The Privacy Apocalypse, Where To Go From Here?
Jason Katz • May 20, 2021 • MarTech & Personalization, Revenue Operations, Paid Advertising & Digital Marketing
Apple and Google have recently announced fundamental changes to the way Ad Tech works that could have an impact well beyond billions, maybe trillions of dollars, maybe more. The timing coincides with a movement of increased consumer data privacy legislation and dominance by Big Tech aka Facebook, Apple, Microsoft, Tesla, Amazon, Netflix, and Google (“FAMTANG”). While the government usually intervenes at times like this, there is a massive knowledge gap whereby they are currently unable to do so. Furthermore, the intellectual property - technology & processes - needed to govern this situation hasn’t been developed yet. There is unprecedented (& fascinating) innovation going on right now as we speak that goes well beyond Apple and Google to address this situation. With so much at stake, it’s critical to understand what identity technically is, how we got into this situation, the details of what’s at stake for whom, where we go from here, and who chooses. Why? Because our livelihoods, investments, and society all depend on it. Like voting, we’ll each play a role and exert some influence. Take a read. Consider all that’s going on. I hope this helps you decide how you’ll participate in this historic era that continues to unfold.
Identity Revealed
All The Identifiers
Our digital existence spans websites, devices, and internet connections with IDs for every single one.
Source: Cookie Types (Digital.com WhoIsHostingThis), # of Websites, IP Addresses, User Agent, Device IDs (Adobe), Device IDs Cont. Advertising Identifiers, Mobile Device Identifiers
Device Graphs
With 4.66 billion internet users and an average 100 sites visited and 7 devices used, there are trillions of identifiers tracked back to individual users via device graphs. Companies like Tapad, LiveRamp, Lotame, Amperity, Drawbridge, Adbrain and Screen6 offer open device graph usage across a large vendor ecosystem. Big Tech players Google, Facebook, and Amazon offer closed device graph usage exclusively within their own platforms. Hybrids are Salesforce and Adobe which offer both open and closed device graph usage. The mastery of these identifiers, stitched together into device graphs is revealing a granular understanding of every user’s digital existence.
Source: Internet Users, Sites Per User, Devices Per User, Total Devices
All Our Behavior
Every aspect of an individual’s behavior is being recorded and used extensively. Companies offer this data openly for use across a large vendor ecosystem such as financial transactions tracked by debit and credit card networks like Mastercard & Visa as well as credit transactions are tracked by credit bureaus such as Experian & Equifax. Companies offer this data exclusively within their own platforms such as Amazon Alexa, Google Home, Apple iOS, Google Android, and Smart TVs are recording unstructured audio conversations 365/24/7, Google and Microsoft are recording written conversations 365/24/7. And sensors are becoming increasingly prevalent for moisture, ambient light, seismic activity, radiation, wind, temperature, air quality, audio, and high-def video. The availability and mastery of this data is literally revealing every internet user’s entire existence including the most personal details (do you have your phone with you during a therapy session or argument with your significant other?).
How Did We Get Here?
Author/Writer Visionaries
Artists predicted the privacy apocalypse a long time ago. On June 8, 1949 George Orwell published dystopian social science fiction “1984” novel which showcased mass surveillance in a totalitarian regime with repressive regimentation of personas and behaviors in society. On October 8, 1993 Silver Pictures released “Demolition Man” film written by Peter Lenkov, directed by Marco Brambilla, and produced by Joel Silver which showcased a “nonviolent” future society and some say makes allusions to Aldous Huxley’s 1932 dystopian novel “Brave New World”. Dystopian entertainment is proliferating across platforms such as Netflix, AmazonPrime, and Hulu on a parallel path of data proliferation which isn’t a coincidence.
VC/PE Funded Digital Services
Digital platforms are growing exponentially. Ecommerce as a % of retail sales is skyrocketing. (Bond Capital)
Freemium products are scaling rapidly (Bond Capital).
The digital economy was worth $11.5 trillion or 15.5% of global GDP according to Huawei in 2017 and is not slowing down. Tech companies were the largest public companies in the US in 2016 and continue to solidify their place (Visual Capitalist). In 2019, 9 of the largest 30 companies or nearly 33% are in the technology sector (Bond Capital).
Despite the pandemic, venture capitalists had a great year continuing on the momentum from over the last decade.
