Fixing the Internet One Digital Ecosystem at a Time

Note: This article was initially published in ExchangeWire on May 10, 2018.

Internet

Read article

Over the past 14 years, The Media Trust has focused on one audacious goal: to fix the internet. The company has continuously monitored the internet for malvertising, creative quality, data leakage, and other compliance issues on behalf of organisations seeking to protect and monetise their mobile apps and websites. In this piece, ExchangeWire speaks with The Media Trust CEO Chris Olson; CRO Alex Calic; and European General Manager Matt O’Neill.

How The Media Trust delivers on its promise has evolved and expanded in scope over the years. The company’s products have noticeably shifted in approach from a reactive detect-and-notify to a pre-emptive identify-evaluate-notify-and-resolve. Olson and CTO Dave Crane started The Media Trust to meet publishers’ emergent need for a systematic way to verify whether an online ad published according to the contract with the ad buyer: on the right page location, to the right audience, at the right time. Next, they pioneered malware scanning and spawned services for malware prevention, creative QA, and data protection. Today, the company helps their clients address the three dimensions of digital risks – security, privacy, and quality – from a single platform known as ‘Digital Vendor Risk Management’. “We work with most of the largest publishers, advertising exchanges, demand side platforms (DSPs), brands, and e-commerce companies”, explains Olson.

Continue reading

5 Reasons Why: DSPs need more than an ads.txt aggregator

Authored by Jason Bickham, Vice President, The Media Trust

The Media Trust’s Ads.txt Manager for DSPs puts the muscle in managing ads.txt files.

Building ads.txt muscles

Even as the digital ad ecosystem finds its footing in 2018, the winds of change are more of a gale than a gentle breeze. Perhaps, one of the most crucial and welcome change that is underway, is the industry-wide push for trust and transparency. The IAB Tech Lab’s Ads.txt initiative does its part by addressing one element of fraud: inventory fraud or the use of spoofed domains to mask illegitimate or counterfeit inventory. As a simple file publishers post to their domain containing a list of their inventory’s authorized direct sellers and resellers, the ads.txt initiative enjoys unprecedented adoption rate among digital publishers.

Adoption by publishers is a good start but only half of the solution. What about their upstream partners who now need to leverage this information, especially DSPs?

We quizzed some DSPs over the past few weeks and learned that while many have built their own crawlers, they are also looking for more color in open source feeds – hoping to derive benefits beyond the fodder collected by their in-house solution. There is key truth here that is hard to ignore: an ads.txt aggregator just isn’t going to cut it when it comes to managing ads.txt files and reconciling payment issues with SSPs.

That’s why The Media Trust took file aggregation a step further and created an Ads.txt Manager for DSPs. This centralized tool supports three mission-critical tasks for prime business impact by helping DSPs:

  • validate digital advertising inventory
  • swiftly reconcile payment issues
  • build trusted relationships with downstream partners and publishers

But, don’t just take our word for it. Here’s what Ari Paparo, CEO of Beeswax, a leading provider of bidder-as-a-service programmatic solutions has to say about the Media Trust’s Ads.txt Manager: “Ads.txt can be confusing, but with The Media Trust’s tool you can quickly see a clean version of a publisher’s most up-to-date ads.txt file.”

Why go beyond a simple ads.txt file aggregators that are mushrooming across the industry? Here are five top reasons why you should adopt our Ads.txt Manager for DSPs:

You do you
DSPs need to focus on what they do best – securing the best ad placements possible for their clients! True, while checking ads.txt files definitely helps in vetting and validating advertising inventory, these files change more often than you think. Managing the growing number of ads.txt files shifts focus away from DSPs’ core competencies.

1. What about file accuracy?
The issue of accuracy when it comes to ads.txt files is critical – to fight inventory fraud you need up-to-date file versions. Our solution to the question of accuracy is simple – inaccuracies may come in but they don’t have to go out. Formatting errors and invalid content are stripped from any usable content so DSPs can make the most of what’s available without wasting time handling inadequate files.

2. Retroactive lookup and change notifications
In addition to providing access to near real-time versions, Ads.txt Manager archives every captured version of a publisher’s ads.txt file and notifies on file content changes – critical information for billing reconciliation. The tool’s query parameters include domain, key, action, “as-of” date and the DSP’s specified format for easy lookup.

3. A quick check should be quick
Verification of an ads.txt file should be quick and simple. While DSPs are welcome to open several browser tabs/ windows to manually access open source feeds or spend resources building their own tools and troubleshooting as required, The Media Trust offers a centralized platform to access the internet’s continuously updated database of accurate ads.txt files in an easy-to-parse format.

