User concerns grow globally

Recent research found low trust in AL combined with high support for increased regulation. Trust, Attitudes, and Use of Artificial Intelligence: A Global Study 2025, led by the University of Melbourne in collaboration with KPMG, surveyed over 48,000 people across 47 countries. The study found that most people report using AI regularly. And even more support AI regulations:

• 66% of people use AI regularly, and 83% believe AI will bring significant benefits.
• Despite this, only 46% of people globally report trust in AI systems.
• 70% of respondents support national and international AI regulation.

As international consumers are increasingly relying on AI, they are also expressing increased trepidation over issues of trust and transparency. Tech engagement, while strong across markets, is especially robust in emerging markets such as India, Brazil, and China, according to Kantar Media’s Global Digital Media and Tech Trends Report. The report analyzed data derived from 80,000 respondents in 37 countries. 86% of media users from India answered yes to “I try to keep up with developments in technology” as did 76% of those in China and 73% of those in Brazil – compared to 62% of U.S. respondents.  A large majority of media users in India (78%) agreed with the statement: “Artificial intelligence has had a significant impact on my daily life.” More than half of Brazilians agreed (52%), compared to less than half (46%) of U.S. respondents.

According to the Adobe 2025 Digital Trends Report, key issues around AI adoption include trust and the use of AI include balance, transparency, and data security.  The balance between innovation and trust is an ongoing challenge: both privacy concerns and governance complexities remain significant hurdles. Of the 8,301 consumers surveyed by Adobe, close to half (45%) claim to prioritize visibility and control over their data, while a third (33%) say they demand clarity on how AI is used to generate recommendations. As organizations move beyond pilot programs to scale AI initiatives, they must focus on clear disclosure and ethical AI practices to maintain credibility.

Trust erosion and AI adoption

A recent study by Thales reveals that consumers’ trust in organizations to use their data responsibly in the age of AI is rapidly waning. However, increased regulation alleviated some of the distrust.

• In 2024, 47% of consumers questioned whether companies used AI responsibly. By 2025, this concern rose to 57% – a marked leap in just one year.

• The 2025 global trust index found global trust rates stagnating or declining, with no sector achieving more than 50% “high trust” ratings. However, industries (such as banking and healthcare) and geographies with the most regulations had higher trust rates.

• Trust in news media hit a new low, with news organizations trusted by only 3% of consumers in 2025, a decline from 6% in 2024. Some of this drop was attributed to slackening oversight (particularly from social platforms).

• In contrast, Government services saw improvement, increasing from 37% trust in 2024 to 42% in 2025, an improvement possibly driven by enhanced regulatory frameworks like the EU’s Digital Operational Resilience Act (DORA).

These studies indicate increasing awareness on the part of consumers about the risks inherent in AI technology. This underscores the need for media executives to demonstrate strong governance and proactive leadership.

AI data risk found to be almost universal

Consumer trepidation is far from unfounded. The 2025 State of Data Security Report by Varonis quantifies the data risk entailed by AI usage based on data obtained from 1,000 companies. Findings confirm that AI adoption is leaping ahead of risk mitigation. Among the findings: 99% of organizations have had sensitive data exposed to AI tools.

The report also indicates 88% of organizations evaluated had old but still enabled user accounts, which are potential entry points for attackers. The report also reveals that 90% of the organizations studied have exposed sensitive cloud data, and 98% were found to have employees using unsanctioned apps, including shadow AI. The study underscores an urgent need for stronger data governance frameworks in the age of AI.

As previously reported by DCN, a plan that includes transparency, balance, and education can offset some AI concerns. However, the conundrum remains that while most users claim to want transparency around the use of AI, revealing such origins can undermine trust. In addition to the very real risks of data exposure, AI use by organizations risks turning off consumers who perceive a lack of human connection and oversight. Media Pulse points out that human creator content, even when flawed, feels authentic and drives stronger engagement. Thus, AI tools must always be orchestrated with human creators to maintain community trust.

Global governments differ on AI regulation

The impact of AI adoption and data security concerns will likely spur increased regulation in many locales, so companies will be wise to get ahead of future requirements. The EU Artificial Intelligence Act (AI Act) – the world’s first comprehensive AI regulation – officially went into force in August of 2024. Designed to ensure safe, ethical, and transparent AI development and deployment across the European Union, it requires AI content and deepfakes to be clearly labeled by 2026. Failure to disclose can lead to legal penalties.

Other countries are likely to follow suit as the impact of AI-related data risks become increasingly apparent. Brazil and Peru are currently working on AI governance frameworks based on the EU model. Canada has established the Artificial Intelligence and Data Act (AIDA), which focuses on transparency, accountability, and risk management for AI systems. China’s strict AI regulations include content moderation laws and licensing requirements for AI models. Meanwhile, India is developing a techno-legal approach to AI regulation. The United Kingdom leans towards a more pro-innovation approach, relying on existing regulators rather than creating new AI-specific laws. Australia boasts a comprehensive “AI assurance framework” at federal, state and territory levels.

Meanwhile, AI governance in the U.S. has been fragmented so far, with state-level regulations and sector-specific guidelines. Until 2025, a more nationwide approach to shaping AI governance seemed likely, but recent executive orders have been aimed at repealing AI regulations. As of this writing, The House of Representatives has passed the Budget Reconciliation Bill, which includes a 10-year moratorium on state and local laws regulating the use of AI technologies. This repeal of AI regulations, however, may be the opposite of what the majority of the public wants: More than half of U.S. adults (58%) say they are concerned that government regulation won’t go far enough in managing AI risks. Only 21% fear it will go too far, according to a recent Pew Research poll.

Different attitudes towards AI risks mean that a policy acceptable in one region might not be elsewhere. Media companies operating internationally may have to tailor AI-driven strategies to align with local regulatory expectations. The Global AI Regulation Tracker offers an interactive real-time comparison of how various countries are responding to the explosion of AI use with regulations, laws and policies

Given the research linking increased AI governance with customer confidence, being proactive about AI policy is wise from a customer service perspective. Whether or not their region requires it, media leaders will want to establish clear guidelines for AI use within their organizations to ensure practices that align with user expectations. Regulations aren’t just about compliance; they are about setting standards that align with public trust. Media leaders who responsibly integrate AI can gain a strategic advantage, with ethical AI use as a key differentiator among market competitors.

