The complexity of issues surrounding data ethics and advertising were front and center at the ARF’s first Town Hall on the topic, held on April 26. With probing questions such as “Who owns your data?,” “How will GDPR affect U.S. practices?,” and “What are the merits of new laws vs. self-regulation?,” the session surfaced a range of views and generated healthy discussion.
Presentations and panels during the afternoon addressed:
- How the industry might incorporate the voice of the consumer in thinking about standards
- What does the industry do to improve and maintain its self-regulation
- The impact that GDPR may have on U.S. advertising industry data practices
- What should be considered as the ad industry tackles updating data standards
The ARF’s meta analysis of examined data policies across advertising trade associations, research companies, social media, technology/ad tech companies, as well as GDPR. The review found that:
- Associations tend to have policies based on similar principles. While strong, they are generally traditional and do not deal with the growth of technology in the advertising sector.
- Research companies tend to focus on protecting survey respondent PII. However some of the policies are a bit old and fail to recognize methods like pop up surveys.
- Social media companies offered transparency in their policies. However, some policies are long and complex, raising the question of whether consumers read and understand them.
- Ad tech companies also demonstrate wide variation in their policies, based on the different business models they may have.
- The current basis for many social and ad tech policies are principles established originally by the Digital Advertising Alliance in 2009 but updated and extended to mobile in 2011 and cross device in 2015. While many of the principles are still valid, they do not reflect some of the features of ad tech in 2018. Therefore they represent a natural starting point for enhancing today’s policies.
GDPR assumes that data protection is a “human right.” In contrast, in the U.S. decisions are more sector specific and often result from outcries when crises occur vs. an overall view of who should own data.
—Ben Hoxie, Director of Product Management at mParticle
Highlights from other presentations and discussion included:
- According to Allie Bohm, Policy Counsel at the non-profit Public Knowledge, consumers are overwhelmed by the complexity of most data policies and, as a result, agree to them without reading or understanding them. She encouraged companies to take three steps to address this: provide meaningful notice and consent (i.e., have simpler, more understandable privacy policies); employ robust security safeguards; and offer meaningful redress. To provide redress Public Knowledge advocates removing forced arbitration clauses from companies’ privacy policies which would prevent class action suits.
- The panel discussion – which included Rick Bruner, ICOM’s Vice Chair, USA; Rolfe Swinton, Director, Data Assets, at GFK; and Tania Yuki, Shareablee’s Founder & CEO – regarding the role of the consumer elicited a range of views regarding how to encourage and enforce data ethics: some panelists and presenters believe that self-regulation is the best route; others believe that some legal instrument is needed to root out bad actors or for consumers to actually own their data. Currently, a terms of service agreement is like a contract where both parties may own the data. Any law needs to recognize the difference in practices that may result in major societal issues such as elections and consumers’ health and credit records vs. those that affect advertising, which tend to have far narrower repercussions.
- Regarding the impact of GDPR in the United States, Ben Hoxie, Director of Product Management at mParticle, noted a key difference in the Europeans’ philosophy about data: the GDPR assumes that data protection is a “human right.” In contrast, in the U.S. decisions are more sector specific and often result from outcries when crises occur vs. an overall view of who should own data. He added that GDPR is a general law, affecting all companies that touch data. ePrivacy regulations, on the other hand, will have more direct application to the advertising and marketing industries. Later discussions by the panel generated comments that indicated that GDPR may affect U.S. laws, but similar laws are not likely to be enacted in the U.S. any time soon.
Both ARF members and non-members were encouraged to voice their input in person or via livestream, regarding the following issues and more:
- What ethical standards should apply to “secondary data?”
- What are consumers’ rights about approving the uses of their data?
- What responsibilities do researchers have in protecting consumers from harm that may come from misuse of their data?
- Existing guidelines were discussed, as well as POVs from consumer advocacy groups and experts on GDPR.