Max Schrems, Johnny Ryan and the necessity of "privacy insurance"
Brian O’Kelley, a legend of the ad tech space, highlighted yet another privacy fail this week. In a blog post on BOKonAds he detailed how he was remarketed with a cancer drug after researching a treatment that was prescribed to a family member.
It was a classic retargeting tactic. How pharma brands are allowed to market dangerous prescription drugs on the open web would baffle any sane person. What annoyed BOK most though was that there was no obvious way to opt out of this process.
Archaic and, in many cases, illegal practices are being regularly called out by senior ad tech figures, journalists and advocates. Apple’s ongoing privacy marketing blitz is also putting data-driven marketing in the spotlight. These are indeed challenging times for an industry in flux.
Johnny Ryan, the uber advocate, continues to “join the dots”
There are some in ad tech who dislike Johnny Ryan’s in-your-face tactics. I am not one of them. Johnny simply wants to protect user rights in the EU.
His latest crusade is as grandiose as ever, claiming that the IAB Tech Lab is responsible for the ‘world’s largest data breach’. He has filed a suit with a German court against the standards body. The thrust of the case focuses on the “illegal” profiling of users using the IAB Tech Lab’s open source taxonomy.
It’s a clever angle to target an industry umbrella group in a privacy-friendly jurisdiction. It effectively ropes in, by association only, all ad tech companies.
The case is fairly speculative, but Johnny has managed to generate lots of negative publicity around current targeting practices. And it serves to heighten existing user paranoia about data use in digital marketing.
This will likely have unintended consequences, such as the growth in data requests. Under GDPR legislation, individuals have the right to request a copy of any of their personal data which is being ‘processed’ (used in any way) by ‘controllers’ (those who decide how and why data is processed).
I am fairly confident in saying that our industry is still not prepared for any of this, and continues to live dangerously.
Oh dear... here comes Max Schrems, looking to automate consent compliance
Max Schrems has declared war on the consent banner. He describes it as “the scourge of the open web”, with most not having a clear “YES” or “NO” option.
Schrems has announced he is building an automated solution to assess if sites are complying with GDPR regulation on opt-ins. He outlines the process here on his noyb.eu site:
“Automated system to produce up to 10.000 complaints. To address this extremely wide-spread issue, noyb has developed a system that automatically discovers different types of violations. The noyb legal team reviews each website, while the system automatically generates a GDPR complaint. Companies are served with an informal draft complaint via email and even get a step-by-step guide (PDF) on how to change software settings to comply with the law. If companies choose not to change their settings within a month, noyb will however file a complaint with the relevant authority, which may issue a fine of up to €20 million.”
I am afraid this may only be the start of this action. I have seen a number of solutions that are also automating GDPR requests on sites operating across Europe. There are plugins for Chrome and Mozilla coming to market that enable anyone in the EU and UK to generate and track GDPR requests for information at the click of a button.
This is potentially a nightmare scenario for any marketer, publisher or ecommerce operation with no workflow mechanism or full-time DPO (Data Privacy Officer).
You have no choice: time to invest in data governance
Data governance seems like the last thing any digital-based business would think about in terms of investment. But in an age of GDPR, CCPA, and an increasingly privacy-literate public, can you really afford not to be ready?
Laws continue to evolve across the world. New legislation is being introduced almost on a weekly basis. Investing in the necessary workflow and personnel is a considerable cost for most companies. But with crippling fines and reputational damage a real possibility for lack of compliance, how can this not be a top priority for industry leaders?
FirstPartyCapital believes that technology can help address these critical business issues. This is why we invested in Wult, a Danish startup that helps digital businesses with compliance and auditing.
I call it “privacy workflow”. The platform provides the perfect auditing process for companies operating in the marketing, media and commerce space.
As Wult continues to roll out more functionality on its platform, Rune and team are seeking to build the necessary data governance infrastructure that enables companies - particularly those in the ad tech and martech space - to work in this new privacy-first age.
So don’t be caught unawares when Max Schrems, Johnny Ryan, the German courts, the Californian courts, government agencies et al call to your door questioning your compliance. Have your data governance in place. Get your “privacy insurance” in order. Trade in confidence; speak to specialists like Wult.