As the decade draws to a close, ExchangeWire has invited thought leaders from across the industry to share their predictions and insight into what 2020 will hold for the ad tech and martech industries. Under the spotlight today is privacy. The topic dominated 2019, following the release of the ICO's update report on ad tech and real-time bidding in June, and is set to continue at the forefront of industry conversation in 2020 with the implementation of the California Consumer Privacy Act (CCPA) on January 1st.

Actions, not words

In 2019, we’ve considered how personal data is used within Real-Time Bidding. During the year we’ve seen a growing acceptance from the ad tech industry that things need to change. Many of the current practices are opaque, and there is a disproportionate amount of information used in many ad auctions.

2020 will be about actions, not words. We expect the ad tech industry to be developing different ideas on how to manage advertising auctions, in ways that are more transparent, and more secure. This is an energetic and innovative market – we hope to see some of that energy channelled into initiatives and products, that link advertisers and publishers in less privacy-intrusive ways. At the same time, we will need to consider if the industry is moving fast enough to address our concerns.

We are going to continue working on these issues and we know the industry is going to do the same. Regulatory cooperation and consistency of approach will be critical as we enter the new year.

Simon McDougall, executive director – technology and innovation service, ICO

Turning the corner on regulator perceptions

IAB Europe predicts that 2020 will be the year we turn the corner on regulator perceptions of digital advertising, delivering on the GDPR's promise to provide transparency and control to users about the processing of their personal data, and let them choose which online services they pay for and which they access for free.

As our recent dialogue with the ICO has shown, there’s been doubt post-GDPR about whether the new rules left space for programmatic advertising. Even we were not sure at first about how you could get opt-in user consent, in real-time, for data processing to deliver an ad using RTB, when users’ fingers cannot press keys in nanoseconds. The ICO’s damning Update Report on Adtech in June evinced serious concerns. How can users have confidence in how their data is handled if they don’t even know who is handling it, or make meaningful choices in the absence of adequate information? What about the sheer scale of it all?

But what we hope has surfaced in the course of that dialogue is that RTB can be done in a GDPR-compliant way. Not because we have developed an app to make fingers move faster, but because we have created an open-source, cross-industry standard, the Transparency & Consent Framework (TCF). This enables users to decide up front which companies they are OK to have processing their data and for what purposes, impose those choices on the ecosystem in a way that makes everyone in the chain accountable and can be audited by regulators, and change their minds at any time if they want to.

We are grateful to the ICO for the rich discussions we have had with them, in partnership with our colleagues at IAB UK. And with the TCF and other initiatives, we are working hard to be the change we want to see in the industry.

Townsend Feehan, CEO, IAB Europe

Welcome to a smarter ad tech

Regulators will force significant operational change throughout ad tech, but from the outside, the marketplace will look largely the way it does now. The "GDPR apocalypse" will be a dud, and will instead be a prompt for evolution. Welcome to a smarter, safer, more responsible ad tech.

2020 will be the year of "Consent Fatigue." Visiting a website will be like installing an application. Despite every effort to produce clear and meaningful notices, consent UIs will have the same recognition and retention metrics as terms and conditions, and consumer consent rates will support the view that consent buttons are being jammed to get to content. We will all need to adjust our perspectives on the role of consent in effective privacy protection. If consent is requested everywhere, at all times, it will not produce meaningful consent anywhere. Or even more dangerous to the consumer, some will argue that they are receiving consent everywhere, for everything.

The immediate marketplace disruptors will be the major platforms, who will begin to choke off marketplace participation based on their interpretations of GDPR and related laws. They will move suddenly, and with immediate effect, transforming marketplaces more completely than any regulator could in a short window of time.

Chrome will increasingly feel like an outlier in third-party tracking tolerance. They have already announced changes to begin closing the gap, in particular against fingerprinting and with increased policing of cookies. But these moves have largely left the third-party ecosystem intact. They will announce further changes in 2020 that will begin to make ad tech squirm.

The US, having adopted GDPR-lite in CCPA, and seeing the impact of CCPA once in force, and in horror after other states attempt to outdo California (including California itself, with further amendments and referenda) will adopt their own, uniquely exceptional, GDPR.

Colin O'Malley, founder, The Lucid Privacy Group

Fill the addressability void

The next decade will be defined by a tectonic shift towards first-party data globally. GDPR has irreversibly changed how companies doing business in the EU store and share data. This will imminently be the case in the US, thanks to the California Consumer Privacy Act (CCPA), and elsewhere, as further regulation follows this lead.

