Background on digital privacy rules

You may ask yourself, how did we get here?

Here’s some background on the privacy rules for digital media. Most of these rules can be traced back to 1999 when technology firm and ad network DoubleClick purchased database marketing firm Abacus Direct. Abacus had a large database that included personally identifiable information.  There’s some dispute about what DoubleClick was actually planning to do with the Abacus PII. For the purposes of this analysis, it is less important what DoubleClick was planning. What’s important is what advocates, regulators and press THOUGHT DoubleClick was going to do with the Abacus PII: namely, that DoubleClick was going to merge the ad serving information collected via DoubleClick’s network of sites with the PII collected via Abacus. To put it mildly, advocates and regulators were uncomfortable with this practice. And the fallout to the DoubleClick Abacus merger was so severe that it sent DoubleClick’s stock price tumbling, among other things.

What become known as the DoubleClick Abacus privacy scandal resulted in the Adtech industry creating a set of privacy rules that were mostly focused on the third-party ad network model (i.e., DoubleClick’s network of sites). Thus, our industry created a set of self-regulatory rules around privacy that so severely restricted the merger of ad serving data with PII that it was tantamount to a prohibition.

Networks Vs. Agents

But the PII merger rules were not absolute. For example, email marketing service providers like Cheetahmail have been collecting digital data such as clicks and visits to websites for nearly 20 years. Similarly, website analytics firms like Omniture have routinely merged PII with website surfing data.

So you may ask yourself: why can one type of tech company merge PII with ad serving data, but others may not?

A key distinction was drawn in the very early days of digital media: ESP’s and site analytics companies were the agents of their advertiser and publisher clients – and generally collected information across a single site. In other words, ESP’s and analytics companies for the most part utilized the data they collect only as directed by their clients. Conversely, ad networks leveraged publisher and advertiser data to create interest segments for use on other publisher and advertiser’s sites. By virtue of the fact that they created interest segments across multiple sites for use downstream, the ad network model was subject to a different set of rules than the agent models utilized by ESPs and site analytics firms. The Network/Agent distinction was as much about intellectual property as it was privacy. Nonetheless, this distinction has governed the digital privacy world since the year 2000. 

But here’s the thing. The marketplace was very different back in 2000. Convergence of ad network and service provider platforms, the growth of social networking, onboarding of first-party offline data, not to mention nearly a dozen gigantic entities collecting first party data in a third-party context across a significant portion of the Internet have stretched the digital ad framework circa 2000 almost beyond recognition.

The marketplace has changed: is it time revisit the digital privacy rule set?