Targeted Advertising, Retargeting and Privacy: What Companies ...
© 2015 LOEB & LOEB LLP
Targeted Advertising, Retargeting and Privacy: What Companies Need to Know
Andrew Elman, Re:Sources USA, A Publicis Groupe Company
Nathan Hole, Loeb & Loeb LLP
Brian Nixon, Loeb & Loeb LLP
May 24, 2016
Greater New York Chapter Association of Corporate Counsel
Targeted Advertising - Today’s Topics
• The Legal Landscape
• In Practice
• General Enforcement Trends
• Keys to Compliance & Best Practices
• What’s On the Horizon
[graphic that represents the intersection of data and analytics]
More online/digital activity
+ More connected devices
= More data
Interest-Based Advertising
Web pages visited over time …
Based on user’s online activities, relevant ads are displayed on a publisher website
Retargeting
Visit a website for online shopping…
An ad for an item previously viewed on a prior website then appears on a subsequent webpage visited later in time
Online and Mobile Targeted Advertising Increasingly Use Programmatic Buying
Programmatic buying refers to a wide range of technologies that automate the buying, placement and optimization of advertising, often through ad exchanges.
• Real-time bidding for online display ads is just one type of programmatic buying.
• Established ad exchanges already exist for online and mobile display and video.
• It’s similar to buying stocks on the stock exchange.
The Players in Today’s Eco-System
• Ad Agency: Buys ad inventory directly from publishers and from ad networks and ad exchanges
• Demand-Side Platform: A centralized interface for managing digital advertising
• Ad Exchange: Provides automated, real-time bidding on ad inventory
• Ad Network: Buys and repackages ad inventory from many publishers
• Data Aggregator: Collects data from multiple sources and “cleans” it for downstream users
• Publisher: Controls the websites where ads are displayed
Online Ad Exchanges
1. Visitor enters Publisher website URL. Publisher sends request to Ad Exchange for 1 ad of particular spec (e.g., a banner).
2. Ad Exchange makes available details of visitor, Publisher site, and ad unit to participating advertisers/agencies.
Advertiser #1: I offer $2 for this impression because the visitor abandoned a shopping cart on my site 2 hours ago.
Advertiser #2: I offer $1.80 for this impression because the visitor is a 15- to 22-year-old male with an interest in sports.
Advertiser #3: I offer $1.60 for this impression because this is an authoritative movie and gaming site.
3. Ad Exchange selects the highest-paying advertiser and sends corresponding creative to Publisher website.
4. Visitor sees ad from highest-paying advertiser. Complete process takes place while web page loads.
Traditional TV
[graphic: 1000 Main St., 1001 Main St.]
Addressable Television
[graphic: 1000 Main St., 1001 Main St.]
• Female, 26 years old, interest in beauty care
• Male, 38 years old, interest in clothing
Methods of Targeting or Tracking
• Mobile device location
• Audio fingerprinting
• Bluetooth low-energy / beacons
FTC Warns 12 App Developers re: SilverPush
• SilverPush enables a mobile device to hear audio beacons embedded in TV programming and create a log of what users have watched
• March 2016: FTC sent warning letters to 12 app developers whose apps included SilverPush
Methods of Targeting or Tracking
• Device identifiers (web or mobile)
• Vehicles
• Linking purchases to digital activity
Card-Linked Measurement / Targeting
• Ad measurement / targeting
• Connecting digital ad impressions to offline purchase activity
• Consumer consent
• Sensitive financial information
Social Media + Digital On-Demand Services
The Legal Landscape
U.S. Approach to Data Collection and Privacy
Virtually every piece of data has strings attached – rules about how it can be used, shared, protected, stored and destroyed.
• There is no single comprehensive privacy law in the U.S.
• Data collection and optimization is governed by:
- Patchwork system of state and federal laws
- Self-regulatory frameworks and industry guidelines
- Platform Terms of Use and Privacy Policies
- Contracts with vendors and partners
- Your own privacy policies
Selected Federal Laws That Regulate the Collection and Use of Consumer Data
• FTC Act
- requires companies to comply with their own privacy policies
• Gramm-Leach-Bliley Act (GLB)
- limits how consumers’ financial information may be used
• Health Insurance Portability and Accountability Act (HIPAA)
- limits how covered entities may use health information
• Children’s Online Privacy Protection Act (COPPA)
- limits the collection of children’s personal information and requires parental notice and consent
• New U.S.–E.U. Privacy Shield Program (replaces the U.S.-E.U. Safe Harbor Framework)
- places limits on data transferred between the U.S. and E.U.
California Continues To Lead on Privacy Issues
• Dozens of privacy laws - typically provide more protection to the consumer than federal laws
• Recently enacted a “do not track” law and a law limiting the use of recordings made by a voice-activated connected TV
• California laws = minimum requirements for online companies
Spokeo, Inc. v. Robins, No. 13-1339 (2016)
For standing to challenge a statutory violation, plaintiffs must suffer particularized and concrete injury
- Personal and individualized
- Real, not abstract
• Bare procedural violation is insufficient.
• Intangible injuries can be concrete
The FTC has initiated many enforcement actions against online and offline companies for violating the FTC Act by:
• Not complying with a posted privacy policy
• Changing a privacy policy (perhaps to reflect new technology or new partners/vendors) and not giving consumers notice or the opportunity to opt out of the new policy
• Failing to adequately safeguard data
• Claiming to provide adequate security for data and then failing to do so
• Failing to adequately disclose what data is collected and for what purpose
• Failing to honor opt-out promises
Selected Privacy Guidelines
• FTC
- Online Behavioral Advertising
- Mobile Apps
- Internet of Things
• California AG
- Mobile Apps
- Privacy Policies and Do Not Track Disclosures
• Digital Advertising Alliance (DAA)
- Online and Mobile Interest-Based Advertising
- Cross Device Tracking
• Mobile Marketing Association
- Text Message Marketing
• Alliance of Automobile Manufacturers
- Internet-connected cars
Self-Regulatory Compliance Actions
Compliance Actions have focused on:
• Failure to provide notice on every page where data is collected or used for interest-based advertising
• Opt-out links that did not work
• Privacy policies that did not accurately describe a company’s data collection and use policies
• Failing to honor an opt-out request for five years
One more thing to keep in mind…
Platforms and app stores have Terms of Use, Privacy Policies and other guidelines which may limit how you can use data.
These policies change frequently.
Targeted Advertising & Retargeting – In Practice
Advertisers reach Facebook users by taking their own first-party data (e.g., email address, phone number, customer name) to create a target audience, and can layer Facebook audience segments over this to refine targeting and deliver a targeted ad.
Facebook ‘Custom Audiences’ works by applying hashes to the customer data of an advertiser to remove any personal information, and then mapping that hashed data to its users with the same or substantially similar sequence of characters from Facebook’s database.
Additional targeting parameters, such as age and interests, may be added to reach a specific audience.
• Advertisers can show ads to customers based on data about those customers (e.g., email addresses) that the advertiser shares with Google.
• Currently available on Google’s Search Network, YouTube, and Gmail.
• Option to target similar audiences on YouTube and Gmail based on the advertiser’s created Customer Match audience.
Google AdWords Customer Match works by the advertiser uploading a customer data file using AdWords or the AdWords API, with the data either hashed or unhashed. Google compares each hashed string (or email address, if the advertiser didn’t hash) with that of Google accounts. For matches, the corresponding Google account is added to the advertiser’s Customer Match audience.
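The hashed-list matching described on the Facebook Custom Audiences and Google Customer Match slides, as an added example that is not from the presentation or from either platform's code. It assumes SHA-256 over a trimmed, lowercased email address; the function names, account ids and email addresses are hypothetical and constructed for illustration.

```python
import hashlib

def normalize_email(raw: str) -> str:
    """Trim whitespace and lowercase (assumed normalization rule)."""
    return raw.strip().lower()

def hash_identifier(raw: str) -> str:
    """SHA-256 hex digest of the normalized value (assumed hash function)."""
    return hashlib.sha256(normalize_email(raw).encode("utf-8")).hexdigest()

def build_upload(customer_emails):
    """Advertiser side: only digests are placed in the uploaded file."""
    return {hash_identifier(e) for e in customer_emails}

def match_audience(upload, platform_accounts):
    """Platform side: hash its own account emails the same way and join."""
    index = {hash_identifier(email): account_id
             for account_id, email in platform_accounts.items()}
    return sorted(index[d] for d in upload if d in index)

def shared_digests(upload_a, upload_b):
    """Digests present in two independent uploads: the hash is a stable join key."""
    return upload_a & upload_b

# Constructed sample data (not real customers or accounts).
ADVERTISER_A = ["Alice@Example.com ", "bob@example.com", "carol@example.org"]
ADVERTISER_B = ["alice@example.com", "dave@example.net"]
PLATFORM_ACCOUNTS = {"acct-1": "alice@example.com",
                     "acct-2": "bob@example.com",
                     "acct-3": "erin@example.net"}

if __name__ == "__main__":
    up_a, up_b = build_upload(ADVERTISER_A), build_upload(ADVERTISER_B)
    print("A's audience:", match_audience(up_a, PLATFORM_ACCOUNTS))
    print("B's audience:", match_audience(up_b, PLATFORM_ACCOUNTS))
    print("customers linkable across A and B:", len(shared_digests(up_a, up_b)))
```

The match succeeds because the digest is deterministic: any party that already holds the same email address computes the same value, so a hashed list still works as a persistent identifier and should be handled with the same access controls and retention limits as the underlying customer data.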
Twitter TV Targeting
Twitter TV Ad Targeting is a dashboard for marketers that allows them to send a promoted tweet to someone who tweeted during a television program in which the marketer’s commercial was broadcast.
DAA 1st Mobile Enforcement Action (May 2016)
• Spinrilla allowed third parties to collect user data for IBA, without providing required notice and enhanced notice.
• Data collected included cross-app data, IFA data (a unique, persistent device identifier) and precise location data
• DAA’s Mobile Guidance requires:
- First party enhanced notice and consumer control for cross-app data collection
- First party notice, enhanced notice and consumer control for precise location data
Cross Device Tracking
Buy, sell or transfer tickets. Pay for parking.
Pre-order and pick-up food before event. Order & track delivery to seats.
Access to in-venue mobile video content; multi-angle playback during live event.
Find shortest lines for restrooms, food, & merchandise.
Earn, track and redeem loyalty rewards.
Option to purchase seat upgrades after arriving at venue.
Cross Device Tracking Issues
DAA issued Application of the DAA Principles of Transparency and Control to Data Used Across Devices (Nov. 2015), requiring
• Notice that data collected from a particular browser or device may be used with another linked computer or device, or may be transferred to a non-affiliate
• Clear, meaningful, and prominent link to a disclosure linking to industry developed website or choice mechanism, or individually listing the Third Parties engaged in the collection
• Consumer choice (i.e., an opt-out mechanism)
Michael v. Verizon et al.
• Verizon tagged customers with a unique code (or “header”) so that it could follow customers as they navigated around the web and their mobile apps. Customers could opt out of this tracking, but a blogger revealed that ad companies could use this persistent identifier (called a “supercookie”) to track customers even after they had tried to opt out.
• Less than two weeks after the New York Times article about Verizon’s supercookies was published, a class action complaint was filed in federal district court against Verizon and Turn asserting claims under the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.
Location Technology - Tracking
FTC Enforcement: Location Tracking
FTC Settlement with Nomi Technologies (2015)
Nomi Technologies, a company whose technology allows retailers to track consumers’ movements through their stores, agreed to settle Federal Trade Commission charges that it misled consumers with promises that it would provide an in-store mechanism for consumers to opt out of tracking and that consumers would be informed when locations were using Nomi’s tracking services.
Internet of Things (IoT) / Connected Devices
It involves “things” — whether cars, appliances, machines, consumer goods or personal devices — embedded with sensors and transmission technology so they can “talk” to other devices and to the Internet.
Connected Home
Connected Cars
Connected Self
General Enforcement Trends
Recent FTC Enforcement and Other Actions
Silverpush (March 2016)
• Must disclose audio beacon functionality of app
In the Matter of General Workings Inc., also doing business as Vulcun (May 2016)
• Companies must disclose
- Collection, use and sharing of consumers’ information
- Consumers’ level of control over their data
- Steps to maintain privacy or security
- Types of information a product or service will access and how it will be used
• Express affirmative consent required before the installation or material change
BBB Compliance Action – 23andMe
BBB’s Accountability Program determined that 23andMe was engaging in retargeting, but failed to provide enhanced notice on 23andMe’s web site and in or around the ad displayed on nonaffiliated web sites
Keys to Compliance & Best Practices
Keys to Compliance
• Short Form Privacy Policy
• Participate in Self-Regulatory Programs
• Coordinate with Ad Networks & Analytics Companies
• Just in Time Notification
Applying Privacy By Design in the Real World
KNOW THE PRODUCT
• From what product is the data collected?
• Is it a mobile app, a website, a physical product or something else?
• What technology does it use?
• How does it connect to other devices and to the Internet?
UNDERSTAND THE DATA & USE CASES
• What types of data are collected?
• Is sensitive data collected?
• How is the data used and shared?
• What security features protect the data?
KNOW THE TERRITORIAL CASES
• In which countries is the data collected?
• Where will the product using this data be marketed and sold?
• Where will data processing occur?
• Where will data be store
What’s on the horizon