To survive among first party behemoths Google and Facebook, publishers will have to fill an audience addressability void. Efforts to learn about and track readers through logins will take on a new urgency, and a ‘known audience’ will become the advertising gold standard.

Looming over this fight for addressability will be fears over compliance. The resulting impact of the regulatory wave is difficult to understate. From 2020, third-party cookies will be toxic territory for publishers. We’ll see a stampede toward first-party data solutions, data transfer agreements, and data privacy assessments, in a race to remain compliant. Companies must find a new way to work in the age of compliance, to lower the burden of compliance while protecting data subject rights, which will define whether they thrive, simply survive, or die.

Richard Foster, CRO, InfoSum

Test cases and CCPA copycats for 2020

I. GDPR Test Cases
GDPR was expected to change the landscape dramatically with regard to privacy and advertising by requiring greater disclosure and transparency. For the most part, that change did not materialise. Participants in the advertising market claimed to change their policies and procedures to comply with GDPR disclosure and consent requirements, but interpreted the letter of the GDPR narrowly, disappointing GDPR regulators who had hoped to see fundamental shifts in the specificity of disclosures in keeping with the perceived spirit of the law.

This disconnect was the result of the unique legislative process that produced GDPR. When exact consensus on thorny issues proved elusive, the drafters resorted to vague language open to various interpretations, with the assumption that regulators would fill the void. While discussions between the regulators and the regulated community continue, recent initiatives suggest an impasse on certain fundamental issues. Advertisers claim that if the more aggressive interpretations are adopted, their business models cannot survive. In private, EU regulators will confess to be unmoved. One of the primary (but usually unspoken) motivations for the passage of GDPR – the overwhelming concentration of economic power in US tech companies in both the search engine and cloud computing spaces - remains unchanged, which continues to roil the EU regulatory community.

As a result, we are seeing more aggressive interpretations advanced by EU Supervisory Authorities, such as the much-publicised UK’s ICO report regarding Real Time Bidding (“RTB”). The ICO’s position suggests to some that the regulators are interpreting GDPR as “the law which they wish they would have gotten, rather than the one they did get”.

II. Copycat CCPA.
Similar to the changes in the EU, state and even local regulators in the United States are escalating their regimes, often with the thought of mirroring CCPA. Depending on the legislative power of privacy proponents, we may even see more aggressive regulatory schemes, including in the advertising space. Contrary to the common assumption that US regulatory changes will be “GDPR-light”, some progressive US jurisdictions may attempt to rewrite the RTB space by making disclosure requirements more proscriptive, or use the concept of monetising personal information to require compensating consumers in the RTB process.

Finally, recent actions by tech companies to move operations to the United States are likely to prompt tests of extraterritorial application of GDPR to US companies where back office activities do not directly touch EU jurisdictions. A recent aggressive interpretation by the European Data Protection Board especially bears watching.

As a result, we may see more classic regulatory arbitrage within the regulated community, especially including the advertising space. As interpretations become more precisely defined, regulated companies may start to tailor not according to the economics of the market place, but to avoid perceived onerous regulatory overreach.

Robert Cattanach, partner, Dorsey & Whitney LLP

Evolve, or die

2019 has so far been a massive year for online privacy from both a legal front,  CJEU’s ruling on cookies and the ICO’s statement on personal data in RTB, and a technical front, with stricter versions of Safari’s ITP and Firefox’s blocking of third-party cookies by default.

Both advertisers and publishers have been hit hard by this, particularly by the privacy settings in web browsers like Safari and Firefox, which have wiped out 40% of third-party cookies. With Google Chrome’s changes to third-party cookies set to be introduced in February 2020, this will only exacerbate the problem.

The industry won’t be able to continue in this unaddressable world, something has got to change.

I predict that online advertising in 2020 and beyond, from targeting to measurement, will be built on first-party data where proper consent has been given.

Despite what many believe, I don’t think that contextual targeting will be the method of choice as it won’t help advertisers in their quest for reaching their target audiences nor will it help publishers achieve their ad revenue goals and maintain high CPMs.

Instead, contextual targeting will likely be used as a backup when addressability isn’t available because the user hasn’t provided consent.

When it comes to privacy in 2020, the writing is on the wall for ad tech — either evolve or die.

Maciej Zawadziński, CEO, Clearcode and Piwik PRO

Rise of conscious consumers and the lean data movement

For marketers, it is easy to look at people as a set of data in a database rather than as human beings. That leads to blindly trying to capture as much consumer data as possible. The results are lazy marketing practices, multiplying costly martech solutions, and consumer trust declines.