The post What media leaders need to know about AI risk and regulation appeared first on Digital Content Next.

Since the early days of the Internet, there were hundreds if not thousands of venture-backed companies competing to scoop up as much data as possible about consumers. They would then try to spin those datasets into a compelling product or service usually involving a model that included data-driven advertising. Nowadays, Meta and Google are the most often cited aggressive data collectors. Though arguably that’s because they killed off the competition and strong-armed their way into a dominant market position.

Google’s parent company, Alphabet collects massive amounts of data from Android devices, Google services, and its apps (Search, Maps, Gmail, etc.) and Chrome. It has even delayed killing off third party cookies in Chrome (the last major browser to do so) because it hasn’t developed a good way to maintain its dominant position as collector of consumer data.

Data vacuum meets governance vacuum

Meta set about to hoover up so much consumer data directly or indirectly that it failed to have controls in place around who could collect it or the purposes for which it could be used (see Cambridge Analytica). Another cringey example recently came to light when court documents were unsealed. Lest we think this behavior a thing of the past, Meta was reportedly using Onavo (a VPN it purchased in 2013) as a trojan horse to gather valuable analytics data on Snapchat, Amazon and YouTube. Meta is now being sued for violating wiretapping laws.

While regulators and legislative bodies are working to clean up the debris left in the aftermath of the wild west data industry, the race to compete in the Generative AI market might take data collection to a whole new level, likely with unforeseen and potentially catastrophic results.

Large Language Models (LLMs) need data to get better – lots of it. The hockey stick progress we’ve seen in the last 18 months among generative AI systems is almost completely attributable to the massive increase in datasets upon which the LLMs are trained. The New York Times recently reported on the red hot competition among AI companies to find new data for training with companies scraping any and all content they can get their hands on. And this is taking place with no regard for copyright law, terms of use or consumer privacy laws (and without any respect for consumers’ reasonable expectations of privacy).

That said, as The New York Times’ article also notes, AI systems may exhaust all available data for training by 2026. In the absence of high-quality original data, they might even turn to synthetic data – data that was created by AI systems – for training. Who knows what kind of consequences that could render?

Legal safeguards needed for generative AI

Sure, there are some existing safeguards that could be helpful in setting a more responsible course forward. AI companies have been confronted with numerous legal challenges to their unfettered data collection. These companies face a number of lawsuits around copyright infringement as well. However, these suits could take years to fully play out given the AI companies are well-funded and would likely appeal any setbacks in court.

There are privacy laws on the books that likely impact data collection by AI companies. But those laws exist only in a handful of states and it’s not clear exactly how the law applies since AI companies won’t disclose what and whose data they use for training.

Against this bleak backdrop, there have been some promising recent developments around generative AI governance in Congress. This week, a new bipartisan consumer privacy bill was unveiled. While there are some serious concerns and questions to address in that bill, at least the issue is front and center. At the same time, Members of Congress from both parties appear to be actively and constructively wrestling with how best to regulate the emerging AI industry. In fact, nearly every AI bill that has been introduced is bipartisan in nature.

As the wild west of data collection gets even wilder, it’s clear we need basic rules for AI systems and stronger protections for consumers. Without this, we are likely doomed to repeat the mistakes of the previous data collection bonanza – possibly with far more severe consequences.

The post Let’s not allow AI to be another data disaster appeared first on Digital Content Next.

So, let’s go beyond the acronyms and break down what this means for publishers going forward.

The ruling

First, the basics. The GDPR requires companies to have a valid legal basis tied to a specific purpose before processing any personal data from consumers. The two most popular bases are consent (affirmative and freely given) and legitimate interest (essentially, the benefit to the consumer from the use of their data outweighs the risk). Although it should be noted that Facebook decided to take its own direction by using a contract as its basis, a strategy that is quickly unraveling.

To maintain the free flow of data that currently fuels a wide swath of digital advertising, the IAB created the TCF which allows companies to transfer their legal basis for the data used in the buying and selling of advertising inventory in a real-time bidding format. Under the TCF, a publisher can note whether or not they have a legal basis to process a consumer’s personal data. Then, advertisers and ad tech companies can decide whether to bid on the ability to show an ad to that person.

The Belgian DPA received several complaints, including one from Johnny Ryan at the Irish Council for Civil Liberties, that the IAB’s TCF violated the GDPR. In short, the TCF was criticized for facilitating the widespread dissemination of personal data to the entire industry without any real controls on the access, use or auditing of that data. Specifically, the DPA found that:

1. The TCF and the ad tech companies using the TCF were processing a ton of personal data without any legal basis and certainly beyond any legal basis claimed by the publisher.

2. The IAB failed to properly educate consumers given the complexity of the data processing.

3. The IAB deployed no technical measures to limit unauthorized access to personal data.

4. The IAB was operating as a controller of data and, thus, should have kept a register of activities, appointed a data protection officer and conducted a data protection impact assessment.

The DPA ruled the TCF invalid and fined the IAB 250,000 Euro per day. The IAB is currently appealing in the hopes of making small changes to satisfy regulators. However, many insiders are skeptical that the IAB’s proposals will suffice. The fundamental problem is that the current ad industry is built on the ability to collect and share consumer data at will and at scale. And GDPR enforcers want meaningful change with meaningful protections for consumers. This approach to maintain status quo simply does not satisfy that requirement.

Impact on data-centric ad businesses

Let’s assume that the Belgian and other European regulators win on appeal and the TCF is required to undergo major changes. What does that mean for the ad marketplace, for real time bidding and for publishers?

For starters, ad marketplaces will be required to handle consumer data more carefully. Allowing free-for-all access to consumer personal data by any company that agrees to the terms of service just won’t fly. They may need to deploy technical measures to mask personal data and/or limit access to only those companies with a sound legal basis.

