Privacy regulation is not an obstacle. It is the architecture of advertising's future.

Ad tech poses an interesting, unsolvable problem: how do you serve an ad for a relevant product to a user in an increasingly private universe where privacy means something fundamentally different to everyone?

Why I like unsolvable thought problems: I was born in DC, the product of two attorneys (one who loved practising law, one who hated it and became a lobbyist almost immediately). I wanted to do something different, to be an astrophysicist, and didn't want to do the maths, so I studied philosophy instead. Deep thoughts about ethical quandaries and occasionally physics. After time in the Senate and across the buy-side, sell-side, and exchange parts of the ecosystem, here we are.

It doesn't look like this industry has existential crises sitting here right now, and the industry thrives on them. In 2017-2018, everyone said Europe has just passed this law called GDPR; it's the end of advertising. Then we created a task force and fixed it (I was on it with fantastic people), and we can still advertise in Europe, with interesting constraints. More recently the threats have been regulatory, monolithic-company, and the bridging from national law into state law. California, Texas, Colorado and countless others (19 in total) are passing laws with serious consequences. We will face them and do the right thing.

Data governance and privacy framed two ways: yes, the letter of the law (evolving at the speed of light), and the brand-protection component. You don't want to work with partners who sell a competing product or who facilitate the movement of your first-party data to benefit a competitor. Data governance and privacy are about trust between the advertiser, the user, and the intermediaries who facilitate re-engagement or first-time engagement. They're also about brand protection: your most valuable first-party data not benefiting others, not leaving your universe.

The General Data Protection Regulation came in 2018, governing 720 million people with extraterritorial bite. It changed the legal rights of users, made consent the standard for tailored advertising, and raised the transparency bar for websites and anyone facilitating reaching a user on a website.

IAB Europe (under Townsend Feehan and Matthias Wittjeesen) said we need a coalition of the willing to come up with an unbelievably complicated solve that is simple enough to implement in a matter of months. At MediaMath we offered the daisy bit: a compression string moving along the OpenRTB request signalling whether the user had consented to advertising in the first place, and the intermediaries who might advertise on the site. Quantcast offered the idea of the CMP so users could inject the signal with meaningful data. Julia Shulman at AppNexus brought sanity (and other very good ideas). R11 Fell contributed; many people were involved.

The lesson: the OpenRTB protocol can do more than publisher recognises user is coming, SSPs scream out into the void, DSPs frenetically bid for them. It can offer enough information to enhance compliance, signal consent, recognise bid enrichment, and respect locale restrictions.

Post-GDPR, Tech Lab is now more involved on US state-level issues. Prebid (with its summit next week) takes a more publisher-centric approach. The standards bodies are necessary because too many players with too much at stake, including the fate of the open web and the ability of advertisers to reach users outside entrenched portals, need a sub-100-millisecond turnaround for an ad.

It takes professional people to wrangle: Tech Lab, IAB broadly, Prebid, others. It takes concerted effort from companies that volunteer their time. Many meetings, many Slack channels. Slack genuinely helped: what would have been biweekly meetings with 100 players who didn't always get along and had competing interests now gets handled on Slack or in shared docs. For the big stuff (GDPR, state-level changes), it helps to have an existential dilemma.

The DOJ's bulk-data rule and PADFA are recent layers on top of the country-to-country data-flow story that pre-dates GDPR. Globally we're seeing not exact copycat and similar legislation in Asia and South America. Brazil passed the LGPD (effectively a Portuguese copy-paste of GDPR). Japan, South Korea, New Zealand, Australia. RTB House was born and raised amid GDPR so we're ready for consent and responsible data handling.

Where it gets tricky is the states. The internet doesn't work below the country level. IP addresses act like a home address: useful at city or country level, very stable at country level, with odd exceptions (one South American country has French IPs, so specify the hemisphere). At the state level it breaks down because a California user may in fact be a Nevada user (the shared border, AT&T may switch the IP). With 19 states having comprehensive privacy laws either enacted or imminent (around a third of the US population), the practical advice is to work with partners who treat the US as a whole. Don't give rights only to California or Maryland or Massachusetts or Connecticut or Texas. Give them everywhere. Honour the spirit of the law and certainly the letter, and maintain user trust.

People talk about Gen AI as a threat to the open web. There's also a benefit: Gen AI lets us understand content on pages contextually in a way classic contextual never did.

