Here’s what we heard at the IAPP’s global privacy summit

After three days in Washington, DC, Marketing Brew’s got sore feet and a head full of privacy jargon.

We’ve just returned from covering the IAB’s Public Policy & Legal Summit and the International Association of Privacy Professionals (IAPP) Global Privacy Summit, where both event organizers and their attendees acknowledged the flurry of privacy legislation at the local, state, and federal levels. While the latter wasn’t explicitly a digital advertising conference, consumer data was at the heart of nearly every discussion, the currency for the digital ecosystem.

“There’s more advertising people here than ever before, people who are not privacy lawyers but are advertising lawyers,” Dona J. Fraser, SVP of privacy initiatives at BBB National Programs, told Marketing Brew.

While we already covered the IAB’s summit, here’s everything we saw at the IAPP’s summit.

HIPAA time?

Perhaps the biggest news to come from the conference? A representative from the Department of Health and Human Services said that the agency is investigating data allegedly shared between healthcare providers and third parties via digital trackers.

“We’re seeing people go in and type symptoms, put in information, and that information is being disclosed in a way that’s inconsistent with HIPAA and being used to potentially track people, and that is a problem,” Melanie Fontes Rainer, HHS’s director of the Office for Civil Rights, said.

In December, the agency issued guidance on the subject, reminding companies subject to HIPAA rules that the use of trackers like pixels or cookies is not allowed “in a manner that would result in impermissible disclosures” of personal health information, including to third parties.

Prints, not privacy?

In one session dedicated to digital advertising, ad-tech representatives tried to explain the awkward position they’re in—selling digital targeting and measurement tools, but with weaker, less accurate data.

While third-party cookies are “seeable, knowable, and deletable,” new methods can be “more opaque to a user,” Leigh Parsons Freund, the president and CEO of the ad-tech trade group Network Advertising Initiative, said. Specifically, she highlighted fingerprinting, a technique that pieces together data, like information about a user’s device and IP address, to identify them.

Rachel Glasser, chief privacy officer of the sell-side ad platform Magnite, seemed to agree, saying that alternatives to the third-party cookie become “a little more privacy invasive.”

“Marketers still need to do all this stuff and run their campaigns…They’re just gonna find another piece of data to use in place of that cookie, like a proxy,” she said. (If it isn’t clear, Glasser and Freund represent perspectives in line with an industry that’s historically profited from the data that third-party cookies collect.)

Other alternatives to the third-party cookie, like contextual advertising, haven’t yet matched behavioral targeting from a revenue perspective, according to Mathilde Fiquet, a special advisor to the European Publishers Council.

“There is this impression from policymakers and from some privacy advocates that contextual advertising is going to sort out digital advertising for consumers who will no longer be tracked, and for publishers who will still be able to get revenue. That’s not accurate,” she said.

Eyes on AI

In a nod to the times (or at least the hype cycle), the IAPP dedicated several panels to AI. FTC Commissioner Alvaro Bedoya used his keynote address to deliver what he called a “sober look” at AI. After detailing his own experience with the tools, like asking DALL-E to depict a French bulldog and a possum in a “white lace collar,” he raised concerns about what he considers to be the “among the darkest of black boxes.”

“There is a very powerful myth out there that AI is unregulated…The reality is that AI is regulated. Unfair and deceptive trade practice laws apply to AI,” he said, emphasizing that there isn’t an “AI carve out” in laws like the Fair Housing Act, the Civil Rights Act, or the Equal Credit Opportunity Act.“The law doesn’t turn on how a trained expert reacts to the technology and explains it, it turns on how regular people see it and understand it,” he said.

He also called for further transparency, quoting a report published by OpenAI about its ChatGPT-4 product that declined to detail how it was built, citing “the competitive landscape and the safety implications” of the technology.

“This is a mistake. External researchers, civil society, and the government need to be involved in analyzing and stress testing these models, and it’s difficult to see how that can be done with this kind of opacity,” he said.

Correction 4/11/23: Dona J. Fraser's quote has been updated.