<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CERTAINCE</title>
	<atom:link href="https://certaince.com/en/feed/" rel="self" type="application/rss+xml" />
	<link>https://certaince.com/en/</link>
	<description>Fast Business Digitization</description>
	<lastBuildDate>Thu, 11 May 2023 11:19:42 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://certaince.com/wp-content/uploads/2021/12/logo-white.svg</url>
	<title>CERTAINCE</title>
	<link>https://certaince.com/en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Digital advertising in a privacy-first world</title>
		<link>https://certaince.com/en/digital-advertising-in-a-privacy-first-world/</link>
		
		<dc:creator><![CDATA[Sebastian]]></dc:creator>
		<pubDate>Fri, 11 Feb 2022 06:34:07 +0000</pubDate>
				<category><![CDATA[Digital Marketing]]></category>
		<guid isPermaLink="false">http://dev.certaince.com/?p=352</guid>

					<description><![CDATA[<p>Governments across the world have implemented stricter laws regarding the use of cookies. This will strongly reduce the targeting accuracy of certain ads. We will evaluate the alternative options for advertisers in light of these changes.</p>
<p>The post <a href="https://certaince.com/en/digital-advertising-in-a-privacy-first-world/">Digital advertising in a privacy-first world</a> appeared first on <a href="https://certaince.com/en/">CERTAINCE</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong><em>Disclaimer</em></strong><em>: </em>This article should not be seen as legal advice. We strongly recommend seeking legal advice on applying the regulations to your specific circumstances, and disclaim any liability in connection with the use of this guide.</p>



<p>Disruptions to the digital advertising system have been underway for a while. Privacy-concerned consumers have pushed both regulators and businesses into action. Governments across the world have implemented stricter privacy laws, most notably the EU, UK, and China. Perhaps the most notable change is the new restrictions on using cookies – small amounts of data generated by a website and saved by the browser to store and communicate user information. While cookies remain allowed for basic functionalities of a website (e.g. for logins and shopping carts), their use for analytical and advertising purposes now requires explicit consent. This applies to both first-party cookies (set by the server of the visited website) and third-party cookies (set by third-party servers, e.g. ad servers behind display ads). Some web browsers (Safari, Firefox and soon Chrome) go beyond this restriction and block third-party cookies by default. That is because third-party cookies allow the building of user behavior profiles across several websites, and are thus the most privacy-invasive.</p>



<p>The lack of third-party cookies will strongly reduce the targeting accuracy of display ads. Ads will be less personalized, and thus less effective. We will evaluate the alternative options for advertisers in light of these changes.</p>



<p><strong>Focusing on first-party cookies</strong></p>



<p>While first-party cookies are less privacy-invasive, they too can be used to personalize ads, based on data collected about the user on the website. Many marketers thus advocate an increased use of first-party cookies. This is a valid option for large platforms and publishers, such as Google, Amazon, Facebook and the New York Times. These have an abundance of users that willingly create accounts, accept the privacy policies, and log in when using the platform. This enables the collection of an abundance of first-party data, even across user devices (phones, tablets, laptops etc.). Smaller websites, however, will find it more difficult to collect abundant first-party data. Their users are less likely to create accounts and stay logged in, thus accepting the company’s privacy terms. Instead, they must rely on the acceptance of consent banners by users.</p>



<p>The requirement for consent banners, on the other hand, will prevent many first-party cookies whose purpose is analytics and advertising. Seeing little benefit in accepting such cookies, many users reject them. Even when accepted, many browser vendors limit the lifespan of such cookies. Apple, for instance, limits these to 7 days. This makes it very difficult to track users across several visits and attribute the impact of marketing campaigns accurately. Again, big platforms are at an advantage due to their users remaining logged in.</p>