In 2020, venture capitalists invested $148 billion into 10,379 deals in the US, and $300 billion into ~22k deals globally.
120 VC-backed IPOs in the US raised $259.8 billion. Many well known names such as Airbnb and Doordash.
And there were 606 VC-backed M&A exits for ~$52 billion (considered a disappointment because of the prior two years - can you believe that?), and 1,527 for $149 billion globally.
Some of the M&A is below with lots in software like Twilio’s acquisition of Segment, Vista Equity Partners of Pipedrive & Gainsight, Adobe of Workfront, and Facebook of Kustomer (Pitchbook). Venture capitalists aren’t slowing down, increasing portfolio size in 2020 (Crunchbase).
Data Engineering Innovation
The rise in digital businesses is accompanied by a substantial data infrastructure. If we look at the top tech companies, they are all driven by data. The user experiences for Facebook feeds, Google search results, Amazon product serving, Microsoft LinkedIn feed, Apple iTunes content serving, Netflix homepage, and Tesla driving operating system are driven by mountains of data and armies of data scientists guiding it. Cultures are built around data and open access thereto within their walled gardens with the strongest mandates as we saw from Amazon. Models span every corner of these companies.
Data collection is used to amplify users’ own patterns and hypertarget ads.
Audio-visual is converted into data as well. Even clinical health records are converted to data.
Many types of data models are deployed throughout organizations (Snowflake Report).
These data models span many use cases (Algorithmia Report). The number of data scientists is growing in nearly all organizations.
Data infrastructure accompanies this increased use of data. Data footprints span large databases of rich user & content profiles along with streaming pipelines of event data. There were 59 zetabytes or 59 trillion gigabytes or 59,000,000,000,000,000,000,000 bytes in 2020 that are stored in 600 hyperscale data centers (i.e. 5,000 servers) globally (The Conversation). Hosting has moved to the cloud from on-premise for flexibility and scalability. High performance databases house these data assets. Customer data platforms unify data from disparate sources into single profiles. Models are applied to the data. These data assets accumulate as product adoption accelerates and data organizations build there upon.
Data is growing rapidly more generally and in big-tech like amazon.
Cloud deployment is growing rapidly.
In fact, all parts of data infrastructure are growing rapidly (Snowflake Report).
And companies are using this data infrastructure to improve all parts of their businesses, online & offline.
Who Cares? What’s At Stake?
Cross-Entity User Experience (“UX”)
Major life milestones like buying a home or car, applying for credit cards, or a hybrid of the two like buying a Peloton with financing, all rely on credit checks with bureaus like Experian, Equifax, and Transunion who are brokers of nearly everyone’s data. Nearly all business commercialization, sales & business development, rely on business and credit checks with entities like Dunn & Bradstreet. Users don’t opt in but they also receive a benefit when approved (and the opposite when they’re not).
Loyalty programs like travel (e.g. Delta Skymiles), lodging (e.g. Marriott Starwood Bonvoy), retail (e.g. REI Co-op), and restaurants (e.g.Sweetgreen) partner with payment platforms like American Express, Chase, US Bank, and Levelup respectively to enable customers to earn more points toward rewards.
When a patient is treated in a hospital, his or her health record resides in an EHR system like EPIC. This record is used by nurses, surgeons, internal medicine, specialists, anesthesiologists, laboratories, pharmacies, physical therapists, and insurance companies to coordinate treatment and payment.
Revenue
98.5% of Facebook’s $71 billion in revenue is from Facebook Ads. 83.3% of Google’s $162 billion in revenue is from Google Ads (Visual Capitalist).
It keeps growing every year.
Verizon Media was purchased by private equity firm Apollo for $5 billion (AdExchanger). Ad Tech valuations are high again (AdExchanger). There are now over 600 technology unicorn companies (CB Insights).
And consumers don’t earn anything from advertising revenue or startup exits. Furthermore, when Credit Bureaus, Dunn & Bradstreet, and Mastercard from above sell data to power advertising, customers don’t earn anything either. The only “benefit” is ad relevance.
Growth
In 2015, Facebook had 2 million advertisers and Google had 4 million (Macquarie Research). In Feb 2019, Facebook had 7 million advertisers (Facebook). In 2020, Facebook and Google ad revenue was $233 billion. Paid advertising is used by corporations, tech startups, and small businesses because it’s accessible to budgets of all sizes and effective. Google investments in different account management treatments for each customer segment based on current and potential future ad spend. Services like SimilarWeb and SEMRush enable competitive intelligence on paid advertising because it’s so prevalent.
