Publishing & /Advertising After 25 May ADPR Day
Publishing & Advertising After 25 May – GDPR Day
Convener: Doc Searls
Notes-taker(s): Scott Mace
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Wendell: IAB has put together a standard so that advertising can work. Another group of publishers represents the supply side of publishers. Jason Kint is one of their louder members, DCN, Digital Content Next, has been very negative about this whole proposal. It falls out on the lines of it will never fly.
Doc: Tell us what supply and demand are.
Wendell: We have this joke around the office. The activists were entirely right. The eyeballs are the product. This has been true ever since newspapers were made. As a publisher you’re creating something you can sell to an advertiser. Ameliorate with subscriptions. You can have a demand side platform. But advertisers want coveted demographics.
Doc: Advertising, if you’re P&G, you wanted to get everyone who reads the New Yorker, but it carried what was called an economic signal. Different discipline called direct marketing (junk mail) wanted to be personal. It wanted to be interactive in the sense the IAB wanted to be interactive. Digital world came along. DM wanted to target people personally. Banner ads died. I don’t want a publisher. I want to target eyeballs. Now it’s all direct marketing. The GDPR comes along. In spirit we want to protect the privacy of these people. It’s still important to have in our minds that there is this distinction between tradiitional brand-time advertising and direct marketing, which is now called advertising. People like me are saying it was wrong on its face to follow people even if you could get good results. The other part of me says maybe there is still room for sponsorship. The reason we have fake news and why it’s easy for Russian bot makers to make money is that this system rewards content. It doesn’t reward journalism. It rewards the maximum production of content. Newark Star-Ledger was advertising not for reporters but for content producers. Mentioned in the New York Times. The rise of ad blocking completely parallels the rise in tracking. It’s all correlation. You can’t prove they are related but the correlation is so high. It’s retargeting. What I’m hoping to see, is there anything you’re doing that’s useful to what we’re doing on our side, Customer Commons, 1.7 billion people blocking ads. That is a massive signal in the marketplace about a dysfunction. LJ has the luxury of being a publication that can figure this out.
Wendell: I read Project VRM. They’ve had this idea to signal consent. The question with those ideas was how to implement them and how to go get everyone to use them. The government of Europe has ordered this thing to happen. The trade groups have assembled a solution, some reference implementation, we at Oath adopted that.
Q: GDPR is about the European view of privacy. Advertising is only one pain point.
Iain Henderson: It’s the EU’s response to Silicon Valley. Competing for the sustainable future. EU isn’t going to win in a world where data is free.
Wendell: EU privacy commissioner at IAPP conference, the purpose of this law is to put these companies out of business. Quoted in quite a number of places. We are a large publisher. Guaranteed selling and audience buying was new and exotic. We were going to serve both sides. Obviously that didnt work out. Now our business focuses on our publishing shop. For the past year I’ve been working on making DM GDPR conformant. We have worked with other companies that exited Europe. Back to Doc’s ideas, I and others saw this as an aligned concept with Doc’s VRM ideas where the consumer could say what they want to have happen with their traffic. There was a proposal through the W3C to extend the DNT work to take this into account. They had a much longer runway but the W3C process is very consensus driven. Industry, browser vendors. Still an opportunity but it didnt happen. So they went with technology we control as publishers. Store consumer responses in a database, cookies, server side in the cloud. I see this is an incarnation of all the VRM ideas. Sense of purpose may not be sliced correctly or expansive enough in scope. Quantcast developed enough functionality without consumer consent fatigue. These consent solutions will have to name all these companies. Part of the art here is how do you solicit consent as a publisher before they consume media, while being compliant. Doc’s magazine outsourced subscription management. Under GDPR, that has to be disclosed.
Arthur Coleman, Acxiom: You’ll see a rush of people to reduce the number of pixels, and the number of people you have to flow consent through, so it’s terrifying the industry.
Iain: What you see now is a very much cut down version of the regulation through lobbying. Privacy regulators meet twice a year. In Jerusalem October 2011 the idea came up to update the regulation. In that first discussion, the idea of the individual as their own data regulator was absolutely there. Worldwide audience, not just European regulators. The next meeting was in Paris March 2012. That concept was gone. My theory, that was lobbied out between October 2011 and March 2012.