<p>Small advertisers do have some options though. To enable conversion attribution and remarketing without third-party cookies, Google and Facebook have developed first-party cookie solutions that may replace the previous third-party cookies. These first-party cookies carry unique identifiers that are limited to users of an advertiser’s site. This helps to more accurately attribute conversions with these major platforms.</p>



<p>In short, first-party cookies have lost some of their usefulness as well, but they remain a useful tool for marketers. Let’s look at the other alternatives.</p>



<p><strong>Cookieless Advertising &#8211; Digital fingerprinting</strong></p>



<p>Some analytics companies offer digital fingerprinting as a tracking method instead of cookies. Browser fingerprinting identifies individual users based on their IP, browser settings, and device settings. For websites to display correctly, browsers provide information about their device, including screen resolution, operating system, location, and language settings. Trackers assemble this data into a digital “fingerprint” and use this identifier to trace the browser across the web.</p>



<p>While analytics companies often proclaim this technique to be more privacy-compliant than cookies, there are various concerns. In particular, fingerprinting is less visible to the user. Moreover, fingerprints cannot be cleared from the browser like cookies can. This gives users less control over their data. Recent developments allow cross-browser fingerprinting to successfully identify users 99% of the time, even if multiple privacy precautions are taken, such as masking IP addresses through a VPN and deleting or blocking cookies.</p>



<p>The discussion about the GDPR compliance of fingerprinting goes beyond the scope of this article. In short, a digital fingerprinting technique would only be allowed if user data were anonymized in a way that is impossible to reverse with reasonable measures. The threshold for this is very high and regulators have not yet agreed on an acceptable technique (even the hashing and salting of user data does not suffice, as a hash function is considered pseudonymization, and thus results in personal data).</p>



<p>Thus, digital fingerprinting would require the same consent as cookies do. Having collected consent, however, we may as well work with first-party cookies.</p>



<p><strong>Cookieless Advertising &#8211; FLoC</strong></p>



<p>Ad-dependent companies such as Facebook and Google are scrambling to come up with alternative tracking solutions. Google&#8217;s Federated Learning of Cohorts (FLoC) is the most prominent example. It aims to give advertisers a way of targeting ads without exposing details on individual users. It does this by grouping people with similar interests together: football fans, retired travelers, etc. These groups are called cohorts. They are generated through algorithms, which put consumers in a different cohort each week. Cohorts that are too small get grouped together until they have at least several thousand users, to make it harder to identify individual users.</p>



<p>However, a number of privacy advocates have pointed out problems with FLoC. As it groups users in clumps of thousands, ad tech companies may still find ways to identify individual users using additional tracking methods like fingerprinting. Moreover, none of the other browser developers has committed to implementing FLoC. They might never do so unless FLoC gets a lot more transparent and secure from a privacy perspective. It&#8217;s also not clear if FLoC passes GDPR data regulations in the EU.</p>



<p>At this point, it remains to be seen whether FLoC will provide a suitable alternative to cookies.</p>



<p><strong>Cookieless Advertising &#8211; Contextual Targeting</strong></p>



<p>The aforementioned tracking methods – cookies, logins, fingerprinting – are needed for behavioral targeting, i.e. the serving of ads based on the user’s browsing and purchasing behavior. However, there is another targeting approach that does not require knowledge of the users’ previous behavior, and thus no tracking: contextual targeting. Instead of the user’s behavior, it displays relevant ads based on the content of the web page the user is on. This is of course similar to non-digital advertising, e.g. on billboards, magazines, radio and TV. An example would be ads for wedding suits on the wedding announcement pages of the&nbsp;<em>New York Times</em>.</p>



<p>Modern contextual targeting, of course, is&nbsp;still digital and allows for automated processes where algorithms select the advertisements based on keywords and other metadata included in the content.</p>