Power
Big Tech is growing fast (No Mercy / No Malice). Not everyone is thrilled (Time).
US Tech now surpassed 12 million workers, more than 10% of the nation’s economy (CompTIA). And it’s not slowing down (Max Marmer).
Big Tech is growing so fast that it is larger than entire countries (howmuch.net).
Countries are trying to take power back on behalf of consumers with legislation like the Consumer Financial Protection Bureau (“CFPB”), the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The former was precipitated by the financial collapse of 2008 and the latter by actual consumer Professor David Carroll featured in The Great Hack.
And some countries are just trying to back power by any means necessary including cyber warfare that is in the press regularly by China and Russia including the 2016 US election.
Investors
Retail and institutional investors care a great deal about privacy because many have made a fortune riding the waves of companies who are using data to its fullest. Scott Galloway can be like Jekyll & Hyde when it comes to Big Tech because he will be their biggest critic when it comes to market power but then also talk about how his holdings in Big Tech have appreciated so significantly.
Exposure
When considering UX, Revenue, Growth, Power, and Investors, we have spent little time talking about the consumer whose data is at the core of ALL of this. They have the most at stake and collect the least in terms of financial return. There were nearly 4k data breaches in 2020 including 280 million Microsoft records (Varonis).
Where Do We Go From Here?
Big Moves from Across the Ecosystem
Privacy “leadership” is commercial and follows the marketplace whether it be a widespread issue or whistleblowing consumer’s lead.
As data security breaches increased, adoption of certifications from organizations like the International Organization for Standardization (“ISO”) Information Security Management and the American Institute of CPAs (“AICPA”) System and Organizational Controls (“SOC”) and the protections they require grew dramatically. The FTC released guidance on data breach responses and legislation followed in ALL 50 states so companies learned to care about ISO/SOC.
After a sequence of events including the Cambridge Analytica and the 2016 US elections, some of the most substantial privacy legislation in GDPR and CCPA legislation was passed. After long periods of notification, education, and preparation, stakeholders from across the data ecosystem have adjusted their infrastructure and processes to accommodate. The interpretation and level of compliance varies because of the great cost & impact. It is a complex legal & business hybrid decision.
As the data privacy momentum builds, the largest part of the last mile aka devices manufacturers and search engines have now “proactively” stepped into the spotlight.
Apple announced App Tracking Transparency the requirement for consumers to opt-in to app tracking (i.e. the use of Apple’s IDFA), aggregation and delay of said tracking information via updates to the SKAdnetwork, and no longer passing macOS to the user agent (thanks Simo Ahava for pointing this out. Facebook is the most vocal opposition with its newspaper ad and “keep Facebook free” campaigns as well as an evergreen laundry list of impacts.
Google announced the end of Chrome cookies and similar changes to Android OS similar to Apple iOS. Google will be ending cookies in 2022 through its introducing Federated Learning of Cohorts (“FLoC”) to replace third party cookies and First Locally-Executed Decision over Groups Experiment (“FLEDGE”) to replace first party cookies (Ignite Visibility). There is an official whitepaper and GitHub folder on it; the basics is that Google will allow targeting based on cohorts of 1,000 instead of 1 as done presently via cookies. They will also be aggregating and delaying tracking information and hiding IP info (Google). An interesting concern is the ability to join other identifiers with FLoC to reveal more information (Electronic Frontier Foundation, Search Engine Land, Forbes).
There is news about similar changes with its AAID to Apple’s IDFA (AdExchanger). There is news about no longer supporting the user agent (InfoQ). And there is news about requiring privacy info in app store listing (The Verge). Duck Duck Go unsurprisingly set FLoC as default opt-in required but bigger news is that Wordpress has expressed intention to do the same.
Big Tech has taken additional “proactive” measures such as screen time monitoring and control.
Announced as consumer-friendly measures, these measures are in the best interest of Big Tech, protecting their dominance of devices, screen time, data, and attention in their walled gardens. Constructing privacy “protections” so nobody can access Big Tech’s first party data is entrenching their leadership positions whilst both are the result of questionable or lack of consumer consent.