4. Trust and transparency isn’t a one-way stream
We believe that the ads.txt initiative is a step in the right direction, but DSPs need to know more than just surface-level insights about the SSPs listed in these files. Keeping this in mind, Ads.txt Manager provides access to our growing digital vendor network, a group of 200+ entities dedicated to creating a better, more robust digital ecosystem.

For these five crucial reasons we decided to go further than building an ads.txt file aggregator and create a more actionable tool for DSPs. And, more is coming. So watch this space for more updates, but in the meantime,register to use our Ads.txt Manager (FREE until June 30, 2018) if you haven’t already!

Ad Ops: The Unlikely GDPR Heroes

This article by Matt O’Neill, General Manager, Europe was originally published in Digital Content Next on February 6, 2018.

art abstract dark business depression background

Read article

10 actionable steps to charting a publisher’s course to digital GDPR compliance

Yes, it is the topic du jour, but somehow many are still adrift when it comes to the European Union’s impending General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018—under 100 working days or five short months away. Countless articles summarise requirements into generalities covering organisation-wide data elements, such as customer, partner and vendor information. More often than not this approach doesn’t mean much to Ad/Revenue Operations (Ad Ops) professionals.

The Ad Ops Challenge

GDPR presents three significant hurdles to Ad Ops:

  1. Identifying known data collection activity;
  2. Confirming it is legitimate under GDPR (i.e. that the rules are being met); and
  3. Detecting and remediating unauthorised data collection, which is potentially considered a data breach.

The highly-dynamic and opaque nature of the digital ecosystem often means that all three of these hurdles are difficult to clear without adversely affecting a media publisher’s strategic revenue channel. So, the key issue to resolve is this: how does a publisher go about managing data in a GDPR-compliant way but without undermining its business model(s) and therefore its commercial viability?

The answer, as usual, is Ad Ops. For this group, GDPR presents an important opportunity. As the frontline of digital operations, Ad Ops professionals are in the unique position to influence, drive, and co-create strategies to protect and optimise revenue in the changing regulatory environment. In fact, they have a powerful legitimate reason to control audience data collection activities on their digital properties and demand compliance from upstream partners.

10 Steps to GDPR Compliance

The daily demands placed on Ad Ops can be overwhelming, with the complexities—and vagaries—of GDPR an unwelcome intrusion. But it’s a critical opportunity. Here’s a 10-step approach (with supporting GDPR references) towards GDPR compliance for media-oriented websites and mobile apps:

1. Participate in an internal GDPR Task Force [GDPR Articles 37-39]

Every business— large and small—should have a GDPR ‘Task Force’ or something similar. This could be organised by a senior data privacy leader, such as a Data Protection Officer (DPO), which is now a requirement for many organisations. The Task Force should be staffed with key personnel across the organisation who interact with any type of personal data, i.e. operations, IT, privacy and risk, security, HR etc, and should include individuals across strategic markets as the GDPR has a global reach (see GDPR Article 3). As part of the Task Force, Ad Ops can explain the role of consumer data in the digital environment to deliver user-specific content and advertisements and how it supports the publication’s mission and contributes to revenue.

It is important to understand that the scope of personal data is broader than under existing EU data protection law. Under Article 4 of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

To this extent, typical data collection, use and sharing activity generated from everyday access of websites and/or mobile apps for digital advertising purposes (i.e. cookie deployment or device identification) should be treated as personal data. Therefore, the term ‘non-Personally Identifiable Information’ should no longer exist as personal data under the GDPR is broader than PII, which is a significant change for digital advertising.

2.  Evaluate the Privacy Risks [GDPR Articles 25, 35 & 36]

The Task Force will probably be responsible for developing a centralised roadmap for the organisation’s digital data and designing the plans to implement necessary processes and changes (including budgetary considerations) required to comply with the new law. Many organisations will need to conduct a Data Protection Impact Assessment (DPIA–a valuable  exercise for good data hygiene), mapping the kind of data collected and processed. Here’s a good template to follow[i].

The DPIA should enable revenue and Ad Ops teams to get up close and personal with all data collection and processing activities, and knowing with whom data is being shared. There are many companies that can assist with DPIAs to develop a point-in-time data picture, which is a critical start to identifying data in the publisher ecosystem. However, the ever-changing digital environment requires continuous monitoring for compliance in order to provide an audit trail or truly demonstrate ongoing compliance. The bottom line is that the GDPR seeks to introduce a ‘Privacy by Design’ approach: removing or minimising data or ‘pseudonymising’ it (e.g. hashing) to minimise the privacy risks.

3.  Create an Authorised Partner List [GDPR Article 30]

Accountability is a central theme within the GDPR: you are required to record and account for all data processing activities. Ultimately, publishers will need to know and understand what data is being collected and processed, and who it is shared with—a serious challenge for the dynamic digital environment.