<p><strong>Contextual Targeting for Display &amp; Social Ads</strong></p>



<p>Contextual targeting for display ads is already available, with the largest player being Alphabet and its AdSense platform. AdSense allows a publisher to insert code throughout a site where ads are&nbsp;served by&nbsp;AdSense. The site is crawled for keywords and context&nbsp;and relevant ads are placed. The site owner can customize certain features, such as where and how ads are displayed, and the&nbsp;types of products or services advertised. Advertisers provide the <strong>topics</strong>&nbsp;of the campaign (e.g. “Autos &amp; Vehicles”, “Trucks &amp; SUVs” etc.) as well as <strong>keywords</strong>&nbsp;for more precise targeting within the selected topics. This includes&nbsp;<a href="https://instapage.com/blog/negative-keywords">negative keywords</a>, which will help the network match ads to website content. Google will then analyze the content in each display network web page to match ads with relevant content. It takes into account text, language, page structure, and link structure, along with your keywords and other targeting.</p>



<p>Furthermore, YouTube recently unveiled “advanced contextual targeting”, which allows for quite granular contextual targeting. It understands, for instance, the difference between luxury travel and budget travel, and it understands the specific interests within categories such as home and garden or interior design. Its machine learning analyzes YouTube videos frame by frame, looking at images, sound, speech and metadata connected to specific videos. While YouTube already has 300 pre-packaged video lineups matched to specific interests, brands can also work with a YouTube rep to create their own. These capabilities are complementary to YouTube’s behavioral targeting (advanced audience) solutions, which let advertisers know what YouTube watchers are generally interested in, based on what they watch.</p>



<p>While display and social ads are improving their algorithms for contextual targeting, it is highly unlikely that their ads will ever be as personalized and effective without behavioral targeting.</p>



<p>The most effective contextual targeting is likely to remain search advertising, e.g. on Google or Microsoft. As each ad matches a search query, it is based on the explicit need of the users in the moment (while often still using previously collected information about the user). This, naturally, increases the likelihood of clicks and conversion. While expensive on a per-click basis, search ads often still provide the best return on advertising spend.</p>



<p><strong>Conclusion</strong></p>



<p>We do not believe that the alternatives to cookies are strong enough at this point to replace the cookie. Digital fingerprinting, while bypassing some privacy-focused browser controls, does not evade the restrictions of privacy regulations.</p>



<p>At this point, brands must accept a certain loss and make the best use of consented data. Supporting this trend, Google announced “Consent Mode” as a beta feature to help advertisers remain compliant with regulations in Europe. Consent Mode automatically ensures that Google tags do not read or write cookies for advertising or analytics purposes in cases where the user did not consent to being tracked. The settings can be varied by region to always collect as much data as possible.</p>



<p>Understanding that advertisers have a measurement gap due to the loss of data, Google has further announced that Consent Mode will also allow for conversion modeling to help fill those gaps. Consent Mode will enable conversion modeling to recover the attribution between ad-click events and conversions measured in Google Ads. Google’s data shows that Consent Mode can recover more than 70% of ad-click-to-conversion journeys that were lost due to user consent choices.</p>



<p>Advertisers using Consent Mode will now see their search, shopping, display and video campaign reports within Google Ads updated with modeled conversion data in the conversions, all conversions, and conversion value columns. Modeled conversions will be integrated into Google Ads campaign reports in the same way and at the same level of granularity as regular conversions, so that they can be leveraged within Google’s bidding tools in the same way as existing conversion data.</p>



<p>Advertisers already using Consent Mode will start seeing gradual improvements as what-would-have-been-lost-conversions are captured through modeling. Advertisers in the European Economic Area or the United Kingdom that are interested in implementing Consent Mode and are using Google Ads conversion tracking can get started here or can work with one of Google’s many consent management platforms.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Chinese Cybersecurity Law and digital marketing</title>
		<link>https://certaince.com/en/the-chinese-cybersecurity-law-and-how-it-may-affect-your-operations/</link>
					<comments>https://certaince.com/en/the-chinese-cybersecurity-law-and-how-it-may-affect-your-operations/#comments</comments>
		
