Privacy

Sifting Through Google Privacy Sandbox for Android

Jeff Richardson — Tue, 12 Mar 2024 21:29:15 +0000

How to become an early testing partner with Kochava

Google Privacy Sandbox for Web has recently come increasingly under the microscope as the adtech industry witnesses early signs of third-party cookie deprecation’s impact on ad monetization across the open web. With Google’s 1% third-party cookie deprecation beta for Chrome users starting in early January, initial observations have noted Chrome users without cookies monetizing approximately 30% worse than users with cookies.

IAB Tech Lab’s recent fit gap analysis for Privacy Sandbox APIs has sparked a healthy, albeit slightly tense, public debate. Their testing of many fundamental digital advertising use cases brought into question whether Sandbox would be up to the task of filling the void left by full third-party cookie deprecation in Q3 2024 and other future changes. IAB Tech Lab even noted fragmented documentation as a challenge when attempting to “understand the totality of some aspects of the various APIs supporting it [Sandbox].” You can download IAB Tech Lab’s Privacy Sandbox Fit Gap Analysis for Digital Advertising HERE. The draft is open for public comment until March 22, 2024.

Propelling the adtech industry toward a more privacy-first approach is a massive undertaking, especially for the most dominant mobile and browser ecosystem in the world. Google is taking a collaborative approach with the industry to tackle this monumental shift, and Kochava is thrilled to be partnering with industry leaders such as IAB Tech Lab to ensure that Privacy Sandbox meets our customer’s needs. As a longstanding mobile measurement partner (MMP), Kochava is particularly focused on the coming of Privacy Sandbox for Android—and its implications for the mobile ecosystem.

A Refresh on Privacy Sandbox for Android

In August 2019, Google launched Privacy Sandbox as an initiative to develop new standards for websites to access Chrome user information without compromising user privacy. In February 2022, Google announced that Privacy Sandbox would be coming to its mobile operating system, Android. Privacy Sandbox for Android is often likened to Apple’s SKAdNetwork (SKAN), a privacy-enhancing technology for understanding iOS campaign performance in a privacy-first world, although the scope and impact of Sandbox will extend beyond SKAN’s purview.

In their own words, here are Google’s stated goals with Sandbox for Android:

So what are the tools in the Sandbox? As illustrated in the following graphic, Privacy Sandbox on Android consists of four primary technologies. Let’s unpack each in further detail.

Attribution Reporting API

The Attribution Reporting API serves as a privacy-first solution for marketers to measure the effectiveness of their advertising campaigns. It facilitates the aggregation of conversion reporting data (triggers) from different sources (i.e., attribution data from an ad click or impression) while maintaining individual user privacy. Using this API, marketers can assess the impact of campaigns without compromising individual user identities—ensuring privacy compliance while still providing a base level of performance insight for the purposes of campaign optimization.

Similar to SKAN for iOS, the Attribution Reporting API within Sandbox features privacy-preserving thresholds and outputs only anonymous, aggregated performance data. No user or device-level data is available. Unlike SKAN, which originally supported only app-to-app conversion paths (until the release of web-to-app support for Safari in SKAN 4.0), Sandbox will support app-to-app, app-to-web, web-to-app, and web-to-web user paths from the outset.

This API supports observance of measurement data through two types of attribution reports:

Event Level Reports connect specific attribution sources from an ad click or ad impression with trigger data from conversions. The fidelity of signal output is more limited, as the connection is one-to-one.
Aggregatable Reports provide a richer fidelity of trigger conversion data, but in only an aggregate format not necessarily tied to particular attribution source data.

Kochava is currently focused on testing Event Level Reports, which more closely resemble the style of reporting through SKAN on iOS.

Why it’s important
The current state of mobile attribution on Android relies on Google Advertising ID (GAID), UTM referrer, and/or other device characteristics, including user agent and IP address, that may be transmitted off device to perform one-to-one attribution between an ad impression or click and the resulting conversion. The Attribution Reporting API will eliminate reliance on this user and device-level data and bring advertising measurement on device. Sensitive signals will no longer need to be sent off device—making them unavailable for unauthorized collection, use, and covert tracking. With the eventual deprecation of GAID, UTM referrer, and access to other device signals, the Attribution Reporting API will be the lifeline through which marketers can understand the performance of their campaigns to inform their optimization decisions.

See Google Developer Documentation HERE.

Protected Audience API (formerly FLEDGE)

Originally named FLEDGE, now affectionately called PAAPI (Protected Audience Application Programming Interface), this set of APIs aims to support on-device auctions for remarketing and custom audience segmentation based on interest groups. The goal is to serve personalized ads to users in line with previous app engagement, but without any third-party data sharing.

Why it’s important
User data no longer needs to be sent off device for the purposes of building user profiles attached to GAIDs or other device/user-data derived profiles for personalized ad targeting across ad networks, DSPs, and other ad platforms. Adtech vendors will be able to tap into anonymous, yet highly accurate signals to inform ad buys based on user behaviors, interests, and historical app usage.

