re using,
- IP address,
- and even the exact GPS coordinates.
There is no technical way to limit the way that data is used after it’s received by a vendor.
The most interesting thing – studies have shown that having hundreds of additional data points to use for targeting ads doesn’t actually deliver a measurable increase in business outcomes. With problems like supply chain costs, data quality issues, ad fraud, and viewability issues – it seems that dollars spent in programmatic ad tech channels often yield negative ROI.
There are already numerous positive stories of companies that have decided to completely ditch tracking of their users for digital advertising – which actually resulted in an increase in their revenue.
Dutch public broadcaster NPO got rid of advertising cookies altogether and opted for contextual advertising. In January and February 2020, its digital ad revenue was up 62 percent and 79 percent, respectively, compared to the year before.
Even after the coronavirus pandemic jolted the global economy and caused brands to drastically scale back advertising—NPO’s revenue was still double-digit percentage points higher than last year.
Privacy by design browser Brave, which boasts specific opt-in, privacy-preserving ads, has published use cases that show up to a 15.8% click-through rate and impressive engagement. The future of digital advertising includes respecting citizens’ privacy – and that’s a fact.
The almighty cookiepocalypse is ready to hit the fan. Your thoughts?
I guess it’s not 100% ready just yet, since Google has for some reason decided to delay the third-party cookies phase-out on Chrome until 2023.
But the fact is – all the other important browsers are already blocking them and Google won’t be able to delay it forever, so we’re definitely saying bye-bye to those pesky little third-party bastards – that aren’t even close to as sweet as their name suggests.
I definitely see the “cookiepocalypse” as one of the numerous positive privacy-friendly trends that have been happening lately. Most of the people browsing the web still aren’t aware at all that almost every website that we visit shares the data about using it with numerous third parties.
That phenomenon can be genuinely problematic: for example, if we visit sites related to mental illnesses, cookies share that information with big-tech companies – whose algorithms make conclusions about who we are based on that fact. Do we really want to have that kind of personal data shared around with hundreds of companies just so they can be able to serve us an ad at some point?
Thanks to third-party cookies, a simple visit to a website can also reveal our sexual orientation, political views, religious views – all kinds of sensitive personal data that might actually cause an individual to be discriminated against – or worse.
Now, here’s a small teaser for your readers: Consent and SplitX will soon present a tool that should help Croatian organizations in making their websites GDPR and ePrivacy compliant while offering visitors a genuine choice to give valid consent to any kind of tracking only if they wish to.
It will be the first software of that kind made completely in the Croatian language, with Croatian customer support, coming along with a couple of options that web developers will definitely appreciate as well.
However, are there any other, more nefarious, and dangerous tracking methods out there?
Yep, lovely ad tech companies have already found “workarounds” to continue uniquely identifying users, even without using any cookies.
Fingerprinting is the most commonly used method that can be used to identify individual devices or users and track them across multiple websites. As the name implies, a “fingerprint” of the system is created, which serves as a unique identifier – it gathers variables like:
- the browser name and version,
- screen resolution,
- list of fonts and plugins,
- IP address,
- and location.
It’s more invasive than ordinary cookie-based tracking and also more complicated to block.
Regarding Google and their third-party cookies removal, that Latin phrase seems convenient: “I fear the Danaans, even when they are bringing gifts”.
Google obviously being the Danaan guys in this story: to replace the third-party cookies, they started testing so-called Federated Learning of Cohorts (FLoC) technology, which has the potential to be quite harmful to privacy as well.
“iOS 14.5 destroyed my FB Ads campaign” – every goddamn PPC specialist in 2021. Did you follow the story, what are your thoughts?
The App Tracking Transparency feature simply shows that, when given the choice, users don’t really like to be tracked across the internet – a report showed that just 12% of global iOS users and 4% of US ones have allowed app tracking since the update went live.
The problem of third-party tracking in apps is already well documented. Here’s a disturbing example: research by Privacy International has discovered that out of the 36 menstruation apps that were tested, 61% automatically transferred data to Facebook the moment a user opens the app.
This happened whether the user has a Facebook account or not and whether they were logged into Facebook or not. Some of those apps routinely send Facebook incredibly detailed and sometimes sensitive personal data: how they feel, when they had sex, do they use contraception, health data, duration of a menstruation cycle, etc.
Apple has been a pioneer in many fields and I’m convinced implementing privacy by design and by default (a GDPR principle for developing a product or a service) is steadily becoming a trend others will follow as well.
GDPR is not only about digital advertising, even though we mostly read about it online in a digital advertising context. What are the other popular GDPR use-cases?
Definitely, GDPR is all about protecting personal data and giving control of it back to the citizens – which doesn’t have to be related to digital advertising at all.
For example, the highest GDPR fine in Croatia was issued to a bank that refused to provide more than 2500 customers with copies of their credit documentation – a violation of a basic GDPR right to access your own data.
There’s also a pretty famous Croatian case related to video surveillance: last year, when the outbreak of COVID-19 had just started, a gentleman walked into a store and obviously thought that disinfectant gel is actually mass water – so the poor guy crossed himself at the entrance. The security guard who had access to the video surveillance recording was so delighted that he recorded it with his mobile phone, sent it to friends, and in a second it went viral all over the internet. The case ended up with the employer of the guard receiving a 70,000 euro fine: the purpose of video surveillance data collection is obviously not ridiculing people who cross themselves with disinfectant.
In Hamburg, H&M received the second-largest fine ever for comprehensively processing private life circumstances of some of the employees: information on the symptoms of illness and diagnoses of the employees, family problems, religious beliefs, etc. All that data was stored on the network drive, accessible to up to 50 managers of the company, and was used, among other things, to evaluate the work performance of the employees and to make employment decisions.
These are just a couple of examples of practices that GDPR was written and adopted to prevent. Anyone collecting and processing our data needs to do it lawfully, fairly, and transparently, using appropriate technical and organizational measures.
I had to ask you. What’s the biggest GDPR-related fine issued so far?
Google received the biggest one so far, but it’s actually kinda tiny compared to their revenues: 50 million euro. The fine is related to creating a Google account during the configuration of a mobile phone using the Android operating system. The French data protection authority has decided there’s a lack of transparency, insufficient information regarding data processing, and a lack of legal basis.
It’s fairly obvious that won’t be the only one for Google, since numerous cases related to their GDPR violations are still ongoing. At the same time, the Irish data protection authority has received criticism for basically refusing to finish the cases concerning complaints against Facebook – it’s assumed political reasons are behind it. It’s not hard to guess that the Irish government likes all those technical giants paying taxes in their country.
Wall Street Journal has recently reported that Amazon might soon be the new winner in this field – they claim that the online retailer could be fined more than 350 million euros over the way it collects personal data and uses it for marketing purposes.
For the Croatian readers, you can also check my Consent blog post: Five largest GDPR fines so far
Let’s sum it up! It’s time for shoutouts and callouts – who do you love, who do you hate. Don’t be shy.
When beginning the journey of restoring digital privacy, some people get overwhelmed – it seems like too much work. It’s important to understand that you don’t need to do everything right away: with each step in the process, you get more security and control over your personal data, which is a small victory.
Most of the popular services made by big-tech companies that unlawfully grab and exploit our personal data have valid alternatives that actually put our privacy in the first place.
This would be my privacy starter pack:
Other than services and apps, I definitely have to throw a shoutout to Mr. Max Schrems and NOYB, who are doing an amazing job in the fight for restoring our privacy and the actual enforcement of the GDPR.
Oh yeah, read Shoshana Zuboff’s The Age of Surveillance Capitalism, if you haven’t. It’s an eye-opener.