display lumascape - privacy+security academy

[Figure: DISPLAY LUMAscape, © LUMA Partners LLC 2015. Axis labels: Marketer, Publisher, Consumer. Category panels: Performance; Video / Rich Media; Targeted Networks / AMPs; Ad Networks; Horizontal; Vertical / Custom; Mobile; Exchanges; DSPs; Publisher Tools; Data Suppliers; Ad Servers; DMPs and Data Aggregators; Measurement and Analytics; Creative Optimization; Agency Trading Desks; Media Planning and Attribution; Verification / Privacy; Retargeting; Media Mgmt Systems and Operations; Sharing Data / Social Tools; SSPs; Tag Mgmt; Agencies. Legend: denotes acquired company; denotes shuttered company.]



Publisher / Ad Server / SSP / Ad Exchange / DSP / Advertiser

• Ad Server
• DSP / SSP
• Exchange

DMP

Online Ingest and Activation

1. User visits website
2. Cookie collects attributes from the page and associates data to an unknown user
3. Client creates audience using 1st (and 3rd) party data
4. Client can model the audience based on additional desired attributes
5. The DMP activates data to execution channels
6. Execution Channel targets users or optimizes content based on DMP data
7. Media data is passed back into DMP for further Analytics and Reporting

Diagram labels: DMP; 1st Party Data; 3rd Party Data Marketplace; Modeling; Analytics & Reporting; Mobile; Display; Social; Site Optimization; Search

Offline Data Activated Online

1a. User visits website and logs in
2a. Match Provider tag grabs PII (usually email) from the page when user logs in and hashes it.
3a. Match Provider associates hashed PII with the cookie to create online file.

1b. User visits store and provides PII, including email
2b. Client stores PII and user attributes in CRM DB
3b. Client passes PII and offline user attributes to Match Provider via reference file

4. Strips PII (retaining hashed email) from offline reference file, associates data with the matching hashed online file, and creates new anonymous online User Profile containing the offline user attributes
5. Load into DMP to activate Online User Profile via execution channels

Diagram labels: Client’s CRM DB (with PII); Match Provider; DMP 1st Party Data
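The matching flow in steps 1a through 5, as an added example that is not part of the original slides. SHA-256, the trim-and-lowercase normalization, the field names and all sample records are assumptions constructed for illustration; the slides name no hash function or file layout.

```python
import hashlib

def hash_email(email):
    # Assumption: trim + lowercase, then SHA-256. Both sides must normalize
    # identically or the same address will never match.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

# Constructed sample data. Online file (steps 2a-3a): hashed login email + cookie ID.
ONLINE_FILE = [
    {"cookie_id": "ck-1001", "email_hash": hash_email("susan@example.com")},
    {"cookie_id": "ck-1002", "email_hash": hash_email("lee@example.com")},
]
# Offline reference file (step 3b): CRM rows carrying PII and offline attributes.
REFERENCE_FILE = [
    {"name": "Susan Doe", "email": " Susan@Example.com ", "postal": "124 Main Street",
     "attributes": {"loyalty_tier": "gold", "last_store_visit": "2015-06"}},
    {"name": "Pat Roe", "email": "pat@example.com", "postal": "9 Elm Road",
     "attributes": {"loyalty_tier": "silver"}},
]
PII_FIELDS = {"name", "email", "postal"}

def build_online_profiles(online_file, reference_file):
    """Step 4: drop PII (keep only the hashed email), join on it, emit cookie-keyed profiles."""
    by_hash = {}
    for row in online_file:
        by_hash.setdefault(row["email_hash"], []).append(row["cookie_id"])
    profiles, unmatched = [], 0
    for row in reference_file:
        email_hash = hash_email(row["email"])
        cookies = by_hash.get(email_hash)
        if not cookies:          # customer never logged in online: nothing to activate
            unmatched += 1
            continue
        for cookie_id in cookies:
            # Allow-list copy: only the attributes leave the reference row.
            profiles.append({"cookie_id": cookie_id, "email_hash": email_hash,
                             "attributes": dict(row["attributes"])})
    return profiles, unmatched

def leaked_pii(profiles, reference_file):
    """Check to run before the DMP load (step 5): raw PII values found in the output."""
    raw = {str(r[f]).strip().lower() for r in reference_file for f in PII_FIELDS}
    blob = repr(profiles).lower()
    return sorted(v for v in raw if v in blob)

if __name__ == "__main__":
    profiles, unmatched = build_online_profiles(ONLINE_FILE, REFERENCE_FILE)
    print(profiles, unmatched, leaked_pii(profiles, REFERENCE_FILE))
```

The resulting profile still carries the hashed email as its join key, so it remains a persistent identifier and needs the same access controls as the other identifiers in the pipeline.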

WilmerHale 6

FTC Expectations: Framework

2009 FTC Staff Report Self-Regulatory Principles For Online Behavioral Advertising and March 2012 final report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers

• Four central principles (from 2009 report):
  • Transparency and Consumer Control
  • Data Security and Retention
  • Express Consent for Sensitive Data
  • Express Consent for Material, Retroactive Changes
• Application of principles in final report
• Reports apply to mobile as well

2009 Report: Observations

The Report is based on the following premises:

• Collection and use of data is ubiquitous and often invisible.
• Consumers lack an understanding of the nature and extent of this collection.
• Many consumers are concerned.
• Collection and use has led to significant benefits.
• Traditional distinctions between personally identifiable and anonymous data are blurred.

The report was not intended to be a template for law enforcement, or even new regulations, but rather to:

• Articulate best practices for companies and
• Assist Congress as it considers privacy legislation.

FTC 2012 Final Privacy Report

Simplified Consumer Choice
• Not required for contextually appropriate uses of data (e.g., order fulfillment)
• Required for uses not consistent with context of transaction or relationship (e.g., secondary uses, behavioral advertising)
• Affirmative, express consent required:
  • Material retroactive changes to privacy provisions
  • Collection of sensitive data

Transparency
• Clearer, shorter, more standard privacy policies
• More explanation of data “enhancement” practices
• Consumer access to data collected about them

Special Concerns
• Mobile context—constant data flow & limited disclosure space
• Data brokers—no consumer-facing element makes disclosure difficult
• Large Platform Providers (e.g., ISPs)—invisible access to large amounts of data (workshop in December 2012)

FTC Enforcement Actions: Overview

FTC is aggressively using its Section 5 authority in response to what it sees as unfair and deceptive acts and practices in the online and mobile spaces.

• Tracking disclosures must be obvious and outside Privacy Policy
  • In the Matter of Advertising.com
    • Offered “security software” that also installed Adware—was disclosed in terms & conditions, which users could click past without reading.
  • In the Matter of Sears Holdings Management Company
    • Sold software offering discounts but also tracked users; was disclosed in EULA, which users had to read, but was buried.
• Websites and apps must offer an effective opt-out
  • In the Matter of Chitika, Inc.
    • Offered opt-out only effective for 10 days (in error—intended it to be 10 years).
• Websites and apps are bound by third-party terms and conditions?
  • FTC v. Jerk.com
    • FTC consent order can be read to suggest that the FTC may try to treat the use of information pulled from a website such as Facebook out of compliance with the Facebook API terms as a deceptive act or practice in its own right.

FTC Enforcement: Compete, Inc.

In the Matter of Compete, Inc. (October 22, 2012)

• Web tracking company collected data on browsing behavior of millions of users
• Allegedly:
  • Convinced consumers to download tracking program by offering rewards in exchange for opinions on products and services
  • Once downloaded, the program operated in background and collected information about browsing behavior, including usernames, passwords and financial account information
  • Program did not disclose extent of collection, and did not adequately protect collected information
• Resolved by settlement
  • Compete must obtain express consumer consent before collecting any data from downloaded software. Law or fencing in?
  • Delete or anonymize any data already collected
  • Provide directions for consumers to uninstall the software

Self-Regulation of Interest-Based Advertising (IBA)

Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising

• Transparency
  • First parties generally must disclose third-party IBA practices
  • Third parties must describe in privacy notice: (1) types of data collected for IBA; (2) uses/transfers of data; (3) opt-out; and (4) adherence to DAA Principles
  • “Enhanced notice” required in or around interest-based ads and/or on web pages where data is collected or used for IBA
• Consumer Control/Choices
  • Opt-out required for IBA
  • Opt-in required for sensitive health or financial data, material changes to existing policies, or collection/use of data by “Service Providers”
• Data Security & Accountability

Network Advertising Initiative (NAI) Code of Conduct contains similar requirements, but members also must:

• Disclose (1) ad delivery/reporting practices; (2) technologies used; (3) data retention period; (4) adherence to NAI Code; and (5) use of health-related interest segments
• Require by contract that first parties disclose IBA practices/opt-out and make “reasonable efforts” to confirm that first parties comply with such requirements

Application of Self-Regulatory Principles to the Mobile Environment, 2013
This guidance explains how the existing DAA Principles apply to certain types of data in the mobile Website and application environment.

NAI Mobile Application Code, 2015
The 2015 update to the NAI Mobile Application Code governs NAI members’ Cross-App Advertising and ad delivery and reporting.

Data DAA and NAI Cross App Advertising Programs

DAA: (Cross App Data) “Data collected from a particular device regarding application use over time and across non-affiliate applications.”

NAI: (Cross App Advertising) “Collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on preferences or interests known or inferred from the data collected.”

All about the fine print…

Though the programs are similar, there are a number of differences. These include:

• Notice construct
• What’s in notice
• Overall program requirements
• Definition distinctions

Cross Device / Context

Identifier types, with the example shown for each:
• Cookie IDs: ID 455
• Mobile IDs: IDFA 3245, AdID 6867
• Social IDs: @Susan25
• Postal IDs: 124 Main Street, Anytown, USA
• Email IDs: [email protected]

Characteristics noted on the slide:
• Highly unique, persistent hashed identifiers
• Highly unique, persistent hashed identifiers, able to bind multiple devices and hold profile information
• Precise geo; in-app behavior; a single user
• Mobile and desktop web; rich web behavior; often multiple users
• Offline information, generally confined to households

Cross Device / Context: Best Practices

• More than just device
  – multiple browsers per device
• Statistical v. deterministic
  – look at various signals (OS version, IP address, browser types, time/dates, etc.)
  – email or account logins (clear or hashed)
• Notice and choice
  – US: notice probably ok (FTC roundtable in November)
  – EU: affirmative consent probably required
  – Wait to scan and associate each device until consent obtained

Cross Device / Context: Best Practices

Opting out
– Single device or all associated devices?
– Do you know who you are opting out?
– Transparency: identity graph
– Granularity: IBA or Cross Device
– Data associated with connected devices
  – Device A opts out, Device B does not. Car interest associated with both. Delete Device B car interest?
  – Device C later associated with B. Add car interest to C?
– Make your approach clear in privacy policy
– Stat-ID opt-out degradation issues

Tracking and Targeting on Social Media

Facebook, Instagram, Twitter, and other social media platforms enable advertisers to tailor the right content to the right users, including through custom audiences

Data to inform targeted social media marketing comes from a variety of sources, including:
– existing customer lists (e.g., find your existing customers on a platform, or potential customers who resemble your existing customers)
– social media activities, such as Twitter “follows” and Facebook “likes”
– tracking website visitors or mobile app users to social media

Targeting options can include basic demographics, interests, behaviors, hardware attributes, and much more:
– Men ages 35 to 55 who follow Dale Earnhardt and Donald Trump
– iPhone users ages 18 to 30 who shop at Best Buy and like Wired

Tracking and Targeting on Social Media

Social media companies generally require advertisers to provide privacy protections for users:
– Notice of third-party data collection and behavioral targeting
– Appropriate consent where required
– Instructions for how customers and website visitors may opt out

Certain marketing practices are prohibited on many social media platforms:
– Creation of tailored audiences based on sensitive personal data reflecting users’ characteristics or beliefs (e.g., race, religion, medical conditions, sex life)
– Ads asserting or implying knowledge of personally identifiable information (e.g., a user’s full name or physical address)
– Promotion of certain products (e.g., drugs, tobacco, weapons, or adult products or services)
– Integrating social media tracking on websites and in apps directed to children

The Latest on “Do Not Track”

• W3C Last Call Working Draft issued July 14
• Browser Actions
• EFF Coalition

Data Security Considerations

• Maintain a reasonable security program with administrative, technical, and physical safeguards to protect against reasonably foreseeable risks (secure storage, authenticated connections, access controls, etc.)
• Conduct reasonable due diligence and oversight of third-party service providers and business partners
• Ensure that contracts with third parties contain appropriate security provisions
• Ensure that advertising content, software, and systems do not contain malware to prevent “malvertising” and other harm
• Confirm that data shared with third parties is anonymized or de-identified properly to prevent unauthorized access/use (e.g., hashing or using random identifiers)
• Limit data retention to a period reasonably necessary to achieve business purposes

Take-Aways

1. Understand the partners you’re dealing with and the role they play in the overall advertising ecosystem;
2. Understand the technologies you’re deploying and ensure that opt out works for every consumer, every time;
3. Ensure that data are not used for purposes inconsistent with the purposes for which they were collected;
4. Avoid consumer surprise; if a use or disclosure would surprise an ordinary consumer, disclose it outside the privacy policy (such as with the DAA’s Advertising Options Icon);
5. Understand the self-regulatory requirements that apply to you, whether you are a first party, a third party, or a service provider;
6. When deploying new technologies such as cross-device matching, keep the basic principles of robust notice and choice in mind, and watch for DAA, NAI, and FTC guidance;
7. Avoid IBA activities using sensitive data without getting consumers’ opt-in consent;
8. Keep on top of developments in Do Not Track and users’ “Limit Ad Tracking” choices on their iOS and Android devices; and
9. Make sure that data you pass to third parties is secured, and otherwise maintain a reasonable security program consisting of administrative, technical, and physical controls against reasonably-foreseeable risks.