The Article 17 Series Part 1: How Did We Get Here?

Posted May 11, 2020

Digital privacy is the #1 most important issue in the mobile advertising industry today, and it will be over the next five years. Yet it’s the topic that most of us know the least about. The Article 17 series takes a look at privacy considerations for mobile publishers and advertisers together with Alan Chapell, founding partner of a law firm focusing on privacy for tech companies, providing his fact-based POV on the current state of privacy regulations.

Where did this all come from? 

The first rumbles of privacy legislation started a decade ago, triggering the avalanche we’re seeing today.

AdColony: We first reached out to you in part because the Federal Trade Commission in the U.S. made some significant changes to the Children’s Online Privacy Protection Act (COPPA) and, as a mobile games marketplace, we needed help navigating those changes. Can you explain what exactly shifted? 

Alan Chapell: Yes, so COPPA regulates the collection and use of personally identifiable information (PII) gathered from persons under the age of 13 via online services. It’s actually been in existence for 20 years, but in 2012 the FTC updated COPPA in part to incorporate the idea that “personally identifiable” should be defined a little bit more broadly. 

Under the first version of COPPA it was really focused on what I sometimes refer to as traditional PII such as email addresses and telephone numbers. Under this new updated version, we are talking about IP addresses, cookie IDs, etc. 

Prior to the new rules, COPPA sought to regulate PII collected from kids when they went onto AOL to instant message, for instance, or Friendster or MySpace. And if they indicated that they were under 13, the company had to ask their parent’s permission to collect the email address and other PII. It was also more the concern of the Disneys and the Nickelodeons of the world, who had sites that were specifically targeted towards children. 

But the FTC grew increasingly concerned about the potential for engaging in behavioral targeting on children’s sites. And the original version of COPPA only applied to information such as email and postal address, not pseudonymous information that is typically collected via behavioral targeting. (Although it’s worth noting that industry self-reg had addressed the creation of children’s segments for behavioral targeting.) In any event, when recrafting COPPA, the FTC broadened the definition of “personal data” to include pseudonymous data points like IP address and cookie ID when collected from child-directed sites and used for anything other than the internal operations of the website/app from which it was collected. 

AdColony: What did that mean, then, for mobile game publishers? 

Alan Chapell: Well, let me ask you: Is Angry Birds for kids? 

I can say with a fair amount of confidence that at least half to perhaps three-quarters of the people who’ve used Angry Birds are over 18. The average age is probably more like 33. But, because it uses cartoon characters, the FTC said, well, no, that’s a child-directed app. 

So now suddenly the mobile app space went from being regulated mostly by industry self-regulation to falling under COPPA, which meant that all data collected from a “child-directed app” – which now many of them were considered –  could only be used for the internal operations of the app. So you could do basic ad serving but you couldn’t do anything resembling interest-based advertising or enhanced targeting. 

It was really a fundamental shift of the mobile marketing space. In some ways, that was probably the harbinger of what was to come over the last two or three years.

AdColony: What kind of impact did this make on publishers? 

Alan Chapell: It necessitated a whole complex industry, a programmatic mechanism where publishers had to indicate if they were “child-directed” and ad tech companies would see that somewhere in the bid stream and would block any type of targeting technique for child-directed apps. Many in adtech simply passed on child-directed ad slots as a result of the rule change. 

The net result of that was that a lot of the child-directed publishers saw a pretty significant drop in their ad revenue because adtech companies would just pass on even bidding for the ad impression. And in the desktop space, many DSPs just stopped; they just ignored child-directed content because they can’t make enough money from it to deal with the compliance challenges.

AdColony: So that was the first major shift – about eight years ago – where personal data was defined so as to include pseudonymous data, like a mobile ad ID. How did this influence the next wave of privacy regulation? 

Alan Chapell: It really set us up for Europe’s GDPR (Ed Note: General Data Protection Regulation). Prior to May 2018, most ad tech companies claimed that their models did not necessarily implicate EU data protection law. Adtech companies generally collect only pseudonymous data such as IP address or mobile ad ID. For a long time, there was an open question regarding whether or not the EU Privacy Directive of 1995 even applied to pseudonymous data. The EU Court of Justice eventually held that an IP address was personal data. However, there was still an open question regarding mobile ad IDs and cookie IDs. 

But GDPR basically says, “No, everything that you touch is personal data.” It fundamentally changed the landscape because the digital ad industry had to rethink their entire approach. They needed to build out their data governance practices and adopt privacy by design. It forced companies to ask questions about every piece of data they acquire, like:

  • What are the risks associated with processing that data? 
  • How have you allocated for the risks? 
  • How long would that data be stored and under what circumstances? 
  • Has there been an analysis around both the relative risks and the business impact of storing data for different periods of time? 

Even outside the EU, the expectation these days is that when a regulator asks you questions, you will be able to demonstrate that you’ve thought through these things and set and come back with responses that say, well, you know, here’s how we evaluated the risks around storing data for certain periods of time.

Because now, you’re only supposed to collect the exact amount of data you need. Whereas back in the day, the culture at many digital ad companies was to get every single data point that they possibly could, whether they needed it or not, because the only thing really governing it was storage costs. Now, before you start collecting data, you need to be thinking about the impact. That’s a groundswell for companies who – prior to GDPR – just never really thought about that. 

AdColony: And now, with the California Privacy Act (CCPA), there’s even more reason to think about data before you start collecting it. How has the industry reacted to what feels like an avalanche of regulation over the past few years? 

Alan Chapell: Well, with COPPA, I had said that publishers would pass those signals upstream, whether or not they were child-directed. Now with GDPR and CCPA, there has been a need for much better cooperation across the ad supply chain because now companies need to partner with each other in order to pass certain compliance signals upstream and downstream in a way that nobody had thought about before. 

GDPR, for example, requires at the very least an indicator of the legal basis and potentially the type of consent that you get. That means if there are eight companies involved in serving an ad or measuring an ad or doing attribution for an ad, all eight companies need to have access to at least a portion of the data stream. And so there’s a fair amount of additional coordination going on.

Similarly, there’s information that’s going to need to be passed, at least in the programmatic sphere, pursuant to CCPA. So we’re seeing a fair amount of collaboration and coordination in ways that were previously unheard of. I don’t want to oversell it, because there are still significant challenges in our industry, but the level of coordination is pretty mind-blowing compared to where it was.

Next Time on the Article 17 Series
The continuation of our conversation with Alan on what the latest changes to privacy laws and regulations, especially CCPA, mean for mobile app publishers and advertisers seeking to take advantage of the power and reach of mobile apps and games. 

About Chapell & Associates
Alan Chapell serves as outside counsel and chief privacy officer to digital media companies. Since 2003, Chapell has advised well over two hundred different companies, from venture backed startups to some of the largest media, technology and telecommunications companies in the world. Chapell’s mission is to help clients navigate regulatory, public policy and other marketplace challenges to maximize the value of their products and services.

For more information, please reach out to achapell@chapellassociates.com or visit Alan’s LinkedIn profile here. Chapell is often asked to write for industry trades, and some of his writing may be found here.

Join the Conversation
Questions about mobile publishing privacy compliance for your app? Tweet us at @AdColony. For the latest AdColony mobile news and updates, follow @AdColony on Twitter, like us on Facebook, or connect on LinkedIn.

Jonathan