Our own research has shown us that the number of consumers making values-based decisions about how they spend their money is rising. These ‘conscious choosers’, as we call them, represent a segment of the market who engage with brands because of their reflection of the consumer’s values. When your product is as good as your competition, the deciding factor for which product they use is based on how much they see their values reflected in the values of your organisation.

With increasing consumer and regulatory pressure in 2020, marketers will have to consider other and better practices when interacting with their customers online. My hope is that we’ll see the "lean data" movement grow. Advertisers are starting to steer away from sharing or selling their users’ data to third parties or collecting the data they don’t need, and they are becoming more open and transparent about their data and subsequently their marketing practices. Not every organisation will adopt "lean data" practices by the end of next year, but the tide is definitely turning.

More companies will take control of their own data strategies and get rid of the wasteful and disingenuous digital practices that have plagued the industry. Behavioural advertising is on the extinction list: it’s one of the least effective tools advertisers can use, with its ROI nowhere near what people hoped it would be. More than half of Fortune 100 companies will stop using this practice in the next couple of years.

Jascha Kaykas-Wolff, CMO, Mozilla

Much to be gained

It’s no secret that throughout 2019 we’ve seen a definitive crumbling of the third-party cookie as GDPR enforcements continue to rise, and large internet browsers are cracking down on data collection. And, as we’ve seen with the ICO’s latest discoveries in the direct processing of special category data, the regulator isn’t shy of taking a hard-line approach to those flouting the rules.

Whilst it’s true that the digital ad industry will struggle to adapt to this shift, not all is lost; in fact, there’s much to be gained. Businesses must start to think smarter and better in order to establish a sustainable, long-lasting marketing future - especially when it comes to the use of customer data.

So, as we head into 2020, there are a few things that businesses will have to consider. With a limited yet enriched data pool available, there will be a renewed focus on making this data work much, much harder. Many businesses will be heading back to the future of contextual targeting, searching for ways to inform with first-party data, and enhance with artificial intelligence. We will also likely see a more pressing need for measurement, as businesses seek to better understand their digital assets and the value they provide. This surge in new technology and enhanced machine learning means both skill and trusted experience will be paramount. It’s time to re-focus on what marketing should be about: driving inspiring connections between people and experiences in a safe, respected way.

Ian James, CEO, Silverbullet

Personalisation and privacy is achievable

2019 has been the year of transparency and the call to put the consumer first is resonating throughout every part of the digital marketing industry. As an individual, we often don’t know how our data is being used and this is at the heart of the issue. Consumers are demanding increased control and a better understanding of how their data is used. For brands and media owners, it is increasingly competitive to engage with users and win the battle for their attention against the new giants of Amazon, Apple, and Netflix.

End users spend 90% of their mobile time on their apps which means that ensuring that your app is actively engaged with in a meaningful way is top priority for media owners, brands, and broadcasters alike. Concerns over privacy have led many companies to move away from personalisation for fear of legal action over compliance. The good news is that personalisation with privacy is achievable and the two can actually co-exist in a way that heralds a new era of targeting and personalisation.

For many, GDPR has made it harder to track and engage on a one-to-one basis with the individual user, unless they have given their complicit consent. It has therefore never been more essential for brands to find a solution which delivers personalisation in a truly compliant way.

Sarah Lawson-Johnston, CCO, Covatic

Opening the door to transparent dialogue

2020 will kick off with increased industry regulation as CCPA comes into play in the US. Publishers must put measures in place to monetise their content in a time of increasing data protection. It’s important to understand that by ensuring compliance with the regulations, publishers can also open the door to transparent dialogue with their audiences on user preferences. When managed well, this direct conversation protects an individual's data rights according to their consent choices, and also allows the publisher to provide a better user experience and develop a more sustainable approach to monetisation

Ben Barokas, co-founder and CEO, Sourcepoint

US to feel the effects of the crumbling cookie

As California's Consumer Privacy Act (CCPA) brings GDPR style data protections stateside on January 1st, this will be the year the United States truly begins to feel the effects of the "crumbling cookie". However, while our research supports that nearly 97% of Internet users report being highly privacy conscious, users continue to desire increased personalisation in digital advertisements. As a result, advertisers will increasingly turn to modelling first-party data, advertising IDs (like Google and Apple use), universal login information, and device-based statistical information, to understand their users. In order to create rich data sets and highly targeted audience segments, we are likely to see significant growth and investment in "know your customer", or KYC, technologies for advertising, similar to what has happened across fintech.

