Insights from IAB Tech Lab Privacy Event

By Alex Roucourt, ThinkMedium Client Advisor

I recently had the pleasure to attend the IAB Tech Lab Rearc: Build for Privacy event, where a group of industry professionals gathered in San Francisco to discuss challenges and review solutions to keep advertising spend-effective, without being trust-defective. IAB Tech Lab has been running industry working groups to develop and promote data privacy and interoperability-focused standards and solutions for several years, starting under the leadership of ThinkMedium‘s Dennis Buchheim.

On the menu of a jam-packed day, the focus was on:

1. privacy-preserving solutions serving various advertising use cases; 
2. the latest regulatory/platform trends and industry standardization efforts; 
3. all manner of technology vendors, brands, agencies and platforms with their POV and concrete applications; and 
4. how to ensure interoperability across all constituents – a noble, if ambitious, mission. 

If you join any advertising tech event these days, you will likely hear one of the following phrases: “data clean rooms” or “privacy regulations”. In fact, you’ll probably hear both. This encapsulates a key industry challenge: as we wind down 2023, there is a well-documented and increasing body of consumer privacy laws and platform policies governing our industry. In parallel, numerous technologies and techniques fostering better data privacy exist and have demonstrated utility, some already in active use. 

It’s our collective level of urgency building for a predictable, privacy-oriented future with the tools we have that is still lackluster. Many are largely ignoring making foundational changes (or are unaware), while others are starting to understand the scope of changes to advertising infrastructure that will be required. Some who are aware are effectively patching existing solutions. But why fix a leak with tape, if you can replace the pipe? Why build for next quarter, if there are tools and partners that can help you build for 3 years from now, as recommended by Alysa Hutnik of law firm Kelley, Drye & Warren? (Always listen to your lawyer, especially these days.)

After glancing at the agenda, a quick chat with industry veterans about to speak on stage, and reflecting on my 10+ years in ad tech – especially since 2018 with GDPR, then 2021 with Apple iOS14, I had my expectations set:

1. There will be many questions and some partial answers,
2. There will be some well-rehearsed salesmanship, 
3. There will be many AI integrations,
4. It will never be boring!

Time to grab a cup of coffee… or something stronger.

Reflecting on my notes, several highlights come to mind. First, there was no groundbreaking technology or regulatory revelation at the event. Most of the sessions, for instance the one covering Google’s rollout of PAIR (Publisher Advertiser Identity Reconciliation) included some interesting publisher adoption insights and were continuations of topics, standards and solutions that have emerged in the last few years.

That said, by now, some of these solutions are starting to reach a more mature stage, gaining traction with key ecosystem partners and expanding the scope of use cases they enable. Take data clean rooms. By now, their potential for delivering measurement utility is relatively well established, partial interoperability across certain vendors and clean rooms exists, and the ecosystem seems to now be moving on to tackling more complex audience activation and data partnerships use cases via clean rooms (and the significant privacy guarantees they require). Note, however, that clean rooms are still only as “clean” as their supporting privacy-enhancing technologies and practices.

Talking about privacy-enhancing technologies (PETs), specific PETs are getting more consistently cited and implemented by various players, which are now trying to convert new practitioners who might still find their mathematical foundations daunting: Differential Privacy to inject randomized noise into sensitive data sets to preserve anonymity, Multi-Party Computation to join data for insights without revealing underlying user information. Are we somehow reaching PETs standardization? Not quite, but getting closer. Cue the idea of PETs as “Partnership-Enhancing Technologies” (credit: Lauren Kaufman from Habu), which the partnership guy in me had to nod to.

It’s not all rosy however, to the surprise of no-one in ad tech these days. Take the important case of fraud solutions and the detection mechanisms that underpin them. If platforms and regulators march on to fully curb IP as an identity signal (we are on this path already), a critical data point in the type of advanced pattern analysis fraud detection requires to catch criminals, it’s very likely that effectiveness at catching fraudsters will nosedive. A paradox in data privacy: removing too many signals might end up harming consumers. Are regulators and platforms willing to allow policy carve-outs to keep these solutions functional? Time, but also hopefully common sense, will tell.

On a positive note, there is no denying that the industry knows it needs better interoperability to thrive. Consider audience activation, in what is now de facto a globally-regulated ecosystem, as pointed out by IAB’s CEO David Cohen: in a world where traditional identity signals are no longer available – whether cookies, MAIDs, IPs – and platforms operate in silos, there’s a growing trend toward direct integrations. A more collaborative approach to ensure data transitions smoothly and securely between platforms could involve on-device capabilities and better compatibility across different vendors. Significant work is needed on this front – or complexity and handoffs could result in bigger privacy and security issues than in today’s ecosystem.

Now, this couldn’t be a privacy-focused piece without some more pressing legal considerations. With the recent adoption of DPDPA, India’s GDPR-style consumer privacy law, more strategic and high-growth international markets are rolling out new impactful data regulations. It’s becoming increasingly compelling to adopt privacy-by-design as a result, as opposed to an ever more costly piecemeal regional approach. Further adding to this overall theme, the recently-signed Delete Act amends CCPA with consumer data deletion requirements that are more blunt than in GDPR – a challenging piece of architecture to implement for many technology companies before the first January 1, 2026 verification milestone.

Finally, there is AI. And guess what: AI is not immune to data privacy considerations. One of the newer solutions covered at the event, Skyflow, showcased a data vault designed to handle the intricacies of protecting consumer privacy in AI. One of the key challenges with AI, more specifically Large Language Models (LLMs) that allow communicating with it, is deleting learned information from said models, as they cannot easily “unlearn” potentially sensitive or copyrighted training data. Isolating models to add security is generally impractical, because costly. So Skyflow’s solution proposes the concept of “PII Vault” to encrypt data with deterministic tokens – upstream of model training. Generally makes sense to me, interesting to see if this evolves into a full-fledged new vendor category in coming years, as advertisers try to embrace AI without creating new liability risks.

As final remarks concluded, I was generally left with the sentiment that although privacy in advertising still has a long way to go in adopting generalized standards and consistently deploying durable solutions as opposed to continuing to patch holes, there is a noticeable evolution in the field – technologies getting closer to maturity and major companies demonstrating their commitment to building and adopting new architectures. If you’re not yet exploring what all these shifts and solutions mean for your business – and explicitly shifting resources from legacy solutions and practices towards what you will need 3 years from now (or even 1 year from now!) – the time to start is now.