Taming the Wild West of Consumer Data Sharing in AdTech
The Wild West era in America during the late 1880s gave rise to a new genre of film known as Westerns — vast, rugged landscapes, men on horseback, and gunfights at every turn.
The Wild West is famous, above all, for lawlessness. Vigilantism. Outlaws on the run.
It's a surprisingly apt metaphor for how the online advertising industry has operated for the better part of two decades.
Authorities Slow to Act
The Wild West saw an influx of new land — and later, gold — there for the taking, arriving so fast that authorities couldn't introduce laws quickly enough to govern it.
The public internet, which arrived in the mid-1990s, created a structurally similar situation. Instead of land and gold, user data was the prize.
Since the mid-2000s, advertising-technology companies have been collecting, segmenting, and sharing enormous volumes of consumer data. And just as in the Wild West era, regulators and governments were slow to respond.
That's not to say the industry operated with zero safeguards. Concepts like privacy by design and data minimization have been in circulation for years. But their existence hasn't prevented the industry from amassing user data to the point where it now forms the backbone of online advertising — where data collection happens on any internet-connected device (consider how many tags and pixels fire on a typical website), and where that data is routinely passed to multiple downstream vendors via piggybacking and cookie syncing.
Several developments over the past few years, however, suggest those unchecked days are numbered.
The EU's General Data Protection Regulation (GDPR) was the most significant early signal, with countries like Brazil and India subsequently moving to introduce comparable frameworks. Even major technology companies — Cisco, Microsoft, and Apple among them — have advocated for GDPR-style legislation in the US. Meanwhile, the proposed ePrivacy regulation, still working its way through trilogue negotiations, will likely have a bigger and more direct impact on AdTech than the GDPR ever did.
Over the coming years, AdTech companies will need to ensure their data-collection activities comply with a growing patchwork of data-protection and privacy laws — or face the consequences.
Vigilantism in the Form of Self-Regulation
In the Wild West, violence and theft were rampant. Local authorities simply lacked the manpower to keep up with the sheer volume of crimes. In response, vigilante justice groups formed from within communities, acting as judge, jury, and executioner — doing what established authorities couldn't.
The online advertising world has had its own version of this dynamic: self-regulation.
Governments and regulatory bodies have lacked the resources to govern a sprawling, technically complex advertising ecosystem. That vacuum was filled by industry bodies like the Interactive Advertising Bureau (IAB) and the Network Advertising Initiative (NAI), among others.
The problem is that, unlike even the roughest vigilante outfit, these self-regulatory groups have done relatively little to properly rein in the data-sharing practices that have come to define AdTech. Failed initiatives are the telling evidence here: AdChoices, for instance, requires users to opt out by clicking a tiny icon on ads and waiting while a new page loads their browser and cookie statuses — hardly a meaningful standard for consent. The IAB's Transparency and Consent Framework has similarly been criticized as inadequate.
Time's Up for Shady Actors
The outlaws and bandits of the Wild West hid out in the badlands, out of reach of authorities and vigilantes alike.
For the better part of a decade, advertising companies and data brokers collected and distributed user data without that user's knowledge or explicit consent. But the online-advertising bandits can hide no longer.
Consumers are increasingly aware of the scale of data collection by walled gardens like Google and Facebook, as well as by independent AdTech and data companies. Complaints filed by privacy advocacy groups have helped drive that awareness — including recent filings by Brave and the Open Rights Group, which in turn formed the basis for a separate complaint filed by Panoptykon targeting Google and the IAB.
A report by Piwik PRO put some hard numbers to the problem: 74% of websites placed third-party cookies without valid consent, and 86% preloaded possible tracking cookies before a user had even expressed a consent decision. Those third-party cookies almost always belong to AdTech or MarTech vendors, meaning personal data is routinely transferred outside the EU, where it can be exposed to retargeting, profiling, or outright sale.
The AdTech companies that will succeed going forward are those that treat user privacy as a genuine design requirement, not an afterthought. Both clients and consumers are becoming less willing to work with companies that don't.
That places the burden squarely on AdTech and data companies to demonstrate — credibly — that their data-collection practices are privacy-friendly and compliant with GDPR and whatever regulations follow.
The Events That Ended the Wild West
No single event ended the Wild West era. It was more likely a combination: new laws governing land ownership and gold mining, and the gradual takedown of enough prominent outlaw figures to change the calculus for everyone else.
With ad blockers, GDPR, and Intelligent Tracking Prevention (ITP) all having made an impact over the past few years, it's reasonable to ask whether the mass user-data free-for-all in online advertising is finally approaching its close.
The evidence is mounting that it is.
The GDPR's initial rollout didn't produce an immediate industry-wide course correction — a large majority of AdTech companies didn't fundamentally change how they operated. But the subsequent investigations by France's data-protection authority CNIL and the UK's Information Commissioner's Office (ICO) into Google's handling of user consent under GDPR represent a meaningful escalation. They may well be a sign of things to come for AdTech broadly.
The next few years will likely establish some genuine law and order around user-data collection — regulating what self-regulation couldn't, and exposing the companies that refuse to adapt.
The window to act proactively is open now: reduce data collection, build privacy into products from the ground up, and rebuild the trust of online users before regulators force the issue. Fifty years from now, the AdTech industry of today may well be remembered as a chaotic, data-grabbing era — just don't expect any motion pictures to be made about it.