A little over a year and a half since GDPR took effect, it's widely considered to have largely been a boon for digital advertisers despite its billing as a potential pitfall. While the scale of the data available has certainly decreased slightly, as users are able to opt out of providing their data, there has been a significant increase in the quality of the data provided. Most importantly, users have quickly shown that they are more than willing to provide information about themselves in exchange for content or services that they deem worthy. This allows companies to actually create a connection with their consumers, when just a year ago seemed like a very unlikely touchpoint. This does require brands handle the data consent request in a creative, brand-focused way.

Furthermore, while the CCPA is being billed as America's answer to GDPR, the bill itself is actually far less stringent for advertisers, with protections that are primarily centred around the notification of selling a user's data and allowing users to object to their data being sold. For most major third-party data providers, this language is already boilerplate so, as long as companies are explicit about requesting consent before gathering data on their users, there should be minimal risk of fines for retailers and advertisers.

Tim McCormack, VP of media and analytics, BigEye Agency

Embrace privacy to win

I’m always reticent about making predictions because I don’t believe I have any latent clairvoyant abilities — and I’ve yet to find a crystal ball that works! However, I don’t think I need either of these to be able to predict that 2020 is going to be about personal data, privacy and compliance.

We know that the ICO have said that they expect to see the industry make some big changes by the end of this year. Although the IAB have made a valiant effort in attempting to bring this about, I don’t think ad tech has made sufficient progress to satisfy the ICO’s own stated requirements.

This can mean only two outcomes: the ICO start investigations, or they let bad behaviour slide by looking the other way or watering down their stance. The second course of action will, I believe, infuriate privacy advocates who might well choose to raise complaints with the ICO or even sue them to force change.

In addition, a tech battle will likely be waged around user privacy. Apple have got increasingly stringent with ITP and are likely to continue this trend by moving into the app space; by either eliminating or rotating app ids. Chrome are under increasing pressure to put user privacy first and might well follow Apple by eliminating tracking using third-party cookies. Google is also likely to come under pressure to eliminate Android app ids too. However, I believe they will move slowly with regards to any changes and the end result will be little change in any functionality that helps trackers.

Finally, the winners in 2020 will be those who embrace privacy and provide solutions regarding compliant data collection and handling while the losers will be those who try and hold on to the status quo.

Prash Naidu, founder and CEO, Rezonence

A new regulatory age

This year we’ve finally seen the consequences of not complying with GDPR regulations, with giants like British Airways receiving record fines of £183m. While data regulation is undoubtedly a positive step, confusing legislation has caused organisations to develop a fear of using their sensitive data, in a bid to avoid potentially crippling fines and damage to brand reputation.

The snag with a data lock down is that organisations require large amounts of sensitive data to tailor and personalise customer messaging, and to create a seamless online journey. With reports that 86% of people are willing to pay more for a better customer experience it’s not feasible to avoid using data - nor to avoid data regulation. Instead, it’s time to embrace a new regulatory age and ensure your employees are educated on compliance, your technology is fit for purpose and you are avoiding working in data silos. Through collaboration, compliance and smart technology it’s possible to deliver a superior customer experience in 2020 and beyond.”

Bob Canaway, CMO, Privitar

The tide has already turned

The future of privacy will increasingly see third-party cookies banished to the past - and rightly so. We’ll see more, and more stringent, government regulations coupled with a doubling-down on privacy measures from Big Tech.

This future is already underway: the European Union’s General Data Protection Regulation (GDPR) will be followed on January 1 by the California Consumer Privacy Act, with federal laws mooted to follow.

2020 is also expected to see the introduction of the EU’s long-awaited ePrivacy rules, further restricting cookie use, though its implementation is (again) in doubt.

In November, member states failed to reach an agreement about the rules’ scope, in part due to ferocious lobbying by some publishers who fear their revenues would nose-dive as a result. A recent Google study suggests that without third party cookies publisher revenues would drop an average of 52%.

Yet the tide has already turned: those who ignore the coming cookie apocalypse are in trouble indeed. The likes of Apple, Mozilla and, it is reported, even Google are taking a privacy-first approach with their Privacy Sandbox that proposes an end to third-party cookies. And they can make changes on a whim, rather than the slow implementation of the regulation. It’s a win-win for them: ‘consumer champions’ who stand to lose proportionally less as a result of changes.

There is another way: publishers who change their business models can thrive in a world where first-party data is king. Publishers have access to rich, valuable data through their reader relationships, at a time when advertisers are increasingly looking to leverage the context around what a user is actually seeing.

The future of privacy dictates, perhaps, the future of advertising itself: a return to a world where context, content, and consumer are in harmony. Where trusted, brand-safe environments are both valued and add value.

Joe Root, CEO and co-founder, Permutive