Shady Advertising Practices and Their Privacy Implications

While questionable practices have always existed in the advertising ecosystem, it seems as though the frequency at which these are occurring is increasing. Or at least the frequency at which they are being uncovered is increasing thanks to individuals and organizations that are focused on trying to drive change.

Allison Schiff, managing editor at AdExchanger, has highlighted a lot of the issues, especially those related to privacy. In one of her recent articles, titled “Shadier Than Forbes? Premium Publishers Are Partnering With Content Farms To Make A Quick Programmatic Buck”, she highlights data from Sincera, a startup that gathers and supplies metadata to the ad tech ecosystem, that shines light on yet another bad behavior. The Sincera data shows premium publishers creating subdomains that are essentially Made For Advertising (or MFA) sites, leveraging their well-known brand names with off brand, click-bait content and heavy ad load to drive impressions and clicks.

This is a classic example of revenue opportunity taking precedence over all else including user experience and brand reputation. It also got me thinking about the role of privacy in these scenarios. How do these click-bait, MFA type sites fare when it comes to privacy compliance? If they are being shady about their site identity and monetization practices, are they also not doing the right things when it comes to privacy?

By the time I read the article, the only one of the subdomains called out that I could find that was still active was magazine.jpost.com. After conducting a quick of the privacy policy on the site, it didn’t appear that there was anything major that was glaringly missing. Worth noting that the policy shows that it was last updated in 2019 so it does pose the question of how up to date the information is and whether or not it reflects current business practices but that aside, they do mention at least at a high level how data is collected, type of data collected, purpose for collecting, how data is shared and user rights.

This said, upon further review of their Data Subject Access Request form (or DSAR for short), things got a bit more interesting…

1. The form is a PDF that someone has to print, fill out, scan and then email back to the company. This process as currently designed makes it overly tedious on the individual trying to exercise their rights.
2. They ask for full physical address to complete the request. Being an online content website, there is no reason why an individual should have to provide their address in order to make a request.
3. Last but definitely not least, they require identity verification to make a request!! They ask for photo identification AND proof of address (utility bill, bank statement, driver’s license, or tax document). This just seems creepy and 100% unnecessary.

Safe to say that I have NEVER seen this as a requirement in any of the hundreds of DSAR forms that I have manually reviewed as a part of our data QA process. Hopefully no one is actually completing their form and submitting this level of information! You can see the full form from the site below.

The examples in this form, again point to actions that are guided by a singular focus. Just as the subdomains were created with revenue opportunity trumping all, this DSAR form was created with maximizing data collection taking precedence over the individual experience and most importantly data protection.

The intersection of unethical advertising tactics and questionable privacy measures poses a significant threat to consumer trust and brand integrity. Revenue goals and brand values must both be considered when making advertising monetization decisions just as privacy regulations and user data protection must be taken into account when developing privacy practices. Without these balances we cannot change the status quo. With them we can hopefully move towards a more transparent and privacy-led approach to advertising.