		<dc:creator><![CDATA[Sebastian]]></dc:creator>
		<pubDate>Tue, 21 Dec 2021 04:56:14 +0000</pubDate>
				<category><![CDATA[Digital Marketing]]></category>
		<guid isPermaLink="false">http://certain.local/?p=1</guid>

					<description><![CDATA[<p>To protect personal information and privacy, the Chinese Communist Party has issued the recent Cybersecurity Law. Companies that collect and process personal data in China will need to comply with this law by the end of 2018. In this Article, we’ll cover the basic scope, risks, and risk mitigation measures companies need to be aware of.</p>
<p>The post <a href="https://certaince.com/en/the-chinese-cybersecurity-law-and-how-it-may-affect-your-operations/">The Chinese Cybersecurity Law and digital marketing</a> appeared first on <a href="https://certaince.com/en/">CERTAINCE</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong><em>Disclaimer</em></strong><em>: </em>This article should not be seen as legal advice. We strongly recommend seeking legal advice on applying the regulations to your specific circumstances, and disclaim any liability in connection with the use of this guide.</p>



<p>To protect personal information and privacy, the Chinese Communist Party issued the Personal Information Protection Law (PIPL) on August 20, 2021. It complements the Cybersecurity Law (CSL) and the Data Security Law (DSL), which came into effect in 2017 and 2021, respectively. While China has been drafting a series of other related implementation regulations and national standards, these three are considered the cornerstones of the overall data protection and cybersecurity legal regime in China.</p>



<p>The requirements regarding personal data collection are surprisingly similar to the European Data Protection Regulation. Any company serious about the Chinese market should take these regulations seriously and consider them part of the investment needed to succeed in China, along with a physical and legal presence. In this article, we’ll cover the basic scope, risks, and risk mitigation measures companies need to be aware of.</p>



<p>For sales and marketing, the main principles can be summarized as follows:</p>



<ol type="1">
<li>Personal data must be stored in Mainland China; transfers abroad must obey strict rules</li>



<li>Data collection must be limited in scope and lifespan, and requires explicit user consent</li>



<li>Data protection measures must be put into place</li>
</ol>



<p><strong>Affected Companies &amp; Data</strong></p>



<p>Like the European Data Protection Regulation (GDPR), the law defines personal data as any data that enables the identification of a person, either on its own or in combination with other data. Examples include name, identification number, birth date, email address, phone number, or IP address. This affects most digital sales and marketing tools, e.g.:</p>



<ul>
<li>Marketing automation tools, e.g. for sending email and SMS campaigns</li>



<li>Login and registration areas on your website (e.g. member/client areas)</li>



<li>Contact forms</li>



<li>CRM systems, e.g. Salesforce</li>



<li>Electronic payments</li>



<li>Ecommerce: order management, shipping and handling</li>



<li>Reservation Systems for event bookings</li>



<li>Online customer service tools</li>



<li>Any online membership database</li>



<li>Web analytics tools that detect personal data such as IP addresses</li>
</ul>



<p>Similar to the GDPR, the CSL distinguishes between two kinds of data processors: Critical Information Infrastructure Operators (CIIOs) and Network Operators (NOs). CIIOs are organisations that</p>



<ul>
<li>Belong to strategic sectors such as energy, finance, etc.</li>



<li>Operate an IT infrastructure platform</li>



<li>Collect and process high data volume (exact values to be defined)</li>



<li>Incur high monetary damages in case of a data breach (exact values to be defined)</li>



<li>Process data on behalf of a CIIO (the same requirements apply)</li>
</ul>



<p>A Network Operator, on the other hand, is any company operating a network of interconnected computers. Most manufacturers and distributors fall under this category. They have to follow less strict requirements regarding data collection, security, and usage.</p>



