We’re talking to FPF senior policy experts about their work on important privacy issues. Today, Christy Harris, CIPP/US, Director of Technology and Privacy Research, is sharing her perspective on ad tech and privacy.
Prior to joining the FPF team, Christy spent almost 20 years at AOL, where she helped navigate novel consumer privacy issues in the development of internet staples such as AOL Mail, Advertising.com, MapQuest, and The Huffington Post. She also served as Privacy Program Manager at the cybersecurity company FireEye, Inc., where she implemented a vendor management program in preparation for the GDPR and worked to streamline the company’s global data practices.
Can you walk us through your career and how you became interested in privacy?
I worked at AOL for nearly 20 years, starting out by providing tech support in one of their call centers before moving up to AOL’s corporate headquarters. When I started working at AOL, the confidentiality of customer information was a core value, ingrained in everything we did, but online privacy as we know it today was barely a burgeoning field. Eventually, I moved to a position at AOL specifically focused on consumer advocacy, working with the Chief Trust Officer who oversaw a variety of consumer advocacy issues including anything related to privacy policies and the company’s data uses.
Eventually, AOL’s consumer advocacy team evolved into its global privacy team, led by its first official Chief Privacy Officer, Jules [Polonetsky], and the responsibility for protecting user privacy became a rapidly growing team, with broader responsibilities and the ability and authority to structure and encourage responsible company practices around user data. While Jules left AOL to launch FPF in 2009, AOL remained an FPF supporter, involved in various working groups and other FPF efforts over the years.
In 2017, I left AOL and spent some time working as an independent consultant for several tech companies. With the EU’s GDPR going into effect in 2018, many companies were scrambling to ensure they would be compliant on Day 1 of its enforcement, and CCPA (California’s newest privacy law) was swiftly on its heels, leading to much uncertainty for companies trying to determine their compliance obligations and the most efficient approaches, while also avoiding costly re-architecture of established systems and processes. I eventually joined FireEye full-time, working across teams to implement a vendor management process that included mechanisms for ensuring global compliance in light of the GDPR. Like many companies managing global operations, there was a strong desire to streamline processes and practices to provide consistency both for customers as well as internal operations.
During my time as a consultant, I also worked on an ad tech-related project for FPF, which eventually led to my current role as the Director of Technology and Privacy Research.
What projects are you working on at FPF related to ad tech and mobile platforms?
On a daily basis, I keep a close eye on how companies operate in the online advertising and ad tech space, drawing on my experiences at AOL and an understanding of the operations and needs of advertisers, publishers, and platforms. I also approach ad tech from a more technical perspective: evaluating how ad tech providers build and implement their technology, understanding how the systems operate and to track the flow of consumer data, as well as recognizing the needs and demands of publisher and advertisers leveraging the vast amount of data available in conjunction with the offerings and services of ad tech providers. All of this is part of an overall effort to reconcile how advertisers want to use consumer data with consumer expectations around the use of their data.
A key focus of my work is training – helping policymakers, brands, and privacy officers understand the details and mechanics of online data use so they can each be most effective in their roles. You can see some of our master class sessions online, and I and my colleagues are available for more tailored group sessions.
Earlier this year, we launched the International Digital Accountability Council (IDAC). After identifying the need for a third-party enforcement and accountability entity to address the gap between legislation and mobile platforms’ rules and requirements, we incubated the IDAC under the FPF umbrella. Today, the IDAC is an independent watchdog organization dedicated to ensuring a fair and trustworthy digital and application marketplace for consumers, encouraging companies to engage in responsible practices. I’m very proud of that effort and look forward to watching them continue to grow into a widely influential organization.
Balancing user expectations with industry standards is an interesting challenge. Consumers typically use an app because it will provide a specific service or allow them to achieve a specific goal — whether that’s managing a calendar, ordering dinner, or passing the time playing a fun game. App companies need to be clear about what it is they are providing to users, how they use and treat the data they collect, and ensure that any secondary or downstream uses of data are not unexpected or discriminatory (even if such uses ensure an app is free to use).
What do you see happening over the next few years in ad-tech?
Over the past few years, we’ve seen the GDPR have a very significant, global impact — despite ostensibly being a European law, the GDPR has influenced companies’ behaviors with respect to consumer data worldwide. We’re seeing other countries follow the example of the GDPR, working to establish privacy regulations informed by European law and its interpretations. I’ve found it fascinating to see how different cultural norms and expectations with respect to privacy have impacted national and state privacy laws, and it will be interesting to see how they continue to evolve. For example, where Europe recognizes privacy as a fundamental human right and approaches default data practices from that perspective, U.S. companies often rely on a system of notice and choice, requiring users to opt out of certain practices as the default. These differing perspectives are often reflected in how companies collect, use, and share consumer data, and have to be embraced and adapted to accommodate a globally accessible and targeted internet.
In the United States, we’ve seen California enact regulations embracing approaches similar to the GDPR from a perspective that reflects U.S. cultural norms. I expect California to serve as a driver of additional privacy legislation and the evolution of default approaches in the United States, but I also expect to see changes coming from the ad tech providers themselves as well as the companies leveraging their services. Companies with the power to determine what can be done within their respective environments, for example Google and Apple in the mobile platform context, often drive a significant portion of the policy standards and discussions today. When a company controls the platforms and technologies on it that may be used to interact with consumers, a seemingly minor change on that platform can cause a ripple effect felt across the ecosystem.
Ultimately, I think the push-pull between advertisers and the platforms on which they reach consumers will continue. The brands and advertisers themselves may not always be technical experts, but these organizations excel at finding creative ways to reach their goals. This is where we end up in a “whack-a-mole” situation – platforms’ goals may not align with those of the advertisers on their platforms, creating a constant balancing act. FPF’s role and perspective as data optimists allows us to bring together a variety of stakeholders and experts to help achieve the various goals, using data in new and innovative ways, while always respecting the users at the core of the conversation.