This means Ad Ops needs to develop a list of all parties that execute on the website (including contracted second parties and any subsequent parties called during the rendering of the visitor experience), analyse digital behaviour to understand data collection or targeting needs, and block those that exhibit anomalous or unapproved activity.

Conducting a data audit, compiling inventory and documenting authorized partners is a good first step; however, these will have to be continuously evaluated with an eye towards changing partner activity, new digital supply chain partners, international data transfers and consumer understanding of tracking/identification and its value to the digital experience.

4.  Get Legal! [GDPR Article 6]

It may seem strange for Ad Ops teams to concern themselves with too many legalities, but with the GDPR it is imperative that those involved in data collection activities understand the consequences of their actions. The regulation outlines six legal bases to justify the processing of personal data:

  • the user’s consent (which is defined more stringently than under current data protection law)
  • the use of contracts involving the user
  • legal compliance (i.e. with another law)
  • protecting the interests of an individual
  • when it is in the public interest to do so
  • when it is the organisation’s legitimate interests to do so (provided it doesn’t override the rights of the individual)

Digital advertising will require the user’s consent, not least because it is required for the storing of information or gaining access to information already stored on a device—whether personal or not—(i.e. via a cookie) under the existing ePrivacy Directive (See Step 6.) This is where Ad Ops needs to work closely with the compliance teams: an innovative consent mechanism will be required for digital advertising activities. But, keep in mind that some data processing activities (e.g. for network security or when tackling fraud) may warrant different legal bases.

5.  Enforce Digital Partner Compliance [Articles 26-30]

The GDPR introduces obligations (and liability) for all organisations, whether a ‘data controller’ or ‘data processor’. Find out how data partners are preparing for the GDPR and establish a working group with key partners to discuss compliance strategies. This requires first knowing your upstream partners from SSPs and exchanges through to DMP and DSPs. Some data partners are likely to have to conduct a DPIA as well—guide the process for them. In time, revisit, review and adapt contracts or agreements with existing partners to ensure that shared obligations and responsibilities under the GDPR are accounted for and that partners are complying with digital asset policies for your company. If a partner chooses to not comply with your policies reconsider your relationship with them.

6.  Obtain Consent [GDPR Articles 7-9]

Consent is the new king in digital advertising, so review where and how you obtain it. Under the GDPR, consent must be given freely, specifically, and unambiguously, and it requires affirmative user action. Some pre-GDPR consent mechanisms (i.e. so-called ‘implied’ consent) may not be valid when the GDPR applies. And it remains to be seen if existing consent management platforms can properly handle authorized cookies delivered by third-party partners in addition to a publisher’s first-party cookies. It’s important that practical and user-friendly consent mechanisms are adopted. Where appropriate, review existing consent mechanisms and explore evolving market solutions to suit your business. EU regulators have provided some draft guidance on consent[ii].

7.  Be Transparent [GDPR Articles 12-14]

Revisit and restructure your Privacy Notice to ensure that it meets the requirements of GDPR. It is likely it will need to include more information than your existing one (such as all the technologies used to process data, including by third-party solution providers). Ad Ops teams will be directly responsible for any data collection activities. The UK Information Commissioner’s Office (ICO) Code of Practice[iii] provides a good template to follow, including what information to include, how the Privacy Notice should be written, and how to test, review and roll it out. But don’t stop there. Consider enhancing transparency by deploying additional measures including ‘Just-in Time’ mechanisms, video messages or the EU AdChoices programme[iv].

8.  Give your Customers Greater Control over their Information [GDPR Articles 15-22]

The GDPR seeks to give people greater control over their data and therefore includes many rights for individuals, such as the Right to Erasure and the Right to Data Portability. Media publishers will need to put in place processes to achieve these for their customers. Beyond consent, publishers need to provide mechanisms for consumers to solicit information collected and used by the publisher and absolutely honour requests for data removal. The ability to offer this functionality and test its reliability are further proof points to demonstrate compliance. Where appropriate, point to existing controls such as unsubscribe mechanisms and opt-out points, and consider other innovative data control solutions.

9.  Designate a Lead Supervisory Authority [GDPR Article 56, 60-61]

Choose who your ‘Lead Supervisory Authority’ (i.e. regulator) will be when the GDPR becomes effective. This regulator will act as a single point of contact for the enterprise’s data activities throughout the EU. Documenting and opening up communication channels with the Lead Supervisory Authority now is critical to understanding how future enforcement will be carried out. Keep an eye on Brexit: if you are hoping to designate the UK ICO you may have to think again.

