The Third-Party Data Crisis: How the Facebook Data Breach Affects the Ad Tech
In April, all the media was on air with the Facebook data breach and the consequent third-party data crisis. Facebook’s biggest sin is, in fact, the case of Cambridge Analytica.
What is it for the ad tech world? The financial success of the most famous social network is advertising. That’s how Facebook made $16 billion in profit on revenues of $40.7 billion in 2017. And that’s how the whole digital advertising ecosystem works; it’s a $330 billion market worldwide.
Zuckerberg explains that Facebook doesn’t sell user data, but rather delivers the advertisement to the addressees by its own means. Although until recently Facebook let the developers collect this data by themselves.
The data breach scandal already has its consequences. The Mozilla browser’s blog says that the company refused to advertise on Facebook because of the recent user data leak. Mozilla highlighted that they “will consider the return” of advertising in social networks after Facebook “takes more decisive action” and improves the settings the default privacy for third-party applications.
Data Protection Regulations
Right now, Facebook is desperately trying to wash off the stain from its reputation and to strengthen the protection of the user personal data. Meanwhile, the public may start looking at the problem of collecting personal data and privacy threats from the different angle.
The Internet is loaded with such an incredible amount of data that traditional demographic lists or voter registries reside in the shadows. Much of this data is systematized in anonymous order, but not all of it. And few people are even aware of how much personal data they actually give away out of a free will.
Engadget says that tougher regulation of Facebook is inevitable since the mistakes and a lack of transparency have left few other options.
Security breaches that have exposed personal data are ever more common – consider such companies as Saks, Lord & Taylor, Orbitz, Uber, and Equifax, to name just a few. Lawmakers have introduced many privacy-oriented bills during the last decade, but they’ve all been narrowly focused and hardly any of them passed. Most of such bills apply only to a limited type of data, like social security numbers and health or financial information.
After the Equifax hack in late 2017, which compromised the personal information of nearly 148 million people, lawmakers introduced bills that would give consumers more control over the data that credit reporting agencies can collect on them, require businesses to inform consumers of data breaches and impose fines. In the same year, the Browser Act was introduced which would require web-based services to let users opt in or out of having their data collected.
As for now, there are a few data security standards (PCI DSS, ISO 27001, NIST). But the problem with them is that they are not universal, and all are designed for different purposes, industries or geographies.
- The PCI DSS compliance standard outlines 12 data security regulations for organizations that process and store payment card details.
- The ISO 27001 standard is a less technical, more risk management-based approach that provides practical recommendations for companies of all types and sizes in six defined phases.
- NIST Special Publication 800-53, Revision 5 proposes a catalog of 20 different privacy and security control groups to help U.S. federal agencies and organizations better manage their risks.
- The 20 CIS Critical Security Controls are independent of industry type and geography and provide a priority-based and a rather technical approach for immediate, high-impact results.
This year companies in EU have been actively preparing for the General Regulation of the EU on the protection of the personal data, so they are now calm about the data collection. Until recently, the General Data Protection Regulation (GDPR) appeared likely to have only limited benefits for people outside of Europe. Now, the law’s reach could be much bigger. Privacy experts say it’s becoming more likely that a new law would mark a change in the way the federal government approaches privacy regulations. Facebook CEO Mark Zuckerberg says Facebook already complies with parts of Europe’s GDPR, but it won’t comply with all of it worldwide.
Zuckerberg also highlighted his support for digital-advertising regulations like the Honest Ads Act, a bipartisan bill that proposes online advertising be regulated the same way print, radio and television ads are.
Much of advertising relies on programmatic behavioral targeting using customer data, so ongoing privacy revelations around Cambridge Analytica will surely impact the ad tech industry. In an interview with Bloomberg, Facebook’s Chief Operating Officer Sheryl Sandberg said that “a few” advertisers had already paused their ad spending.
The GDPR is also going to change how Facebook targets ads. The social network is drawing stricter boundaries around its work with certain advertisers and political campaigns. For the recent years, marketers used DMPs to store and analyze customer data and deploy it for highly targeted advertising. DMPs, or Data Management Platforms, work mostly on third-party data, which comes from various sources and is sold by a third party. DMPs collect, classify, and categorize data, then the segment and use it.
For now, processing third-party data through cookies without any consent is legal. However, The Cambridge Analytica scandal, together with the GDPR, is going to change that, together with the way marketers access the sales funnel. The GDPR classifies both cookies and IDs as personal data, which means that this restriction can extinguish most of the cookie data. By some estimates, GDPR will remove access to up to 75% of third-party data, and what is left will be more expensive. Those advertisers who use Facebook will face more limited audience reach and analytics tools. Without access to this data, targeting will be limited mostly to advertisers’ first-party data sets, in addition to context and demographics, which can still be provided by Facebook. Paid media posting and advertising will still work, but it could become much more expensive to run advertising campaigns on a social network like Facebook. It’s very likely there’ll be much fewer data inputs to work with.
Handling the third-party data is the DMPs’ biggest drawback with regard to GDPR, and promises to become more complex and problematic. But the good news is that it also has a potential to empower advertisers to take customer privacy seriously.
How to Keep Away from the Privacy Scandals?
The business of online advertising is in combining first-party data with third-party data to create a detailed picture of the target audience. Online publishers and social platforms that sell advertising have to balance between the two – they need to monetize data about their customers, and at the same time to protect that data.
Today’s modern advertisers should probably take a closer look at Facebook and catch up with what they’re doing right now. Facebook is now making an effort to be transparent. While they won’t change the way data is accessed and curated by the organizations directly advertising through Facebook, their marketing partners and developers will need to adapt significantly to new measures.
For any business trying to stay on top in an ad tech world, ensuring GDPR compliance becomes necessary. Consumers clearly need to rely on more than good faith to protect their interests. But while it isn’t required while you aren’t in the EU, doing so would set you on a right track regarding the growing concerns of your potential customers on their privacy. And, in the ad tech, such trust is vital. Therefore, make sure that you comply with the GDPR requirements.
Inform your customers of the kinds of data you’re collecting, what you’re doing with it, and who else will see it. Also, ensure that your privacy settings are at the highest level.
Business leaders can get ahead of compliance regulations, no matter which security compliant framework they choose. It’s a chance to build lasting trust with customers by targeting a higher standard for data protection. Data is a significant asset for organizations. It’s time to start acting like it because there’s a lot more than fines at stake.