<p>Without differentiating between the &#8216;data controller&#8217; and &#8216;data processor&#8217;, the PIPL instead allocates liability and compliance requirements to a &#8216;personal information handler&#8217;, which refers to any organisation or individual that independently determines the purpose and method of processing in their personal information processing activities. This definition suggests that the term &#8216;personal information handler&#8217; under the PIPL resembles the concept of &#8216;data controller&#8217; under the GDPR. The following article will focus on this type, as it is more relevant to our clients and readers.</p>



<p><strong>Key Risks</strong></p>



<p>Companies that break the new law despite initial warnings may face various penalties:</p>



<ol type="1">
<li>Fines and confiscation of illicit gains.</li>



<li>Website and online systems suspension for rectification</li>



<li>Revocation of business licence in China</li>



<li>Detention</li>
</ol>



<p>While the fines are lower than those specified in the GDPR, a website shutdown or business license revocation of course poses major risks. As for the risk of detection, highly visible multinationals are of course most likely to be investigated. SMEs should beware of&nbsp;possible future rewards&nbsp;for whistle-blowers.</p>



<p><strong>Risk Mitigation</strong></p>



<p>Let’s look at the specific requirements under the main principles:</p>



<p><strong>Personal data must be stored in Mainland China; transfers abroad must obey strict rules</strong></p>



<p>Under the PIPL, personal information can only be transferred overseas if the operator meets at least one of the following conditions:</p>



<ol type="1">
<li>having passed the security assessment organised by the national cyberspace authorities;</li>



<li>having undertaken personal information protection certification conducted by professional agencies in accordance with the regulations of the national cyberspace authorities;</li>



<li>having signed a contract with the overseas receiving parties in accordance with the standard contract formulated by the national cyberspace authorities, to stipulate the rights and obligations of the parties, and supervising their personal information processing activities to ensure that the personal information protection levels under the PIPL are met; or</li>



<li>meeting other conditions stipulated by laws, administrative regulations or the national cyberspace authorities.</li>
</ol>



<p>The operator must further take any necessary measures to ensure that the processing of personal information carried out by overseas recipients meets the standards of personal information protection provided in the PIPL. It must also obtain the consent of the data subject, providing the information to be processed, the processing purpose and method, the contact information of the overseas recipient, and how they can exercise their rights against the recipient. Furthermore, cross-border transfer of personal information is also subject to a personal information protection impact assessment.</p>



<p>It is therefore recommended to keep personal data on a locally hosted infrastructure in China, for instance on a local CRM system. Many companies still fail to comply with this regulation, as they use popular cloud services with servers outside China, e.g. Salesforce. To get prepared, multinationals like Apple&nbsp;are already moving their hosting to China.</p>



<p><strong>Data collection must be limited in scope and lifespan, and requires explicit user consent</strong></p>



<p>Consent collection requirements of the new law are very similar to the GDPR. It must be:</p>



<ul>
<li>A “clear affirmative action” taken by the subject (user, customer, employee etc.)</li>



<li>Freely given, not forced</li>



<li>Explicit, specific, informed, and unambiguous</li>



<li>Documented in detail</li>



<li>Easily withdrawn</li>
</ul>



<p>Pre-ticked checkboxes and implicit consent to collect data and to send marketing communications will not be acceptable anymore.</p>



<p>Furthermore, only data that is absolutely needed to realize the business function (e.g. product delivery) may be collected. For complex situations such as personal recommendations, this is tricky to define. In these cases, it’s best to check for each data point whether it was needed for the service at the time it was requested. Whenever the necessity is not clear, it’s better to drop the data point.</p>



<p><strong>Data protection measures must be put into place</strong></p>



<p><strong>Where possible, use data collection and analytics tools that can be self-hosted in the Chinese cloud</strong></p>



