Conversations with CROs and high-level VPs at publishers tend to go like this:
Me: So you're taking insertion orders from agencies with their own DSPs...
Me: And they're buying targeted inventory from you, based on data you've collected from your users...
Me: So they can go ahead and retarget those users and reach them more cost-effectively in other environments, then.
CRO: Right again.
Me: So why are you taking insertion orders from them?
It's still questionable as to who "owns" the data that's used to target ads. But we can't continue to dance around that question. Publishers make investments in content and tools that result in site-based user profiles that make a tremendous difference with respect to an advertiser's ability to reach the right target audience. In many cases, these data points are simply leaking away to agencies, networks, and DSPs, keeping the publisher from adequately monetizing them and hurting their businesses in the long term.
The elephant in the room is that every call to a server that doesn't belong to the publisher, whether it's for an ad, a piece of content, or a 1x1 tracking pixel, is an opportunity for data to leak to an external party.
This is bad for the publisher. That much has been acknowledged. The IAB and the AAAA acknowledged it in their update of Terms and Conditions for media buys:
"Unless authorized by Media Company, Advertiser will not: (A) use Collected data for Repurposing... " sits on Page 10 of the IAB/AAAA 3.0 Terms and Conditions. The definition of "Repurposing" is a bit further up the page:
"'Repurposing' means retargeting a user or appending data to a non-public profile regarding a user for purposes other than the performance of the IO."
So what we have is an agreement on the part of the advertiser to avoid gathering data for these purposes. Here's the problem: The publisher has no way to reliably verify that data points gleaned from buys on their sites aren't being used for retargeting or data-gathering purposes. With the right set of tools, an agency or an advertiser could easily purchase media weight against those profiles on other sites (or even on the original site, if that site allows exchanges to auction off some of their ad inventory). The publisher would likely never know. Even if the publisher somehow found out, the deep forensic analysis required to prove the instance of data leakage is cost-prohibitive in most cases.
Additionally, biting the hand that feeds them isn't a very effective business strategy for most publishers. Calling an agency or advertiser out on bad data practices isn't very productive, especially when it's very difficult to prove.
This handshake agreement between publisher and advertiser (or agency) is ripe for abuse. Simply put, it's not realistic to expect that the bad eggs in the industry will show some restraint in a marketplace where data leakage is commonplace, and where proving that a company collected it and used it when they shouldn't have is exceptionally tough.
Regrettably, the systems that allow for this sort of data leakage are now a part of the infrastructure that allows publishers and agencies to do their jobs efficiently. The obvious solution would be to eliminate external server calls. That would throw the baby out with the bathwater, though, and result in a world where white hat agencies couldn't use tools like third-party ad servers. No third-party ad serving means no consolidated reporting, no creative optimization, and no control over creative rotation from the advertiser side, not to mention no closed-loop reporting for direct response-centric advertisers. Eliminating third-party serving would also mean significant increases in the labor necessary to launch and maintain campaigns, on both the publisher and agency side. We're too far down that path to go back now.
So what's the solution then? Do we build an auditing entity that certifies networks, DSPs, and agency tools in order to prevent the data leakage? Should more publishers follow the leading examples set by Google, Facebook, and a few other select sites and ban third-party serving?
Whatever the solution, we need it very, very soon. Not only do we have the long-term viability of our industry's content publishers to think about, but we also have the Federal Government to think about in the U.S. If we think this data leakage issue will simply go away if we continue to ignore it, we deserve any heavy-handed response we get from the government in order to protect consumers from having their information shared haphazardly.