An advertiser that makes pizza ovens used to ask for a contextual campaign. The partner served the campaign on every page that mentions pizza. Sometimes that's great. Sometimes it's on a New York Times article about the cholesterol impact of pizza. Not the time to market a pizza oven to a reader.

With Gen AI we have a more human understanding of content and can pick when it's relevant. Gen AI is a branch of deep learning, which is what RTB House's stack is built on. That lets us pick the universe of models that can be executed without identifiable data (and potentially without cookies), then use the combined contextual universe for a tailored ad serve without personal data.

The last five years have been a whirlwind. We dedicated engineering resources to cryptography, statistical injection, noise handling, novel measurement. We operate better, more privately, and with less user data than we ever have, both where one-to-one signal exists and where it's classically difficult.

Many privacy-enhancing technologies are still to be tested. Brands like clean rooms because the raw user data isn't being passed to an advertiser product, which is core and crucial. I personally would never hand over an email address for targeting. Through novel statistics, hashing, and encryption, you don't have to. We'll see more clean-room execution, more statistical differential analysis, and more novel measurement. Tech Lab, the Network Advertising Initiative (their PETS Working Group dropped news today), and Prebid will have central roles as established players in the cryptographic scene.

The first part: tried-and-true legal obligations. If you don't meet them, bad things happen.

The second part (which many people miss in the data-governance evolution): brands want partners where their data and their interactions with users aren't going to benefit their competitors, and where their risk isn't being amplified by advertising through those partners. Data governance pertains both to the brand's own technology stack and to making sure partners are executing honestly with the least amount of data possible. That preserves trust with users and is being upfront about how data is used and transmitted. Fortune 100, Fortune 500, all the way to the Etsy shops.

Leading privacy at RTB House might be easier than leading at a brand, oddly. At a major global brand, the tension between the people who build and sell the product and the people who keep you safe is constant. There's a balancing act in ad tech too. RTB House, which came up during GDPR, has a straightforward mission: enable our advertisers' data to deliver lift. The use of advertiser data, identifiers, where data flows, how much we keep: all of it is gelled into the privacy strategy.

From the consumer's view: get a user to download your app, authenticate, sign up, buy not only their first thing and their second and third, and you've created somebody with you for life. You've given them time to think about the trust relationship through thoughtful prompts and forthright disclosures. They become comfortable seeing your products in unexpected environments.

If you're Nike with a shopper who loves Air Force Ones, they're delighted to see those Air Force Ones on the Washington Post or Der Spiegel. They might ask why am I seeing this? You want the why am I seeing this moment to feel like joy, rather than horror. Not stalking me across the web.

There are things you can do as the individual overcoming. In this environment, it has to be coalitions. No single company can shape what federal regulators do, what state regulators do, what the EU does, what New Zealand does, what Tech Lab does. Collaborative, coalition-driven effort.

If you're a marketer, work with partners running point with peers across the regulatory environment. If you're ad tech, engage. Learn the fundamentals. Sometimes that's you need a privacy policy. Sometimes it's here are specific ways you have to use the OpenRTB protocol. Get engineers involved.

It comes down to trust. Not everyone gets sued for doing something illegal, and they will turn off the people they want to buy the product. Understanding privacy at its core ethical layer (why someone is drawn to something, why someone is horrified by something) is elemental to a successful business.

In the Gen AI everywhere era, many people come up with ideas and don't stop to think about how they'd feel if they were impacted by their own product. Take a beat and think about how you'd feel if you were affected by your own product. Your marketing will be better. You're also less likely to get sued.

RTB House is in our F1 moment. F1 has the problem of being awesome in Europe, awesome in Asia, awesome in Latin America, and asking what's up with those 340 million Americans who spend more money than anyone else? F1 solved it with Drive to Survive and a Brad Pitt movie. Now everyone's watching; F1 outside the US is the most popular per-event thing short of the Super Bowl and the World Cup Final.

We're doing well in the US. A lot of that is convincing advertisers of the power of their data and of how much less and how much riskier it is to use more than they need. Not only of their own data and of enriched data, of adding more to it, of slicing the dollar too fine. The advertiser (and the ad tech) doesn't only want to benefit the advertiser; it should benefit the user and the publisher. Publishers create the open web we know and love.

A lot of people think the open web is closing into walled gardens from here. There's data to that. And there are still millions of domains and billions of content creators producing on the open web that we access through a browser, a phone, and soon through glasses. It's not time to go from existential crisis to abandonment. It's time to be useful, novel, and to think quickly and creatively about how to use the open web.