10.  Prepare for any Data Breaches [GDPR Articles 33-34]

Implement (and test) procedures to detect, report, investigate and resolve a personal data breach (e.g. data loss or hack). Keep in mind that the reporting of high-risk breaches to the relevant Supervisory Authority (regulator) needs to happen within 72 hours of discovery—a timeline publishers are not positioned to meet. As Data Controllers, Publishers are ultimately responsible for breach notifications and, therefore, they need to be aware of any breach that occurs throughout the digital supply chain including upstream partners.

Sailing Through the GDPR Storm

All experts agree: GDPR will be a watershed moment for digital publishers. The next several months (let alone years) will be tumultuous as stragglers try to catch up and the more-prepared publishers await the success of their compliance programmes.

On a positive note, the winds are favourable for digital publishers to take back control over their audience data. Direct access to the consumer relationship and the control of consumer consent puts publishers at the helm. However, it is up to the unlikely heroes—Ad Ops teams—to ensure smooth sailing when it comes to digital data compliance and risk management.

[i]  https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

[ii]  http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

[iii]  https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

[iv]  http://www.edaa.eu/

The State of GDPR: Publishers’ Questions Answered

This article originally appeared in AdMonsters on December 19, 2017.

AdMonster_GDPR_660x320

Read article

Data privacy and legal compliance experts agree: GDPR is too big to ignore. As an ad/revenue operations (ops), you should already know the E.U.’s General Data Protection Regulation (GDPR) comes into effect in May, 2018. What’s actually new in this story? Valid point. Despite months—possibly years—of preparation, publishers still have questions about GDPR’s implications, some of them pretty basic: Will this apply to our business? What do we need to do to become compliant? What kind of enforcement is expected? Can we just cross our fingers and ignore it?

The answers to these questions lie in every digital publisher’s ecosystem. GDPR affects any entity worldwide that digitally targets or monitors people in the E.U. This means knowing what’s happening in your digital environment, from vendors executing to data tracking. If knowing your digital partners doesn’t appeal as a basic business practice, then maybe the fines for violating GDPR will (maxing out at 20 million euro or 4% of the company’s global revenue, whichever is higher).

Continue reading

The Honest Truth about The Honest Ads Act

Building transparency with a little upfront disclosure

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

Red, white, and blue vote buttons background

The fake news furor and potential Russian involvement in the U.S. 2016 general election is reaching a fever point with multiple congressional hearings, and, digital advertising is in the crosshairs. Like many challenging discussions about digital advertising, transparency is at the heart of the issue.

Digital compliance for political ads

The proposed Honest Ads Act, a bipartisan effort to govern digital advertising according to the same rules followed by traditional broadcast media regarding political advertising, and is the one tangible fallout from the investigations.

The act calls for all politically-oriented digital ads to be declared at purchase, clearly labeled in the creative, and available for consumer access via a searchable interface. Among other things, the buyer must disclose their contact information, candidate and/or campaign, ad flight duration, number of impressions/views, and targeting criteria. The platform must collect this information and retain it for at least four years. It applies to digital platforms with at least 50 million unique visitors a month for the preceding 12-month period that have political ad buyers who spend at least $500 within a calendar year.

In a nutshell, it requires publishers know their ad buyers, ensure ads comply with (regulatory) policies and provide consumer access to these ads and any associated targeting criteria. Sounds familiar?

Transparency starts with the buyer

As The Media Trust announced a few short months ago, our Digital Vendor Risk Management (DVRM) platform provides real-time visibility and insight into non-compliant activity and threats operating in an enterprise website and mobile app environments. More than a risk management framework, DVRM operationalizes client-specific digital asset policies, continuously evaluates digital partner compliance, and actively facilitates the resolution of violating behavior.

The crux of this solution is the ability to identify and manage an enterprise’s digital ecosystem participants, from ad tech up to the source buyer, and authorize their presence. In addition to privacy regulation and escalating security concerns, the Honest Ads Act is just another reason why enterprises need to know their partners.

DVRM – A simple solution to a complex problem

Applying a political lens to DVRM it’s evident that the platform is already satisfying most of the requirements to enable transparency and accountability. Advertising supply chain partners register via an online portal; ads are uploaded and continuously scanned according to targeting criteria; client-specific policy violations are flagged; and, ads are stored for historical reference.

Self-regulation forces a new digital approach

Major platforms have announced their approaches to address congressional concerns and hopefully stave off the vote, let alone passage, of the Honest Ads Act. However, this self-regulation will need to extend to others meeting the requirement threshold, like ecommerce and media publishers.

Regardless of Honest Ads going to vote, changes are in the air. As an industry that has largely grown via self-regulation, the signals are obvious. It is incumbent upon the industry to embrace these changes, especially with the DVRM platform as an easy way to codify and operationalize your policies.