Of course, this could be a problem for some of the IAB’s biggest members and hundreds of ad tech intermediaries, which are dependent upon the ability to profile consumers silently across the web. However, should a more consumer-friendly, less data-invasive approach win out, advertisers will need to learn to rely far less third party data. The certainly won’t want to open themselves up to liability for using illegally-sourced personal data.

Marketplaces and the shifting data market

The second major impact will be on the organizations that run marketplaces. The IAB attempted to craft a framework which would save the status quo of third-party, behaviorally targeted advertising because that is the moneymaker for its biggest members and the sea of intermediaries who mine and resell access to user profile data as a core business model. However, a fine of 250,000 Euro per day is likely too rich even for the dominant platforms.

Going forward, organizations that want to offer automated ad marketplaces will have to institute more controls and assume greater liability. There is a real question as to whether any organization will want to take on that role certainly for the entire industry. It’s far more likely (at least in the short term) that smaller organizations will stand up marketplaces with segments of industry.

CPRA follows suit

Third, the issues at play on the European landscape are likely to play out similarly on the California coastline. California regulators have just recently proposed a set of draft regulations for compliance with the California Privacy Rights Act (CPRA). Starting next year, the collection and use of Californians’ personal data will be regulated in ways that are very similar to European law. Whatever solutions emerge to satisfy European regulators will have a very good chance of satisfying California regulators.

Future focused

Undoubtedly, the IAB faces significant pressure from its most powerful members such as Google and Facebook and the long-tail of adtech solution companies. Given that their businesses have been built on the ability to collect data (even off-platform, when consumers do not expect it), they are deeply invested in finding a way to comply with emerging regulations in a way that ultimately allows them to continue their business more or less as usual. In Europe, their strategy has been to put off any major interruption to their massive data-collection-and-use model for as long as possible.

But these businesses that have dominated the digital advertising market do not represent the only way of doing business. While regulation certainly changes the market, it does not inherently change things for the worse.

In fact, I’ll leave you with a feel-good fact: A revamped and GDPR/CPRA compliant ad marketplace could elevate premium publishers. They enjoy trusted, direct relationships with consumers. Instead of a wild west marketplace where all kinds of actors stake dubious claims of proper legal bases, the premium publishers, which are on far more solid legal ground, would be in a strong position of controlling access to a limited supply of consumers.

The post What the landmark GDPR fine of the IAB signals for the ad industry appeared first on Digital Content Next.

Certainly, when platforms such as Google, Apple, and Facebook address their data practices, it impacts the entire ecosystem. The cookie-blocking changes that Apple has made in Safari and the anti-tracking movement across its app ecosystem are already having a significant impact on how advertisers track and target consumers with relevant ads.

In April of this year, Google reengineered the consent pop-up message throughout Europe to make it equally easy for users to “reject all” cookies as it is to “accept all.” As a result, some publishers have seen a 55% opt-out rate. As this opt-out culture among consumers grows across regions, including the U.S., publisher data becomes even more valuable. Eventually, we will see a global shift toward data privacy that prioritizes user consent.

User opt-in is key

Much of the advertising industry debate to date has focused on the upcoming deprecation of third-party cookies, However, the issues around consumers opting out of sharing data for advertising purposes are much broader and require urgent consideration. This is significant for the entire adtech community, advertisers and publishers. When a consumer hits “reject all,” the ad tech that support programmatic advertising—targeting in particular—stops working.

We have already seen with Apple ATT that over half of iOS users opted out of being tracked by apps and marketers when presented with the choice. This, coupled with the opt-out rate publishers are experiencing in Europe, demonstrates that consumers are actively controlling what data they share with companies.

The next era of ad tech is about user opt-in. Meta has recognized this too. The recent Meta breach, which suggests their ad business is likely non-compliant with GDPR and upcoming privacy regulations, shows that walled gardens aren’t immune from the impact of privacy regulation despite being closed ecosystems.

The regulatory requirement is full oversight and understanding of the data within these walls and enforcing users’ preferences. It’s why publisher data, made up of contextual and audience first-party signals, becomes an extremely valuable commodity in advertising. 

The value of publisher data

Advertisers will find the most effective way to reach customers is by working with publishers who have and can continue to collect first-party data, plus contextual insights that are not impacted by consent.

These include behavioral signals, such as time of day, clicks, scrolling, and video engagement, which are gathered when a user browses a web page; and contextual data, through the content being consumed and metadata, such as locations searched, description, topics, and keywords. Publishers can also gather insights from declared data, which is provided directly to a publisher by users and subscribers, data such as the purpose of visiting, industry, or preferences about certain topics or content.

In this ecosystem, publisher first-party data increases in value because it provides advertisers with the opportunity to target consumers based on consented data and contextual insights. Publishers that recognize the value of their data assets and educate advertisers on what’s possible and privacy-compliant can unlock new, sustainable revenue opportunities.

Fortunately, we are already experiencing a move from the open to a more direct relationship between the buy- and sell-side. When publishers and advertisers work closer together and view adtech as an enabler rather than an intermediary, they can responsibly activate audiences.

Moving forward responsibly

The current disruption we see has always been about more than third-party cookies; it’s about the demand for consumer privacy. Going forward, the ability to track and enforce user consent of first-party data at a granular level can’t just be a bolt-on–it must be treated with the highest importance. When publishers and advertisers work together and build direct relationships, they are in control of how audience data is used, be it for insights, activation, or collaboration. Adtech provides the tools to foster collaboration with controls and permissions. When this happens, publishers regain their place in the advertising ecosystem and the industry moves to a more responsible web. 

About the author

Katie Millington is the Head of North America Publisher Sales for Permutive. In her current role, she is responsible for leading Permutive’s North American Publisher Sales Team. Katie has previously held roles at the likes of Vox Media and Mediacom and has a decade of experience in the digital media industry. An agent for change, Katie is driven by innovative technologies that disrupt the status quo, evident in her background as an early proponent of publisher first-party data and programmatic advertising

The post Publishers hold a strong hand for the future of advertising; now they must play it wisely appeared first on Digital Content Next.

