On Data Patrol: How Digital Ad Watchdogs Do Their Increasingly Complex Job

Since 2011, the Council of Better Business Bureaus has evaluated dozens of cases of alleged violations of the ad industry's data privacy program, most recently involving well-known consumer brands including Wayfair and Budweiser. As of this month, the enforcement arm of the Digital Advertising Alliance's self-regulatory principles has an even more complex job: ensuring compliance with guidelines for data use by multiple websites and mobile apps as they serve ads to individuals across devices.

"We do a lot of network forensics testing," said Jon Brescia, director of adjudications and technology for the online accountability program run by the DAA. That means regularly monitoring traffic on thousands of websites to determine whether websites and apps honor consumers' opt-out requests, and "to see if the disclosures are up to snuff," said Mr. Brescia, who acts as the legal-minded complement to a computer scientist who does the hands-on tech work from the accountability program's offices in Arlington, Va.

Today's digital ad systems have gravitated towards collecting and employing consumer data across multiple devices, sometimes attaching that disparate information to individuals via various identification methods. The industry's self-regulators have tried to keep up. The DAA established its cross-device guidelines in November 2015 in an attempt to keep the industry self-regulations in line with how the digital ad industry works currently.

The newest iteration of the DAA's principles, which went into effect Feb. 1, call on companies operating in the digital ad ecosystem to apply consumer opt-outs not only to the browsers or apps where the opt-out choice was made, but to data gathered on those browsers or apps for ad-related use elsewhere, as well as data gathered elsewhere for use on those browsers or devices.

The Data and Marketing Association, formerly the Direct Marketing Association, also monitors for compliance with DAA principles.

In Arlington, the CBBB's accountability team employs specialized hardware and software such as customized web crawlers to monitor as many as 30,000 sites in a given test period. Samples showing data flow associated with web publishers, ad systems and related technologies are extracted and used to build custom profiles to isolate patterns. Those are analyzed to catch outliers -- sites or apps that may not be providing enhanced notification when third party trackers are intercepting data for use in audience retargeting elsewhere, or technologies that have not applied an opt-out across the entire device graph, for example.

Mr. Brescia declined to go into more detail. "We don't like to give away too many of our secrets," he said.

The accountability program staff are dedicated to enforcing the principles established by the DAA, a coalition of the largest ad industry trade groups which launched its privacy program, symbolized by the ubiquitous triangular blue AdChoices icon, in 2010.

If something pops up on their radar, the enforcers discuss if it looks like a case that warrants further review. They also evaluate cases based on consumer complaints.

While government regulators slap fines on companies in violation of privacy rules, the industry-contracted watchdogs at CBBB have a lighter touch. However, not unlike many cases taken up by the Federal Trade Commission, the process involves issuing inquiries to the company in question and working hand-in-hand with the firm to understand how their data systems operate.

The enforcement staff evaluates cases remotely. "We don't send techs in to pull out their servers and keep them in quarantine or something," said Mr. Brescia, adding that the program has only referred a company under investigation to a government agency -- a last resort -- one time. "Our response rates are very, very good," he said.

In their investigation, the accountability team may determine that technologies passing data to third parties covered by the DAA principles are used only for analytics purposes rather than advertising. "We're limited to interest-based advertising in terms of our jurisdiction," said Mr. Brescia.

On Jan. 25, the CBBB accountability team published decisions on three cases related to minor DAA principle infractions related to how first parties -- a catchall usually referring to brands and web publishers -- notify consumers about their interest-based ad-related data practices. The cases involved home goods seller Wayfair, Anheuser-Busch and The American Automobile Association of Northern California, Nevada and Utah. In each case, the organizations operated websites that did not provide the appropriate notifications regarding interest-based advertising enabled through data collection on the sites.

All three companies voluntarily amended the notifications on their websites to comply with the guidelines, and the CBBB thanked each for their cooperation in the investigation process. In the case decisions, all three firms expressed their appreciation for the accountability program and stressed they are now in compliance with the DAA principles.

In one recent formal review document, the accountability team wrote, "We urge industry members to come to us if they need guidance or find that they have a compliance issue rather than waiting for us to bring a compliance action."

Mr. Brescia's group has yet to discover any violations of the new cross-device guidelines, though he said, "We are actively looking."