Arthur: So what exactly is Oath’s response?
Wendell: I can announce we will be doing two things. We will be reconsenting all users (Yahoo, AOL) into the Oath brand. That is independent of GDPR. Consumer consent goes with the brand. That will happen. It turns out for reasons of calendar, they will be close to GDPR. We will do the consent event for that and we’re going to do something for the rest of the world like GDPR lite. Too hard to figure out where people live. Worldwide you will have access to your data. It will be all your data. Systems go and grab it out of everywhere, a nice summary dashboard. If it’s all your mail, you know where to get that. If it’s your cookie settings and screen width in Yahoo Finance, that’s no fun but you will get that.
Arthur: GDPR asks to show where you are sharing your data.
Wendell: You will get a representation of where it’s been shared to. [Following proof of ID]. There’s a need for a DSAR portal, standalone, for small publishers. We run big ad tech. Imagine you run a little WordPress site. You want to log in. Now you have GDPR obligations. There ought to be a WordPress scale standalone open source implementation for GDPR compliance for small publishers in the same way Quantcast built this consent management scheme and contributed it to the IAB and the world.
Doc: If somebody goes to the Daily Beast or Buzzfeed on May 26, what are they going to see that’s new?
Wendell: I would expect every publisher on the planet that serves European readers will have a roadblock that says do you consent. The purposes in the ads industry are fairly small. Analytics. Reuse of data for targeting. Reuse of data on another site. Precise geolocation. They will ask for that.
Arthur: When a European is here in the United States, we have to identify them and they are under GDPR.
Wendell: The company publishing may also be registered as a European entity. If you intend never to have anything to do with Europe again, you can blow this off. But that’s teensy. Professors who have data about conferences, papers, they are now subject to these requirements. Need to support Access, Erasure, Objection, Restriction, Rectification.
Q: Destroy logs? Now you ask for consent. If pooled together and not personally indentifiable, that’s okay.
Wendell: You can ask people to reconsent. Or deidentify the data you’re no longer allowed to keep. There is no grandfathering. They can come in with auditors. If they find user data you didn’t report, you’re illegal.
Iain: We’re expecting to get rid of 75% of the customer records.
Arthur: Individuals have to opt out for each purpose, for each vendor. Consumer will never get to any of it. It’s really got to be simple. How do you know your audit trail is good?
Wendell: We built a chain of custody system. It’s not a blockchain because we have our own audits and trust ourselves. I used information labeling techniques. Even city-level or IP-level targeting.
Wendell: Network addressing is considered imprecise, even with IPv6.
Doc: What Google came out with this morning. Is it possible on G Day when all these sites had no front door, people will say I hate all this?
Arthur: There is research on that. The lack of opt-in is 70%. Depends on how you do it. Many small publishers will turn away from tracking and make brands bring the consent with the data.
Wendell: NY Times may get your name and address. Some other place you might not let have anything.
Iain: Big minefield. You must provide an equivalent service without consent.
Wendell: Other ways publishers will get the ability to have user data. Pay walls will grow up. Maybe micropayments. Non-money kinds of things. If you’re doing ad tech, you need consent and chain of custody. If you’re doing a newspaper, why not just have a paywall. The regulators are going to make a decision about whether your paywall is real or not. As Joyce presented yesterday, none of this has been actually focused grouped. It should have been focused grouped for years, walked through many different levels. For various reasons, it wasn’t. And now here we are. It is 55 days. What are we doing. The number of phone calls of business people who don’t have answers yet is stunning.
Q: Some words don’t pass the 8th grade reading level, like rectification.
Arthur: The industry focuses on ourselves. Now we have to pay attention. I go to hundreds of sites a day. Little publishers will take all tracking all tracking off your site and go to contextual targeting and let the brands bring in the data. The Internet may become unusable.
Q: Consent form blockers?
Dave Husedy, Hyperledger: What are you doing for data integrity? Would you open source your chain of custody?
Wendell: Those are more ideas.