Is data privacy regulation sparking an 'ad tech tax?'
The distance an ad dollar travels will become shorter as marketers begin to pay for technology to help them comply with emerging data-privacy regulations.
“It’s almost like another ad tech tax,” says Richy Glassberg, co-founder of the Interactive Advertising Bureau and co-founder and CEO of SafeGuard Privacy, which offers tools for data privacy compliance. “You have to buy, build and spend money with these companies [that sell the software] to comply with the privacy regulations. It is another cost and another expense for the industry.” (Though Glassberg sells his own such software, he says he bundles services to drive down cost.)
The price for adopting privacy management platforms varies. Some companies, for example, will offer software that tackles every aspect of compliance for about $20,000 to $30,000 per year.
Others, however, will charge $600 per month, per product to smaller brands, and there are eight different products offered by most privacy compliance providers.
The $600 figure balloons to $7,200 per month, per product, when holding companies or large agencies adopt the solutions. Other companies base pricing on volume, similar to CPM, or cost per thousand impressions.
Penalties for noncompliance can be even more costly.
“The fines are tremendous,” says Glassberg. “They can be up to 4 percent of global revenue in Europe. In California, if you intentionally fail to comply with the law, it’s $7,500 per person, per event.”
And it can escalate from there. “If you are a brand and buy an ad from a famous publisher and do 25 million impressions, and you buy location in California and that location company didn’t get the right consent, well, that means you just violated CCPA [California’s Consumer Privacy Act] 25 million times,” Glassberg says. “Now multiply that by $7,500.”
Data privacy companies can help clients train staff on the new regulations, manage consumer requests and produce compliance documents, among other tasks.
Not all platforms do the same thing. Some only tackle areas such as consent, while others provide data mapping, showing the third parties a company works with for its website. A brand might have to work with multiple vendors to achieve compliance.
How regulation happened
Data privacy regulations come in response to an industry with few restrictions on how it collects data and targets consumers online. Companies can locate consumers when they walk past a public Wi-Fi spot, track the websites they visit and capture transactional data from online or in-store purchases.
Such practices were ignored for years. Then Equifax announced a breach exposing the personal data of 147 million people in 2017, and Cambridge Analytica was caught in 2018 using the personal data from millions of Facebook profiles for political advertising. These watershed events prompted American lawmakers from both sides of the political aisle, as well as consumers, to look under the hood and examine how companies collect and use personal data.
“The proliferation of large-scale data breaches and public news stories about how information is being shared and used with vendors has really shifted this market with legislators who now realize they must do something,” says Michael Lin, senior VP of product at TrustArc, a company that provides digital privacy compliance tools and consulting services. “A new paradigm is being introduced that people should own their own data, and that was led mostly by Europe.”
The shift has led to an increase in the number of companies offering privacy management services, from 75 in 2017—a year before the European Union’s General Data Protection Regulation (GDPR) went into effect—to more than 275 this year, according to The International Association of Privacy Professionals. That number is expected to rise due to U.S. privacy regulations, especially CCPA, which will take effect in 2020, the IAPP says.
“Many privacy management platforms are focused on compliance with various global legislations, specifically in consent information reporting and compliance workflow configurations,” says Jason Patel, chief technology officer at Ensighten, a privacy management platform.
Brands face hurdles
There is no single global privacy legislation. Companies must instead deal with a collection of different laws and interpretations. GDPR, for example, covers 28 separate countries, but each might impose different requirements in identical parts of the law.
When CCPA takes effect, brands can collect personal data for loyalty programs as long as “reasonable” value is being provided. But the definition of “reasonable” is unclear. Airlines and retailers are unsure whether their reward programs qualify.
At the same time, other states are adopting their own version of CCPA. Ultimately, companies might have to be in compliance with 52 different privacy laws, including Washington, D.C., and Puerto Rico, in the U.S.
While privacy compliance has historically been left to lawyers, chief marketing officers are also now starting to pay attention. “The question for a CMO is ‘How do I become compliant and still do all the things I need to market?’” says Lin.