There is also investment in technology to govern Ad Tech. While ad fraud was already a huge issue on all platforms including Big Tech, it got even bigger with a lower presence of identifiers so companies like Signifyd and DoubleVerify got increased funding to build out their solutions. Privacy Tech is growing rapidly to help manage the complexity (OneTrust 2021 Report).
Organizations have been ramping up investment in first party data with email capture and login creation around homegrown platforms supplemented by the booming customer data platform market. Second party data sharing agreements have ramped up with marketplaces. Taking this to the next level, Ad Tech has been working on shared IDs to enable alternatives to Big Tech which just got a lot more serious with the recent announcements from Big Tech. Trade Desk has Unified ID 2.0 which brings together Ad Tech heavy hitters such as Tapad, Foursquare, Xandr, OpenX, SpotX, Comscore, BidSwitch, The Washington Post, Los Angeles Times, AMC, and the list keeps growing with Oracle recently joining and interoperability partners like Neustar and Publicis Group’s Epsilon. Most other collaborative efforts such as Advertising ID Consortium and IAB’s DigiTrustID seem to have consolidated to Unified ID 2.0 (ClearCode). Even Google has acknowledged the power of this movement with its coopetition move to integrate with these IDs via its Publisher Provider Identifier (“PPID”) in Google Ads. OpenAP unveiled the OpenID for linear and digital TV audiences. Better late than never, now that the use of third party identifiers will be limited and the customer data platform (“CDP”) is booming, Adobe is finally investing in its own CDP. Mega data providers like Mastercard are making moves in the identity space too with its acquisition of Ekata for $850 million.
As you see, brilliant players from the Ad Tech space inside & outside Big Tech will find a way to target individual or cohort Personally Identifiable Information (“PII”) identification using the massive Ad Tech ecosystem that has been built over the last several decades.
Moving Beyond “PII”
Contextual players are making big moves because they bypass identifiers. GumGum which use contextual targeting using image & video recognition (i.e. computer vision) raised $75 million (PR Newswire). Ogury which uses a multifaceted contextual targeting approach is exploring listing options as it prepares for global expansion plans. These contextual approaches will become richer over time, as technology allows more contexts to be recognized & stored, second party contextual data sharing takes place, and merged with first party data to the point where the lines of PII vs Non-PII based identification will get blurred.
There are a myriad of approaches to cookieless technology (e.g. Swaarm, DataTrendz) that have and are emerging rapidly. These present ways to protect PII; however, it does not deal with permissions which have and continue to be questionable. There’s a general disconnect between the knowledge of the power Ad Tech ecosystem users versus the general public whose awareness is being sold through the free market; in order for there to be effective permissions, there needs to be a similar level among consumers which is nearly impossible without major investment in education, by a well capitalized entity like Big Tech, Ad Tech collaboration, and/or the government.
As pushes are made to third world countries to complete internet access coverage, more immersive technology like virtual & augmented reality commercialization increases, increased movement of the offline to online with IoT, data engineering & freemium products continue proliferating, and younger generations grow up, the exponentially larger consumer side of Ad Tech and Data Use will get informed & educated, bringing balance to the equation and the true permissioning will take place that feels more like a presidential election or driver license versus a long contract that either nobody reads, is too complex for anyone but the most seasoned attorneys, or too detailed for any reasonable person to read once let alone thousands of times for every entity it decides to engage with.
Government Regulation Reimagined
As collaborative identifier work like Unified ID 2.0 continues, permission management will become increasingly centralized with more resources available to solve this challenge which has been so poorly addressed. Either the collaborative bodies will create a radically new approach or more likely governments will intervene.
Drivers licenses have an entire infrastructure of public & private sector collaboration. Drivers’ education consists of academic curriculum & testing along with private sector experiential driving schools to ensure individuals can be trusted with the driving responsibility. Adherence to driving laws is enforced by the authorities (i.e. traffic light cameras, police, state troopers, judges) with escalating penalties starting with fines, to license suspensions, to imprisonment. Citizens exercise permissions from opting in to taking drivers’ ed exams, renewing drivers licenses, purchasing vehicle(s) (and types thereof), renting vehicles, paying for different levels of insurance coverage, and deciding whether to drive in different countries. Insurance companies provide an important component of safety and coverage because of the inevitable issues that arise, the ones that inflict damage on people & property.
