This new working group looks to tackle adtech, RTB issues

The U.K. Information Commissioner's Office put the advertising technology industry on notice last summer. The message was simple: The entire industry has been operating illegally. Organizations were not properly gathering consent to serve targeted ads, and the agency cited a lack of transparency in how data is processed and sold in real-time bidding scenarios.

The ICO gave the adtech industry a grace period to shore up its practices.

It also met with stakeholders about these concerns, engaged with adtech organizations to learn about their practices and held a fact-finding forum that covered real-time bidding last November. The industry has responded to the ICO with proposals in turn. Google revealed its "walled garden" approach, which would eliminate third-party cookies and allow everything to be managed by the website provider. The Interactive Advertising Bureau announced a plan of its own to improve the contracts between websites and third-parties.

The latest proposal, however, is the "5th Cookie" working group, which aims to assist the adtech real-time bidding ecosystem via Pseudonymisation as newly defined in the EU General Data Protection Regulation.

The working group was launched by the Information Accountability Foundation, tech vendor Anonos and database marketing company Acxiom. The organizations have begun to accept submissions for those that wish to join the working group.

And take note: representatives from all three entities, as well as ICO Principal Technology Policy Advisor Paul Comerford, will speak during an IAPP web conference Feb. 13 on the 5th Cookie , Pseudonymisation and how GDPR compliant Pseudonymisation can stop reidentification via the "Mosaic Effect," which is when other pieces of information about an individual are used to identify a data subject.

"The 5th Cookie working group is about raising greater awareness and the benefits of it being different with Pseudonymisation versus anonymization," Anonos CEO, Co-Founder and General Counsel Gary LaFever said. "We are hoping to find people who actually see within the concept an area that not only makes sense for ethical and lawful processing of data, but it could actually further their business objectives."

LaFever said a website publisher will have its first-party cookies from the major tech companies, such as Amazon of Google. In addition to those cookies, they would also receive another first party cookie administered from the working group. This cookie would be managed by a "democratic cooperative" made up of one or more trusted third parties that will manage what LaFever calls a "microsegment." Any personal data processed through the working group's cookie would be Pseudonymised and placed into small groups of data subjects who have similar interests and behaviors. 

"The groups are small enough to meet the needs of the advertisers because they want to personalize and customize offerings, but not so small that they are immediately identified," said LaFever. "The data necessary to go from the microsegments to the individuals is under the control of the manager of the co-op, and this is exactly what the GDPR provides under the definition of Pseudonymisation."

Advertisers can bid on targeting those within the microsegments without knowing their identities. The managers of the co-op would be the only ones who have the information and tools to re-identify any given data, however, anyone who seeks to do so would need to prove to the manager why it is necessary.

Who will be making up those "trusted third-parties" and managers, and how will they be chosen? LaFever expressed flexibility on this point. The working group will ultimately take the shape of those who wish to join.

"In order for the 5th Cookie working group to be sustainable long-term, it has to work for all parties who are interested, and that means regulators, legislators, commercial entities, as well as data subjects and society as a whole," said LaFever. "We don’t want to prescribe what it’s going to look like and how its going to morph, because we don’t know."

LaFever positions the working group as an alternate approach to both the Google and IAB proposals. While LaFever acknowledges both tactics have strengths, he also sees some weaknesses as well.

"One of the biggest common weaknesses is, where are the technical safeguards that help to reduce the risk to the actual data subjects involved in the ecosystem? The walled-garden approach still has exposure because ultimately every person is assigned a constant identifier and that identifier is shared and you can find out who the person is," said LaFever. "The IAB approach is relying on contracts, which is good that they’ve improved the contracts, but who is enforcing these hundreds of thousands of contracts?"

The working group does not position itself to solve the adtech problem on its own. Despite any perceived shortcomings, the group states on its website that "it will support and build upon alternative solutions, including those presented in the Google and IAB proposals."

And it might take a lot of work to start taking on the adtech issues raised by the ICO. LaFever said he appreciates that the ICO focused on an industry that needs a lot of help. He believes the agency's interactions with the working group will help to broaden the discussions around adtech and real time bidding. LaFever hopes the 5th cookie can open the eyes of those who perhaps misunderstand the benefits of Pseudonymisation and have not truly embraced the GDPR.

"I think if we can wake people up to what Pseudonymisation is and what it enables under the GDPR and we achieve nothing else, it would be a success. The GDPR can actually be your friend if you take the time to understand it and realize there’s new ways achieve business objectives," said LaFever.

"And what the ICO's focus on adtech makes clear is the way business has been done no longer works. They aren’t saying don’t continue the business, they are saying look for new ways to get it done that are privacy respectful and if the 5th Cookie helps to further that dialogue, it’s a tremendous success."


This article originally appeared in IAPP.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.


Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.