Jules Polonetsky is ready for the ‘firehose’ of privacy rules to intensify

Privacy and ad tech may seem like vinegar and oil, but to Jules Polonetsky, CEO of the Future of Privacy Forum, a rich vinaigrette may be unavoidable. He would know, having previously served as chief privacy officer at both AOL and at DoubleClick before it was acquired by Google.

“Everybody needs some chops in adtech,” Polonetsky told us at the IAPP’s Global Privacy Summit in Washington, DC. “Even if you’re not in the advertising business, your organization markets what it does, has a website, has analytics, has code. It’s been invaluable to me in my career to understand the concepts.”

Marketing Brew caught up with Polonetsky, after he was recognized as the winner of the 2023 IAPP Leadership Award to chat about his ad tech origins and whether the industry’s pioneers ever anticipated such a complex privacy landscape.

This interview has been lightly edited and condensed for clarity.

Although few mention it explicitly, it seems like every panel at this conference is, to some degree, related to ad tech. As an OG in the space, what was the original promise of programmatic advertising?

Simply being able to put your ad on many small websites, not just the largest…Back then, all of the small websites and certainly the small media sites of the world had no efficient way to interact with giant advertisers…That was the promise.

What happened? The early ad networks delivered the promise that big advertisers could buy on the groups of sites that DoubleClick was representing…My team during those days, and even at AOL afterward, was able to do some compliance. We could look at the publishers, we could get big deals, we had insights, we had brand practices…When the system became a free flow of stock-market trading, the ability of any responsible player to actually make any promise to consumers…really broke down. That is, in my view, what needs fixing.

Were some of the privacy concerns we talk about today considered back then? That law enforcement could use bidstream data, or that location data could be used for potentially nefarious reasons?

It was inconceivable because we thought there were so many places that law enforcement was already going, or could go, when they actually wanted the kind of data they needed.

What we had was so kludgy and messy that we weren’t getting those requests and couldn’t imagine they would be useful…We thought that our data was cookie-linked only and wasn’t widely being linked back to explicit personal information, and of course that has changed.

You hosted a fireside chat earlier this week with FTC Commissioner Rebecca Kelly Slaughter, who essentially joked that advertisers shouldn’t think she’s “scary or crazy.”

[The FTC] understands that they have a law that has parameters. It cannot simply decide that it doesn’t like internet advertising and will therefore run wild with a scalpel.

That being said, the agency has shown that it is very ready to push a wide swath of enforcement…They certainly are—and should be—a bit scary. I’d like people to be scared. A lot of our stakeholders who are chief privacy officers need to have a little bit of a “Don’t do this because we think it’s a bad idea, but because the FTC actually cares about this. You are at risk, you can’t do it.” It’s helpful to have that enforcement stick in the background.

Why do you think the folks in the audience laughed when Commissioner Slaughter said that?

The FTC’s rhetoric under this administration and the FTC’s rhetoric in its rulemaking—de facto, declaring 20-year-old business models as surveillance—sets a very clear tone. Collecting a lot of data for advertising and marketing purposes—the FTC is now coming to the table to say “this is suspect.”...That’s a very different tone than the FTC of past years.

Some of my favorite conversations at this conference have been with privacy folks who work in insurance and banking, two heavily regulated industries. Turns out, they can still do their jobs. It does appear to be possible.

Listen to what ChatGPT says: We would like regulation, please!

There are really hard issues. Let’s take health data. What exactly is the border between something being sensitive health data because it’s collected by your doctor versus data dealing in a consumer health or mental health situation, or my pedometer? In the second case, you probably have a pretty good assessment of my health…Once there’s a lot of attention and once there’s uncertainty, most responsible industries…want and welcome clear lines. Much of the audience gets frustrated when they feel inconsistent conflict…“I’ve got Google Analytics on my site in Europe, I don’t want to take it off, but it seems to be illegal but nobody is taking it off. What do I do?”...I think that when it comes to responsible businesses in frothy areas, people are desperate for policymakers to say, “On behalf of society, don’t do this.” When it’s legal but unclear, it’s super hard for business to draw that line simply based on best practices.

It can be hard to verify whether recent privacy changes, like blocking sensitive locations proactively, are actually happening.

Unfortunately, it takes a crisis sometimes for companies to do the work that they know needed to be done…Despite all of the complaints about legislation that is inconsistent or moving too quickly, it’s also been the biggest boost for 5,000 people at this conference.

Over the course of this conference, are there any trends or themes that have surprised you?

There’s so much coming, so quickly, in every state, in every jurisdiction, in local laws like New York City’s AI and employment law. Globally, it’s been a 20-year firehose, and it’s only accelerating as things like ChatGPT and others immediately rush some of these issues to the fore. A firehose is the right example…As a state legislator, once you see a couple of states doing something, the path has been greased. You don’t need to convince anybody, you’re becoming a laggard if your state doesn’t have one. The continued rapid acceleration in complexity continues to amaze me.