Something is happening at a macro-level that requires more attention than incremental changes and band-aid solutions that we see at the forefront of digital advertising. We are heading towards a great privacy reset. A sharp focus on privacy is pushing everything towards the protection of people’s data and strengthens the requirement for first-party data and closer relationships between publishers, advertisers and their end-users. 

Unfortunately, publishers and advertisers are currently working through a disruptive and chaotic period caused by changing privacy regulations and regular browser announcements. And the results aren’t positive. A study conducted by Permutive in June, surveying 501 senior decision-makers within publishers in the U.S. and U.K., shows that almost three-quarters (74%) of publishers say that browser updates negatively impact advertising business models. And 75% say that privacy regulations are impacting the ability to future-proof advertising revenue. 

There is another way. We need a stable and sustainable foundation for digital advertising that protects publishers’ work, enables advertisers to reach their consumers, and protects people’s privacy and access to information. That approach and solution exists today. It’s an advertising ecosystem built from publishers’ first-party data that prioritizes privacy and protects revenue.   

First-party data drives brand results 

The way media is traded is rapidly changing, shifting fundamentally from third-party cookies and identity to consented first-party data. With this shift towards privacy, first-party data is becoming the new gold standard. This creates an opportunity for publishers to be fairly compensated for their data and improve campaign performance. 

In a recent event, held by Permutive and New Digital Age, publishers pitched their first-party strategies to a panel of agencies. The pitches showed agencies the maturity of publishers’ solutions for advertisers and the impact of first-party data on brand metrics, compared to third-party and publisher averages. 

One publisher was the Guardian, one of the world’s leading English-language news publications that reaches 8.8 million readers daily. The Guardian showed that its first-party data had an average brand lift of 65% and ranked 39% higher on preference and intent metrics. For one particular campaign, the Guardian created a bespoke cohort for luxury furniture brand Rimadesio focused on readers interested in architecture, interiors, art and luxury. The campaign achieved a brand consideration increase of 102% and an intent uplift of 79%. 

Digital Media Services (DMS), the digital arm of Choueiri Group — the leading media representation group in the Middle East – also took part in the event. In a campaign for a telco brand in Iraq aiming to drive awareness of 4G in the nation, DMS created first-party cohorts from data points across its 40-plus sites. 

The campaign resulted in an 85% increase in clickthrough rate, a brand awareness increase of 12% and an ad recall increase of 38%. The agencies who participated, including Starcom, Carat, Mindshare, and Havas, concluded that publishers’ first-party data stands up as a privacy-safe solution for the open web that’s available today. 

Focusing on first-party collection and scale 

Publishers recognize the value of their data as they look to build direct relationships with advertisers. The in-depth-cohort insights they can proactively promote and add in their RFP responses only looks to secure that revenue stream. In our study of the impacts of privacy, consent and browser updates, 80% of publishers say that collecting more first-party data to fuel advertising revenue is a priority.

This is also reflected in buy-side demand for these insights, as almost half (49%) of publishers say their first-party audiences are requested in over 60% of RFPs. Insider, for example, launched its first-party platform, SAGA, in February 2020. The publisher is seeing 400% growth year-over-year with advertisers using Insider’s first-party data for their campaigns. Today, 19-out-of-20 of Insider’s top advertisers are using SAGA.   

An appetite for these audience insights has spurred publishers to collect more behavioral and contextual first-party data and invest in technology to scale first-party data. In fact, according to our research, these are the top two priorities for publishers within the next six months. 

Upside of first-party relationships

The benefits of building privacy-safe direct relationships based on first-party data are many. It adds transparency between the buy and sell-side, first-party data is used to create cohorts that improve campaign performance, and it protects people’s privacy. Plus, it’s a solution that is available today and does not require third-party data or the use of identifiers. 

When publishers and advertisers control their data, they control their fate. Significantly: User privacy is centred, not an afterthought. The great privacy reset is here. Those that don’t take it seriously open themselves up to risk. Publishers are proving that digital advertising can be successful for both themselves and advertisers without using identifiers and third-party cookies, all while increasing revenue and maintaining users’ trust. 

By resetting to protect privacy, publishers and advertisers can build a foundation for digital advertising based on knowledge, understanding and experience and run successful data-driven campaigns without sacrificing privacy for performance.   

About the author

Michael Ogunjobi is Manager, Customer Success, Americas, at Permutive. Michael, and the customer success team, consult with enterprise publishers to enable them to increase their data-driven advertising revenue and make revenue diversification a reality — while keeping user privacy at the heart. Prior to joining Permutive, Michael was Senior Customer Success Manager at Qubit, responsible for product adoption and customer retention. Michael champions the value of publisher first-party data, especially as the industry navigates the impact of data deprecation and identity challenges.

The post The great privacy reset is here. Publishers, are you ready to capitalize? appeared first on Digital Content Next.

General Data Protection Regulation (GDPR)

The GDPR is an EU data privacy law that went into effect May 25, 2018. It is designed to give individuals more control over how their data are collected, used, and protected online. It also binds organizations to strict new rules about using and securing the personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection. The law applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”

Canada’s Consumer Privacy Protection Act (CPPA)

The CCPA, which went into effect June 2022, falls into two parts, which focus on the law and enforcement capabilities.

Part 1: Enacts the Consumer Privacy Protection Act to protect the personal information of individuals while recognizing the need of organizations to collect, use or disclose personal information in the course of commercial activities. Like GDPR, CPPA requires businesses to be transparent about the use of automated decision systems – such as algorithms and artificial intelligence – to make predictions, recommendations, or decisions about individuals that could impact them. Individuals also have the right to request an explanation as to how information about them was obtained as well as how any prediction, recommendation or decision was made by an automated decision-making system.

Part 2: Enacts the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act and to impose penalties for the contravention of certain provisions of that Act.

