Gaps remain in industry guidelines for controversial email-based identity tech

The IAB’s Best Practices for User-Enabled Identity Tokens address the use of identifiers, many of which work by transforming identifiable data like email addresses into encrypted ID signals to replace cookie tracking. The proposed guidelines, now open for public comment through May 7, are meant to reduce privacy threats as these technologies are distributed across the digital media supply chain.

“These are working documents and early concepts, and several large pieces of the puzzle are still missing — including the crucial piece of consumer reactions and how willing we will be to provide consent,” said Georgie Haig, product lead of identity at programmatic marketing agency MiQ.

When presenting the proposal on March 9 — part of a package of technical standards for privacy, accountability and taxonomy for contextual advertising — IAB Tech Lab CEO Dennis Buchheim said, “We need to create and present options to consumers for privacy and personalization.”

The identity token best practices state that first parties — typically website publishers — that gather email addresses and other personal information to build identifiers must provide people with “transparency and control subject to the relevant legal requirements in the applicable jurisdiction.”

However, they do not provide guidance for how that transparency and control should be made accessible to site visitors beyond stating that the controls “need to conform to the requisite consumer transparency and control features defined by local law and policy interpretation.” That lack of guidance risks creating a situation in which compliance measures vary, with some companies taking such lax approaches that consumer advocates criticize the advertising industry for an overall lack of compliance and government regulators decide to impose stricter requirements.

Rather than forcing the industry in a specific direction, said Mathieu Roche, CEO of identity tech firm ID5, as an industry body, “[the IAB’s] job is say this is the minimum threshold we should hit.” He added, “Transparency and consent haven’t been front of mind for the industry for the last 10 or 15 years.”

The legal landscape around privacy and data is becoming more restrictive as new state laws come on the books in California, Virginia and elsewhere in the U.S. Both California’s updated privacy law and new legislation passed in Virginia give people the right to opt-out of the sharing of their personal information for the purpose of cross-context behavioral advertising.

And as pressure for comprehensive federal privacy legislation mounts — even from the IAB itself — signs indicate that today’s identity tech approaches may not pass muster with regulators. Already these email-based identifiers got the cold shoulder from IAB member Google, which noted in a March 3 blog post that identifiers using PII graphs based on people’s email addresses won’t meet rising consumer privacy expectations or regulatory restrictions.

When companies do address user consent, many identity tech providers and publishers that use these technologies consider the fact that someone has provided an email address in exchange for content to be a form of consent for using that email to create an identifier to track them. And publishers’ privacy policies rarely mention by name the companies, such as identity tech providers like ID5, The Trade Desk or others, with which publishers share people’s information.

Industry needs consumer engagement framework
Today’s approaches to consent for use of emails or other login information to enable identification of users is a “slippery [slope],” said one digital agency executive who spoke on the condition of anonymity with Digiday. “If I have a consent banner on NYTimes[.com] to set a first-party cookie, what they choose to do with it and how to integrate it is up to them,” said this person.

The agency executive added that when they explain these technologies to new hires they tell them that people’s attitudes have changed around the need for more explicit consent. Merely presenting information about identifiers in a privacy policy might not be enough, the agency executive said. “That ship has sailed.”

“We look at this as establishing the baseline,” said Travis Clinger, svp and head of addressability and ecosystem at identity tech provider LiveRamp of the IAB Tech Lab’s identity token best practices.

LiveRamp helped draft the best practices along with nearly 300 people from ad tech firms, ad agencies, media outlets and other identity tech providers. “We also need, as an industry, a framework for how to engage with consumers,” he said. LiveRamp requires publishers to name the company in their privacy policies, which is reflected in policies from Newsweek, Salon and iHeartMedia.

Technologist Ashkan Soltani, who helped craft the California Consumer Privacy Act and served in the Division of Privacy and Identity Protection at the Federal Trade Commission, questioned the IAB’s acceptance of email-based identifiers. “IAB’s move to track users via email-derived identifiers seems incredibly tone-deaf in this regulatory climate, particularly as this tracking is even more privacy-invasive than third-party cookies.”

The IAB document does address the need for “technical safeguards that hold industry parties accountable to their preferences, and which allows the actions of 1st and 3rd parties to be reviewable and actionable by consumers.” And it points to a related Accountability Platform proposal for standards for moving user restrictions and preferences along the digital ad supply chain.

Nonetheless, Peter Day, CTO of Quantcast, which offers a consent management service for site logins for identification, said of the IAB’s proposed guidelines — “It would be great to see stronger accountability” for transparency and consent.