<p>Consider hosting all data collection systems in mainland China: establish local instances of your infrastructure. Liaise with all your third-party service providers and make sure all personal data storage and processing is compliant; switch to compliant providers when required. Use an online website IP location tool to identify the hosting location, e.g. <a href="https://www.iplocation.net/">Iplocation</a>. Foreign web analytics vendors (Hotjar, Mixpanel, Google Analytics, etc.), for instance, can be replaced with a self-hosted Matomo on your AWS China Cloud.</p>



<p><strong>Aggregate data for headquarters reporting</strong></p>



<p>If your cloud services (e.g. BI or CRM tools) only collect and receive data aggregates or&nbsp;anonymized&nbsp;information from your Chinese activities, you are likely acting lawfully. Compliance risks start whenever the data contains information that can be directly linked to a specific individual, e.g. an IP address. It is generally recommended to reduce outbound transfers of such data to a minimum. Where needed, outsource the self-assessment to a certified service provider and document the need and level of related risks. Processes implemented in Europe for GDPR are a good baseline.</p>



<p><strong>Avoid collecting data you do not need</strong></p>



<p>Avoid collecting personal data that is not needed for your transactions and for improving your services and campaigns. Also, as long as the anonymization process is irreversible, the data transfer is compliant. For web analytics, avoid cookies that can be attached to a specific individual. In particular, avoid collecting IP addresses. Also avoid sending decipherable email addresses and other personal addresses in links (this is a general best practice that should be followed anyway).</p>



<p><strong>Collect permission for new contacts and gain repermission for existing contacts</strong></p>



<p>Go through all your data collection systems and make sure the user is fully informed on the scope of data collection and usage. Make sure consent is clearly collected, recorded and timestamped; keep screenshots of the consent form. Ask for explicit consent the moment you want to start collecting customer data. Communicate the process clearly and unambiguously, allowing data subjects to opt in or opt out, and to access and control their own data at any time. Inform individuals of the scope of data collection, timeframe, and which parties the data will be shared with.</p>



<p>Neither the law nor the regulations are explicit for any data collected prior to the CSL. But like the GDPR in Europe, we can reasonably assume that the obligations apply retroactively to your existing database. You must then either</p>



<ul>
<li>Delete all pre-existing personal information records, or</li>



<li>Repermit: go back to the individuals whose personal data you have stored, and collect their explicit consent</li>
</ul>



<p>There is plenty of documentation on repermission techniques for email databases in the context of the GDPR.</p>



<p>If you have been binding personally identifiable data to WeChat follower profiles, you can send a broadcast message asking for consent to all of the followers in this situation, just as you would do for email or SMS channels. But with low opening rates on average, we recommend more interactive methods such as automated conversations.</p>



<p>Finally, update your privacy policies to cover all points required by the law.</p>



<p><strong>Make sure data is stored securely</strong></p>



<p>Encrypt all data and use HTTPS for all your web properties and SFTP for file transfers. Set up a backup &amp; system redundancy policy, encrypt backups and “cold store” them (disconnected from any network).</p>



<p>Set up network protection systems (such as firewalls, antivirus software etc.) to protect against the leakage / modification / destruction of data. Keep records of all network accesses (logs) and security incidents. Write down an internal security policy and train the employees accordingly (e.g. password rotation rules). Name an IT security manager in your organization in charge of defining and applying the processes, or outsource security management to a specialized provider.</p>



<p>The best protection is to set up clear, documented processes internally to ensure compliance: risk assessment checklists, training procedures and materials, establishing working groups and so on. These will show good will on your part should a check happen, maximizing your chances to only receive a warning and a rectification order should the authority interpret some of your activities as being in violation of the regulation.</p>



<p>All data must have a precise shelf life, limited to the shortest time needed to realize the purposes it was collected for. After the period has expired, the information shall be deleted or anonymized. We recommend auditing each tool with your marketing, IT, and legal counsel to understand what data is collected and if it’s processed and stored in a compliant way.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://certaince.com/en/the-chinese-cybersecurity-law-and-how-it-may-affect-your-operations/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
	</channel>
</rss>