China’s Personal Information Protection Law

The Personal Information Protection Law (PIPL) is China’s first comprehensive legislation on personal information and data privacy. While similar to the European Union’s General Data Protection Regulation in many ways, China’s PIPL notably contains a number of ambiguities that have yet to be interpreted, thereby generating regulatory uncertainty. It remains to be seen how stringent the PIPL will truly be and the extent of its impact.

China’s Data Security Law

Aimed at protecting national security interests in the usage, collection and protection of data, China’s Data Security Law came into effect on September 1 2021. Data protection experts said that there are a number of areas that remain murky in the new law, such as guidance on which regulatory bodies are in charge of the new law and what data processing activities may trigger national security review requirements.

India Personal Data Protection Bill — proposed; as of March 2020, the Bill was being analyzed by a Joint Parliamentary Committee; scrapped as of August 2022, with a promise to introduce new legislation soon.

India’s Personal Data Protection Bill is intended to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.

New Zealand Privacy Act

The Privacy Act 2020, which went into effect December 1, 2020, provides the rules in New Zealand for protecting personal information and puts responsibilities on agencies and organizations about how they must do that. While New Zealand’s new privacy legislation is not as comprehensive as some international privacy laws, such as the GDPR, it still introduced significant changes including:

• mandatory data breach notification;
• new investigative and regulatory powers for the New Zealand Privacy Commissioner; and
• new criminal offenses and penalties, including fines of up to $10,000.

Overseas businesses are required to comply with New Zealand’s privacy laws as the Privacy Act 2020 has extraterritorial effect.

UNITED STATES OF AMERICA

Update: As of July 2024, twenty states had passed privacy legislation.

California (CCPA)

The California Consumer Privacy Act of 2018 (CCPA), which went into effect January 1, 2020, gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

• The right to know about the personal information a business collects about them and how it is used and shared;
• The right to delete personal information collected from them (with some exceptions);
• The right to opt-out of the sale of their personal information; and
• The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

California (CPRA)

In November 2020, California passed the CPRA which amends and expands the California Consumer Privacy Act (CCPA). This California state privacy law, which is being phased in through July of 2023, clarifies existing provisions of the CCPA, creates new consumer rights, imposes additional obligations on businesses that collect personal information from California consumers, and creates a new enforcement agency called the California Privacy Protection Agency.

The CPRA will affect large businesses and organizations the most. Any company that engages in the data collection, analysis, and storage of any person located in California is subject to CPRA they fit under the following criteria:

• For-profit companies that do business in California
• Over $25 million in annual revenue
• Companies that buy, sell or share personal information (PI) of over 100,000 consumers or households
• Derives at least 50 percent of annual revenue from selling or sharing of consumer PI

Note that even if a business isn’t physically or legally located in California, that company is still subject to CPRA as long as they have users or conduct business in the state.

Colorado Privacy Act

The Colorado Privacy Act creates personal data privacy rights and:

Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:

• Control or process personal data of more than 100,000 consumers per calendar year; or
• Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
• Does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.

Under the bill, consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a “controller” as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” means a person that processes personal data on behalf of a controller.

The bill:

• Specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data;
• Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising , profiling, selling personal data, or processing sensitive data; and
• Specifies that a violation of its requirements is a deceptive trade practice, but the bill may be enforced only by the attorney general or district attorneys.

Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) protects the privacy and security of Connecticut residents’ personal data by requiring businesses and organizations to be accountable for safeguarding it. The CTDPA applies to entities that handle personal data, including sensitive data like genetic or biometric information. 

The CTDPA gives Connecticut residents the following rights:

• Access their personal data
• Correct inaccuracies in their personal data
• Delete their personal data
• Obtain a copy of their personal data in a portable format
• Opt-out of the sale of their personal data
• Opt-out of the processing of their personal data for targeted advertising 

The CTDPA also imposes strict requirements on data handling, security, breach notification, and consent. For example, controllers must limit the collection of personal data to what is relevant and necessary for the purpose it is processed for. They must also create and maintain security practices to protect the confidentiality, integrity, and accessibility of data.

Maryland Online Data Privacy Act of 2024

The Maryland Online Data Privacy Act of 2024 (MODPA) establishes a regulatory framework to protect Marylanders’ personal data. The law imposes requirements on businesses to protect personal information, such as:

Data security

Businesses must implement and maintain security procedures to protect personal information from unauthorized access, use, modification, or disclosure

Sensitive data

Businesses cannot collect, process, or share sensitive data unless it’s strictly necessary to provide or maintain a specific product or service

Data collection

Businesses cannot collect, process, or sell a consumer’s personal data for targeted advertising if they know or should know the consumer is under 18

Anti-discrimination

Businesses cannot collect, process, or transfer personal data in a discriminatory manner

Data subject requests

Businesses must respond to data subject requests within 45 days, with a 45-day extension if necessary

The Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act (MTCDPA) establishes consumer rights and requirements for businesses that collect and process personal data. The law goes into effect on October 1, 2024. 

The MTCDPA applies to businesses that:

• Operate in Montana
• Produce products or services for Montana consumers
• Control or process personal data for at least 50,000 Montana consumers
• Control or process personal data for at least 25,000 Montana consumers and earn more than 25% of their gross revenue from selling personal data 

The MTCDPA requires businesses to:

• Provide consumers with a way to opt out of data collection and processing
• Implement reasonable security and protections to safeguard collected data
• Conduct and document a data protection assessment for each activity that presents a heightened risk of harm to a consumer
• Obtain prior consent from a parent or guardian before processing the personal data of any known child under 13
• Obtain consent from a known consumer who is at least 13 but under 16 before processing their personal data for targeted advertising or sale 

The MTCDPA also gives consumers several rights, including:

• Confirmation of whether a controller is processing their data
• Access to the data a controller has collected
• Correction of inaccuracies in personal data
• Deletion of collected data
• A copy of the data a controller has collected
• Opting out of the processing of personal data for targeted advertising, sale, or automated profiling

Nevada Online Privacy Law

Nevada’s Online privacy Law is an ACT relating to Internet privacy that went into effect May 30, 2019; prohibiting an operator of an Internet website or online service which collects certain information from consumers in Nevada from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto. Under the law, sales are defined as exchanges of personal information for monetary consideration by the online operator to a person for the person to license or sell the personal information to additional persons.

