I’m Alan Chapell. Over the past 20+ years, I’ve been outside privacy counsel to hundreds of digital media companies. I write a monthly syndicated insights report called The Chapell Regulatory Insider. I’m also a regulatory analyst for The Monopoly Report.

This week, I welcome Ben Isaacson to The Monopoly Report Podcast to discuss California’s data broker registry - and how the definition of data broker is much broader than many in the ads space might think. When everything is an ad network, everyone is a data broker.

Editor’s note: I’m writing this as I fly out to San Francisco for RampUp to talk about privacy within the agentic space (among other topics). Stop by and say hello if you’re out there. And if you can’t make it to San Fran, I hope you make it out to Marketecture Live next week, where I’ll be doing a fireside chat with Commissioner Mark Meador of the U.S. Federal Trade Commission. Get ready: I’ve got a few grenades I’m planning to throw into the room.

What agentic is currently missing

With all the energy around agentic right now, a good deal of the conventional wisdom is that agentic is going to fix a lot of the misaligned incentives and other challenges inherent in the ads space… almost as if by magic. I’m hearing those types of claims from lots of senior leaders in this space, often from people who should know better.

Anyway, the thing that gets me excited about the move to agentic is that it poses a real opportunity to fix some of what’s broken about the ads space. Whether we’re able to get there is an open question, as I sometimes question our collective desire to move beyond some of the endemic opacity and grift.

While I can’t fix everything, I wanted to at least share a vision for addressing some of the open privacy issues. For example, it would be extremely helpful if we could ascertain the following more consistently:

1. Was a privacy policy presented that describes the agreed-upon data use cases?

2. Is the contemplated data flow aligned with the actual data flow?

3. Are consumer choice signals such as the GPC being respected?

4. Is the targeting technique used benign when it comes to privacy and intellectual property rights?

5. Does the ad or data flow trigger some flavor of special treatment (e.g., alcohol, politics) or are known children viewing the ad?

We’ve come a long way over the years. But equally, we need to be able to answer these types of questions more consistently, and much more quickly.

How selecting data vendors works today: whitelisting

Let’s look at data relationships today. In many use cases today, the process is very salesperson driven. Not that this is necessarily a bad thing. Some of my favorite people are data salespeople.

But the process involves a fair amount of work on the front end that is designed to create a whitelist of good data vendors. Don’t get me wrong: That type of approach can be helpful. And it’s far better than where the industry stood just a few years ago.

But if one of the goals of agentic is to increase speed and efficiency, the current process of having a salesperson reach out to you, selling you on the fact that their data is great and assuring you of their vetting process — well, that might not be as efficient. It certainly won’t enable you to swap-out data vendors quickly.

But that process also has what I’ll call a compliance gap. There’s no efficient way to meaningfully vet that your data partners are doing the thing(s) that they say they’re doing.

And if you can’t do that… well, then moving at light speed stops being an advantage. In fact, speed can pose a distinct disadvantage.

And this doesn’t just apply to data vendors. It arguably applies up and down the adtech vendor chain.

Using agentic to know that your data partners are solid

Regardless of whatever agentic framework you’re using, it’s going to be more important than ever to have confidence in the data partners you use, both when evaluating their quality and when vetting them re: privacy compliance.

The agentic ads space will need to be able to make vetting and compliance decisions much more quickly than they are currently being made. As a result, I believe we’ll need a whole boatload of compliance inputs available in real time if we want to have any hope of addressing privacy concerns going forward.

This is just a starting point, but here is my initial list of inputs:

• Self-regulatory status: You may be thinking — wait! Is self-reg still a thing with all these state privacy laws sprouting up, not to mention the GDPR? The short answer is: It can be. And as board chair of the NAI, I have hope that self-reg will be a major input. But in order for that to happen, self-reg needs to step up its game pretty significantly. The self-regulatory codes of 2015 are not going to cut it in the move to agentic.

• Audits and seal programs: Audits and privacy seal programs have historically been viewed suspiciously in the ads space. Sometimes the audit standards used are viewed as toothless (also an endemic criticism of self-reg). Sometimes the only companies willing to undergo the audit are those who have the biggest trust issues. But the biggest issue is that companies don’t want to pay the required costs or undergo the level of scrutiny required. California seems to have solved that problem for us, as these types of audits become hard requirements soon.

• Whitelisting: I’m including this input here because this is the approach that just about everyone currently uses. Also, I don’t think you can fully replace the value of an effective privacy, data governance, and compliance team. So this should remain part of the mix for the foreseeable future. But please understand me: This approach should be your floor, not your ceiling.

• Attestation tools: All credit to Richy Glassberg and his team at SafeGuard Privacy, as his company has taken a leadership position in the ads privacy community. But if the goal here is to design a tool to vet the accuracy of claims being made, providing a restatement of those claims via an attestation platform is only going to take one so far. So, this is another floor that should not be confused as a ceiling.

• Privacy scores: Perhaps the most (at least potentially) efficient tool to vet compliance is to create a privacy rating system. This concept isn’t exactly new. Back in 2009, a former Yahoo! exec named Jim Brock came up with an idea to create a privacy score to rate the various adtech vendors operating at that time. He eventually sold the idea to anti-virus software company AVG. Today, the most closely on point company is Compliant. [Nope - I don’t work with them.] My hope is that at least a few additional direct competitors spring up in that space. Also, if we don’t have transparency in how the privacy scores are compiled and/or if these scores become just another pay to play, they becomes useless pretty quickly.

Are these the right inputs?

If you have thoughts on the above, or if you want to suggest some new ones, please ping me here.

EVENTS

Marketecture Live III

7 Days Until Marketecture Live

The agenda is set, tickets are moving fast, and The Glasshouse is filling up.

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want to tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.