This system is a public/private collaboration. Ad Tech and Data Use is heavy on the private component and extremely light on the public side. When the government inevitably intervenes on behalf of the people, imagine a multifaceted approach to support more informed and engaged consumer involvement. This could be incredibly unproductive because of the knowledge gap in government; however, fear can’t guide these efforts. This knowledge gap must be addressed first at the government level and then at the consumer level.
Because of data use, a system for adults isn’t sufficient. Similar to healthcare, social services, and education, parents/guardians must be factored in to address the protection of children’s data. Because children use screens, we’ll also need an innovative approach that goes well beyond Children's Online Privacy Protection Act (“COPPA”) law which is also incomplete and ineffective. Who hasn’t cringed when an inappropriate TV commercial is played when your kids are watching with you. Natural language processing used by all device companies so recognizing the pitch in their voices with a common open source standard isn’t technically difficult; however, it is practically an act of great difficulty because of the knowledge gap in government and lack public/private collaboration in this space.
Data privacy, digital trade, and national security are increasingly intertwined. Global agreements - EU-US Privacy Shield, US-Mexico-Canada Agreement, and US-Japan Digital Trade Agreement - are facilitating digital commerce and the corresponding data transfers that are secure. The Consumer Privacy Bill of Rights was set forth in 2012 as a framework for legislation but never enacted. The Consumer Data & Privacy Act was set forth in 2019 (Senator Moran). The Information Transparency and Personal Data Control Act (“ITPDCA”) was set forth in 2021 by Representative DelBene. As discussed, consumer consent remains elusive per all the points re consumer education re how Ad Tech and Data really works.
The blocked Tik Tok sale highlighted another challenge of cross-border data hosting, access, and ownership especially where country relationships aren’t as strong and/or aligned. This is especially challenging since American Big Tech Amazon Web Services (“AWS”), Google Cloud, and Microsoft Azure have dominant positions.
The government is already talking about hundreds of billions in investments to bolster the US against global cyberwarfare with programs like the Cyberspace Solarium Commission. This stream of thought needs to carry over just a little bit more to ignite education initiatives to close the knowledge gap in government and then consumers.
There are also interesting ideas like Big Tech paying consumers a dividend for using their data. There’s the Data Dividend Project founded by politician Andrew Yang and an interesting analysis by Forbes:
How Much Should I Be Paid For My Data?
What if Facebook was an equitable business partner that shared half of its profit with those of us who actually provide the data that makes its business model run? Using my math (which is, again, open to debate), the average Facebook user would earn $10.77 per quarter. But, what if you are a more active user than average? Twice as active? Five times as active? Out of curiosity, I broke the numbers down below.
Half as active: $5.38.
Twice as active: $21.53.
Five times as active: $53.83.
Ten times as active: $107.67.
Because of the enormous difficulty and resources needed, this cannot be a state led initiative as is the current trajectory with the CCPA. The inefficiency of the insurance model cannot be followed as it’s too expensive and slow (corresponding to high profits and even higher customer frustration) with a unique body of law for each of the 50 states that must be navigated to launch new & modified products. And the speed of technological and data innovation is too fast. The model from other government regulated industries like health data, genetic information, student records, and financial information also aren’t sufficient. Many don’t think it is possible because it won’t stop the “surveillance” economy (iapp) and some countries like China advocate how AI innovation will push surveillance to new heights (The Atlantic). When data engineers describe collaboration in building stable infrastructure like with Apache Projects, even they describe the speed challenge. When technologists collaborate to overcome algorithm bias, they understand that it’s not enough to just talk it out, nor just to write it out, but also to then code it out ethically (AI4Good).
We need innovation in government, collaboration, and AI coding policy to even have a chance to keep up.
Who Chooses?
The modern political economy is an organic process, orchestrated by brilliant thinkers, well-capitalized companies, brave consumers, and global governmental bodies.
There are people who think the status quo is fine. There are people who think we aren’t going fast enough, that any third party individual or cohort tracking for ads is unacceptable. And the perception changes by case, state, country, and region.
Should we regulate? If yes, how? The US, EU, India, or Chinese model?
Innovation has contributed to immense progress and this immense mess. Innovation is a critical component of what will get us out of this mess too.
Everyone has their own point of view. This is a framework for approaching this challenge. Now let’s decide how to move forward.