Nevada’s bill does not add include new notice requirements for website operators but does require them to post certain items of information in their privacy policies, including the categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices.

Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) is a law that went into effect on December 31, 2023, that protects Utah residents’ personal information and gives them control over it. The UCPA grants consumers rights and imposes obligations on businesses. 

The UCPA gives consumers the right to:

• Know if their personal data is being processed
• Access their personal data
• Delete their personal data
• Obtain a copy of their personal data in a usable format
• Opt out of the sale of their personal data
• Opt out of targeted advertising 

The UCPA also requires businesses to:

• Protect personal data
• Provide consumers with information about how to exercise their rights
• Disclose how consumers can opt out of the sale of their data and targeted advertising 

The UCPA applies to businesses that process data of a certain scale or target Utah and have more than $25 million in annual revenue. Government entities and non-profits are exempt from the UCPA. 

Tennessee Information Protection Act

The Tennessee Information Protection Act (TIPA) is a privacy law that gives Tennessee residents rights over how businesses collect, use, and sell their personal information. It was passed in April 2023 and will take effect on July 1, 2025. 

TIPA imposes obligations on businesses and penalties for violations. It requires controllers to:

• Limit data collection to what is necessary for the disclosed purpose
• Get consumer consent before processing data for other purposes
• Establish reasonable data security practices
• Conduct and document data protection impact assessments before certain processing activities 

TIPA also requires processors to cooperate with controllers to comply with the act, including consumer rights requests and data security. Processors must also be governed by a contract with the controller that outlines relevant consumer privacy provisions

Vermont Data Privacy Act

The Vermont Data Privacy Act is considered to be one of the strongest data privacy laws in the country. The bill includes:

• Data minimization: Limits the amount of personal data companies can collect and use
• Sensitive data: Prohibits the sale of sensitive data, such as social security numbers, financial information, and health records
• Civil rights protections: Prohibits digital discrimination
• Private right of action: Allows consumers to hold businesses accountable for violations of sensitive data rules
• Consumer rights: Includes the right to opt out of targeted advertising, profiling, and the sale of personal data
• Data security: Requires controllers to establish, implement, and maintain reasonable data security practices
• Data breach notification: Requires data collectors to provide preliminary notice to the AG or DFR within 14 days of discovering a breach 

Virginia Consumer Data Protection Act

Virginia’s Consumer Data Protection Act (CDPA) establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.

The bill grants consumer rights to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling of the consumer.

The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.

The bill directs the Joint Commission on Technology and Science to establish a work group to review the provisions of this act and issues related to its implementation, and to report on its findings by November 1, 2021. The bill has a delayed effective date of January 1, 2023.

For more information, see:

• State Laws Related to Digital Privacy
• Privacy Laws of the United States
• US State Privacy Legislation Tracker
• Privacy Laws Around the Globe

The post Digital advertising data: legislation and regulation appeared first on Digital Content Next.

The New Economic Foundation’s report, I-Spy, The Billion Dollar Business of Surveillance Advertising, explores concerns around surveillance advertising – targeted advertising using personal data provided by websites and platforms. In particular, the report examines issues around the collection and use of children’s personal information.

From data collection to buying and sharing data, surveillance advertising is questionable in terms of its legality. Data protection regulations like General Data Protection Regulation (GDPR) and California Privacy Rights Act (CPRA) are in place to protect consumers. However, it is clear from this report that market needs a thorough compliance review.

Mechanics of surveillance advertising

Real-time bidding (RTM) with algorithms and automation accelerated the usage and growth of data-intensive advertising. In fact, targeted advertising serves as the business model for two of the largest internet platforms, Facebook and Google. While many consumers are aware that they are being tracked, they are often not aware of the extent of that tracking.

The process of surveillance advertising:

1. When we click on a webpage, a site identifies the number of advertising slots for sale and begins a bid request.
2. To compile this bid request, the site assembles as much information about the user as possible. A standard bid request usually contains:
   
   – A user ID set by the supply-side platforms (SSPs)
   – Full referral URL, the link to the site where the ad is supposed to appear
   – Birth date
   – Gender
   – Location
   – IP address
   – Interests or segments previously assigned to the user
   – Other information collected directly, from a data broker, or inferred
3. The information contained in the bid request is then used by demand-side platforms (DSPs), working for advertisers, to decide whether, and how much, to bid in an auction for the right to show the advertisement to the targeted audience.
4. The winning bidder gets to place the ad on the page and to keep a copy of the data in the bid request.

The New Economics Foundation estimates that bid requests on U.K. users containing personal information are sent out at a rate of approximately 10 billion a day. This translates to approximately 164 bid requests per person per day across all the ad exchanges. This information is seen by a multitude of ad tech companies. In fact, vast amounts of personal data are broadcasted across the digital advertising ecosystem.

Advocating for children

Children are protection under the Data Protection Act (DPA) in the U.K. and under Children’s Online Privacy Protection Act (COPPA) in the U.S. The two laws require parental consent prior to any data collection, usage, or disclosure of the personal information for children under the age of 13. Unfortunately, the more children spend time online, the that more digital platforms and ad tech platforms companies target them to gather data. The data collection process also employs algorithms to keep children online longer. This leads to an endless loop of data collection and advertising.

Recommendations

The New Economic Foundation recommends policymakers address surveillance advertising as follows:

• Ensure platforms do not serve surveillance-based advertisements to children. And if data is collected, the child will be compensated, and their data will be deleted.
• Platforms tracking and collecting data have a legal responsibility to handle all in a fiduciary manner.
• Eventually prohibit the practice of surveillance advertising.

Critical context

Extensive online tracking systems coupled with the use of online auction systems shifts the advertising paradigm from contextual to behavioral. Many marketers today prioritize targeting over ad environments that are safe for consumers and advertisers. . Unfortunately, data is now the holy grail, which allows fake news, clickbait, and user-generated content to easily be monetized.

