the missing user data platform
25 August 2018
(update 20 Nov 2018: copy edit, add a link to Dr. Johnny Ryan's CNIL article)
Today's web advertising relies on 1990s browser behavior—most browsers fail to protect users from being tracked from site to site, and advertisers are used to taking advantage of that old defect. But because browsers do user research and respond to what users want, that's changing. Browsers are making it harder to track users from site to site without their permission. Along with privacy regulations, this change is creating an opportunity for new, "post-creepy" web advertising that:
works with user privacy principles
has fewer of the negative externalities of targeted ads
gives more market power and revenue to sites that users choose to trust
The big opportunity is in enabling publishers to reclaim control over their own audience data, not in establishing a new choke point such as a cryptocurrency or paid whitelisting program. (If publishers wanted to give up control to a tech firm, they can do that already.) Most of the development that is needed here can be provided by third parties that publishers are already using, because third parties are coming into compliance with privacy regulations. For example, Google Tag Manager already has the required functionality in order to comply with the European GDPR.
The missing piece is a way for sites to collect and enough user data to show advertisers that the site is trusted by human users, in order to make the ads on that site saleable.
In the new environment, user data alone is insufficient—data must be accompanied by the consent required to use it. And that can't be just "click to make this dialog go away and consent to adtech as usual". Both regulators and browser developers are going to require real consent. So the web advertising system needs to evolve away from dependence on large quantities of un-permissioned data towards the ability to use less data accompanied by permission. (Post-creepy web ads won't be able to swim in abundant unpermissioned data with the nutria of the Lumascape. Consent is scarcer than raw data, and only data accompanied by consent is safe to use. Publishers will have to collect and conserve every drop of data, like muad'dib, the desert mouse of Arrakis.) Possible sources include:
Subscription and micropayment systems
Comments and surveys
Miscellaneous e-commerce (tote bags, mugs, clothing...)
Transparency and Consent Framework consent bits
Differences in browser behavior between trusted and untrusted sites
Consent management is a tricky problem. IAB Europe is doing some work toward addressing it, with the open-source Transparency and Consent Framework. Although existing implementations are designed to nudge the user into not-transparent data practices, and are not yet getting real consent, this framework does provide a starting point on which to build consent management that both implements the user's preferences accurately and provides a smooth user experience. (more info: Global Consent Manager. Global Consent Manager is a client-side component that you can try in Firefox now, that can interact with server-side data platforms.)
In principle, privacy regulation and browser privacy improvements have the potential to lower the return on investment on creepy tracking, and raise the return on investment on building reputation and getting consent. But publishers, who have the reputation to get users to agree that they have the right to use data, don't have the development budgets or time to build the tools for data gathering.
User data and opportunities to get to get consent are everywhere, in CMSs, other software, and in third-party services. The missing piece is a platform that will collect data, with permission, from all the above sources and
run either on the publisher's own infrastructure or as a third-party service so that small publishers don't need to touch the CMS or deploy and manage a new service
comply with current and future data protection regulations
work with and anticipate privacy improvements in browsers
provide reports and APIs in a usable format for advertisers and agencies
Many of today's ad agencies, even sympathetic ones, won't come to the new system by choice, because it won't allow for tracking desirable audiences to cheap sites. We can assume that advertisers and agencies will ignore the new system until they see that it’s a way to reach a significant audience that they can’t reach in other ways, today, and the mainstream tracking-protected web audience in the near future.