Importantly, GDPR and CCPA legislation are critical steps to reset business strategies and their reliant on extensive third-party consumer data collection. However, enforcement has been uneven at best. And when it comes to kids, it is clear that much more needs to be done to curb these unethical, even illegal, practices.

The post Targeting practices: a critical look at surveillance advertising appeared first on Digital Content Next.

Driving subscriptions

Consumers have multiple free and paid entertainment choices competing for their attention. Content and cost are key factors driving paid video subscriptions. Content, no cost, and ease of access are drivers for ad-supported video services. Consumers often assess subscription costs based upon their willingness to offset price by viewing advertising.

Nearly the same number of consumers prefer to pay for content as those that prefer ad-supported services. Interestingly, 40% of respondents prefer to pay $12 a month for a service with no ads versus 39% preferring a free service with 12 minutes of ads per hour. Understanding how ad-related preferences and expectations around personalization and privacy impact consumer choice is crucial to driving subscriptions, paid or not.  

Consumer frustration and churn

The flip side of acquiring subscribers is retaining them. Listening to consumer frustrations is an important action step for all businesses.

Deloitte’s identifies audience dissatisfaction when:

• Content they want to view is no longer available on the service: 66%.
• They must subscribe to multiple services to access the content they want: 53%.
• They find it difficult to access content across so many services: 52%.
• A service fails to provide them with good recommendations: 49%.

Anchoring consumers in a customized user experiences with an ease of navigation builds audience engagement and prevents churn. The report states the churn rate for streaming video services remained constant at approximately 37% measuring from October 2020 to February 2021.

Impact of data economy

Consumers are wary of data collection. They want more oversight in the data economy and question the value they get from its collection. In fact, eight in 10 respondents (82%) believe they should be able to view and delete the data that companies collect about them. Further, 78% said providers are responsible for protecting consumers’ personal data. Looking to put controls in place, 77% say the government must do more to regulate data collection and its usage. Importantly, publishers should assess ad-related preferences and consumer expectations around personalization and privacy to inform their internal policies.

As media companies navigate their subscription practices, they must continue to keep consumer preferences in focus. An emphasis on data and analytics is key to create a personalized entertainment service for consumers. Further, a customized user experiences makes it easier for subscribers to find content they want to view. Improving the interface with personalization and ease of use strengthens the audience connection. As the competition for audience grows tighter, it’s necessary to take actions that support developing and maintain a strong relationship with the audience. 

The post Courting media consumers with a customized approach appeared first on Digital Content Next.

As promised in the iOS14 update, Apple will begin enforcing the user consent requirement for apps to share its Identifier for Advertisers (aka IDFA) in March. This was delayed from September; however, it’s been a dark cloud rapidly approaching for anyone advertising or monetizing in the mobile app space.

IDFA was a giant boon to mobile advertising. Arguably, it kick-started in-app programmatic by enabling cross-app targeting and measurement for advertisers similarly to the way third-party cookies function in browsers. While third-party cookies are (reportedly) hitting the end of the road in 2022, Apple’s IDFA will live on. However, advertisers, adtech companies, and publishers alike are pessimistic about the percentage of users who will opt-in due to a rather negative permission window from privacy-centric Apple.

Eric Seufert, who has become somewhat of an IDFA whisperer with his Mobile Dev Memo blog, predicts that only 20% of app users will opt in to sharing IDFA. While Facebook and Google are both expected to take billion-dollar revenue hits in the next 12 months due to the privacy switch, this will be a calamity for app developers of all shapes and sizes.

Unfortunately, those developers may get hit with a double whammy. They face severe revenue loss and a storm of malvertising and malicious ads taking advantage of a drooping programmatic marketplace and mobile vulnerabilities.

Publishers’ incessant mobile troubles

Mobile has been a long, hard road for digital publishers. As more and more of their traffic creeped over to smartphones and tablets during the last decade, publisher revenue opportunities dwindled. Less screen real estate was available to show display ads, visitors scrolled by impressions at warp speed, and the available formats not only failed to satisfy advertisers, but also alienated audiences.

And that was before Apple’s Safari, the most widely used mobile browser in the US, introduced Intelligent Tracking Protection (ITP) and cut off third-party cookie support. Eventually, Apple plans to put even tighter restrictions on first-party collection.

At AdMonsters Publisher Forums, ad ops professionals described their mobile web environments like ghost towns. “Oh yeah, the advertisers know that iOS users skew more affluent and that we have solid first-party data segments. But they won’t bite without client-side measurement capabilities and attribution.”

Scammers step in

No surprise then that the scammers saw a weak mobile programmatic marketplace and came to play. The current age of ad quality challenges started with omnipresent mobile redirect campaigns. For a while in 2018, it seemed like every weekend you could be greeted by scam announcements that you’d won a gift card if you dared to brave the mobile web.

Much has changed since then. Publishers have creative blockers at the ready for redirect barrages. But bad actors now seem to be favoring malicious clickbait slathered in cloaking code over the ol’ redirect.

And their interest in compromising mobile users has only grown. The biggest named malvertising threats of 2020, including LuckyBoy and IcePick, used fingerprinting to pinpoint mobile devices.

Late 2020 and early 2021, The Media Trust saw a dramatic rise in malicious ads on mobile devices. (And when we refer to an incident, we mean a specific malvertising campaign; the amount of infected impressions is exponentially higher.)

As Pat Ciavolella, Digital Security and Operations Director at The Media Trust, explained on a recent webinar, “Mobile is a juicy target for bad actors…. Most people access the Internet through their mobile devices and malvertising is harder to detect. Malicious actors are starting there to make sure their code is working before expanding onto desktop and reaching anyone and everyone.”

A significant slide in in-app programmatic CPMs—due to unidentifiable or unmeasurable traffic— will simply open up new testing grounds for malvertisers.

Double whammy

So, the enforcement of consent for IDFA—with Apple messaging that’s likely to dissuade users from opting in—couldn’t come at a worse time. As noted elsewhere, even rosy opt-in predictions could have devastating consequences on app developers’ revenue. We know because we’ve seen how advertisers pull out when users are unidentifiable and unmeasurable on Safari. (On mobile and desktop).

And when benign advertisers step back, we’ve then seen how the malevolent ones step forward. A simple examination of the rise in malicious advertising during the early days of the pandemic is enough to set your hair on end. An explosion in supply with lowered CPMs is a scammer’s paradise. The scam opportunities around Covid will once again hit fever pitch as bad actors try to capitalize on vaccine distribution.

App developers face a dual threat. First, the are likely to see a serious drop in revenue as in-app programmatic CPMs decline when users fail to opt-in to IDFA-sharing. And then a host of bad advertisers will try to infect their users with malware or rope them into some kind of scam.

As tempting as it may be to send the programmatic bid floors to the basement, app developers – and mobile publishers in general– have to keep their guards up against malvertising. The must also demand better protections from their upstream demand partners. It’s never been more important to scan and track where bad ads are coming from.

In the long run, infecting your users with malware or a credit card skimmer could have far worse ramifications than a revenue shortfall.

The post When Apple closes a door, malvertising opens a window appeared first on Digital Content Next.

In a recent survey, 53% of publishers experienced an increase in engagement with their email newsletters during the Covid pandemic. Email is taking on a new role in nurturing these relationships and maximizing their value. Much like retailers, publishers can leverage email as a path to conversion.

Rethink the “customer” experience

Executives are rethinking many parts of their business in light of the pandemic’s silver lining of higher engagement. And with third party cookies under imminent threat, publishers have both a challenge and opportunity with how to collect insights about visitors to deliver value for advertisers and drive business operations effectively.

One way that publishers can take better advantage of their new engagement opportunity is to collect more data. They have an opportunity to more effectively test and integrate new revenue opportunities by approaching their digital business the way a retailer approaches ecommerce. Many publishers have discussed adding commerce opportunities to their models, such as The New York Times’ addition of Wirecutter to their portfolio. However, for many publishers, the concept needs some direction.

Often, the best work across publisher initiatives is done by connecting experiences between the website, search, and social media. Unfortunately, email remains a relatively static, separated channel. Retailers would be shocked to know that publisher email is frequently bifurcated between content-based newsletters and transaction-based messages about subscriptions with little coordination between them. Email is a hidden opportunity that will help with many 2021 publisher goals.

There are many strategic and tactical improvements that publishers can make to better orchestrate channels to achieve their goals. And these improvements have already proven successful in ecommerce. The multichannel retail experience includes data collection and segmentation, intricate channel orchestration, a dedication to measurement and analytics, and sophisticated testing and personalization with email and SMS. These channels must work together seamlessly to serve to engage, connect, and communicate.

Mapping the “customer” journey

A loyal reader has a particular series of actions that they will, pretty predictably, take. They might visit the site every morning. Or perhaps they open their mobile app every evening as they hang out on the couch. A search-driven reader might have another set of behaviors. They might averaging 30 seconds on the page, with a possible second article before abandoning the site.

These various user profiles are essentially different “customer segments.” Each of these offer their own set of value opportunities and paths to conversion. Many publishers have already created segmented strategies and content personalization. However, multichannel revenue-driven marketing, including email, usually takes a back seat. This reduces the ability to re-engage, offer deeper personalization, and drive conversion.

Retail tactics to learn from

Publishers have more in common with the ecommerce experience than they may realize. In fact, several established ecommerce best practices can be repurposed for publishers:

Browse abandon

Retailers will often trigger a personalized email when someone abandons a product search. Publishers can do the same, tracking everything from scroll depth to which search terms drove them to the site. By testing segmented triggers to bring different readers back to the story, or to similar or different stories, publishers come across as more relevant and more interesting.

Cart abandon

Similarly, retailers will trigger a personalized message via email or SMS to remind people of what’s in their cart. Publishers can do the same with event and subscription signups, or with articles saved for later reading.

Interest-based triggers

Every time a consumer reviews a product, or clicks on a link, that information is gathered to improve personalization and triggered messaging in the future. This information, be it driven by content behavior or more transactional behavior, should be collected by publishers to build richer user profiles and to inform segmentation and marketing actions. This data is also hugely valuable for editors seeking to better understand reader interests.

Live content

Retailers used live content during Black Friday/Cyber Monday to drive interest in sales, manage inventory. Streaming content showing employees explaining products, and influencers discussing health tips, drove engagement and sales. Publishers can imagine incorporating everything from breaking news and live entertainment to real time interviews and podcasts.

Channel optimization

Email is only one element of a multichannel communication strategy. It’s best to test within and across channels to understand how to get people to stay engaged based on their preferences and habits. For example, testing the success of driving engaged readers on mobile web to download the app, or transitioning engaged mobile app readers to in-app messages and push instead of email, can help publishers meet readers where they are without any friction. SMS can take things one step further for brands that don’t have standalone apps but cover breaking news, the same way many D2C retailers alert shoppers about sales.

Bonus points

These five common triggers in a retail strategy also serve another purpose: to test messages and collect more data. Adding triggers along the customer journey doesn’t just provide opportunities to re-engage, they make businesses smarter. Combining insights and measurement across different parts of the business can help speed up learning. Personalizing different elements of the customer journey can help speed up conversion.

Content is the product that many publishers focus on, but it’s the readers (aka customers) that will deliver insight and revenue. By turning focus toward the transactional touchpoints along the reader journey, publishers will find more chances to increase their insights and improve their performance. Retailers may have more measurable ROI. However, what retailers have spent years learning through testing can now serve as a reliable blueprint for publishers.

About the author

Allison Mezzafonte has worked in the media and publishing industry for 20 years and is currently a growth consultant, as well as a Media Advisor to Sailthru. A former publishing executive for Bauer Media, Dotdash, and Hearst Digital, Allison serves as a strategic partner to media clients.

The post Retailers drive revenue with email. So can publishers appeared first on Digital Content Next.