See Google Developer Documentation HERE.

Topics API

The Topics API in Google’s Privacy Sandbox for Android is designed to give marketers a privacy-centric method to target relevant audiences based on their interests. Advertisers can understand the topics engaged by users and serve them personalized and targeted ads without revealing individual user identities—respecting user privacy and maintaining data confidentiality. A topics taxonomy will provide hundreds to potentially thousands of human-curated interest labels that help categorize a user by interests.

Why it’s important
One might liken this to IAB Tech Lab’s Audience Taxonomy, which provides standard nomenclature for the classification of audience segments. The Topics API will provide the new standard for classifying Android users for targeting purposes by leveraging on-device learning. This replaces ad tech platforms collecting user and device data to build their own profiles on users attached to GAIDs or other third-party generated identifiers.

See Google Developer Documentation HERE.

SDK Runtime

SDK Runtime establishes a more secure framework for apps integrating third-party software development kits (SDKs). Because app developers are not always aware of a third-party SDK’s full functionality and data collection practices, SDK Runtime places third-party SDKs into a modified execution environment featuring well-defined permissions and data access rights privileges.

Why it’s important
Over the years, adtech news publications have featured many stories about rogue, third-party SDKs behind advertising fraud schemes, covert data collection, and other nefarious practices. While these SDKs were intended to leverage valuable app functions and features, rogue actors have been known to hide covert functionality deep within their codebase, enabling them to exploit data-access permissions for nefarious purposes, unbeknownst to the developer who integrated them for legitimate use cases. SDK Runtime technology will put third-party SDKs in a dedicated runtime environment that makes such exploitation impossible—giving app developers and the end consumer peace of mind.

The complete library of Kochava Android SDKs will be available through SDK Runtime.

See Google Developer Documentation HERE.

MMPs and the Attribution Reporting API

Let’s zoom in on the Attribution Reporting API—a key focus for the team here at Kochava.

Mobile measurement partners (MMPs) are able to integrate with the API to provide conversion analytics and performance insights for advertisers under the new privacy framework of Sandbox. It’s important to note that while ad network vendors can use the API to receive self-attributed event and summary reports for conversions they drive/influence, only an MMP is positioned to provide cross-network, last-touch attribution by integrating with the array of aggregation services set up by various ad network vendors. Google lays out multiple scenarios for cross-network attribution with an MMP in this developer documentation. Similar to how MMPs work as a unified decoder ring of sorts for the various SKAN-enabled media partners with which a brand is running campaigns, MMPs will again be sitting at the intersection, translating cross-network Sandbox data into a holistic reporting layer marketers can make sense of.

The Attribution Reporting API also provides for lookback window configurability adjustable by the advertiser and/or via their MMP partner. This is more flexibility than we see on SKAN, where such windows are fixed. Sandbox also provides 30 days of post-install event measurement for better user quality and retention insights out of the gate, compared to what SKAN offered at launch.

As neutral third-party measurement services, Kochava and other MMPs play an important role in the advertising ecosystem. The Attribution Reporting API provides both event-level and aggregated attribution reporting to MMPs, which along with other aggregated omni-channel data helps MMPs empower marketers to understand overall campaign effectiveness and optimize spend across multiple media channels. The Privacy Sandbox model creates opportunities for MMPs to innovate with privacy-focused solutions that decomplicate the lives of marketers amid the increasingly complex privacy considerations of digital advertising.

Kochava Sandbox Testing

Kochava engineering and Android SDK development teams have commenced testing of the primary Attribution Reporting API flow:

Registering ad clicks or views (impressions) that lead users to a particular app or website to complete a conversion (known as attribution sources)
Next, registering triggers (conversions) that signify a user taking a valuable action such as installing an app, making a purchase, or starting a free trial
The Attribution Reporting API receiving both attribution sources and triggers, making relevant matches for conversion attribution and sending one or more triggers off device through event-level and aggregatable reports

Are you interested in Sandbox testing with Kochava?

While testing is already underway with a small selection of clients and partners, we’re looking to expand our testing group. Please note that currently our testing is focused on Event Level Reports.

Advertisers

If you’re an advertiser and interested in early Sandbox testing with Kochava, please reach out to your client success manager or email Support@Kochava.com

Media Partners

If you’re an integrated media partner and interested in early Sandbox testing, please contact our Integrations team by emailing Integrations@Kochava.com

Stay Updated

Privacy Sandbox for Android is a multi-year effort, and Google has not given an exact timeline for general release. Subscribe to our newsletter to stay connected and up to date on future Privacy Sandbox milestones and related updates to Kochava products and services. You can also enroll for notifications directly from Google.

The post Sifting Through Google Privacy Sandbox for Android appeared first on Kochava.

Opt Out

rory — Wed, 04 Apr 2018 21:40:14 +0000

This page provides details on how an end user can opt-out of receiving interest-based advertising. Several options are presented on this page:

Disable interest-based ads on your device
Reset your advertising identifier on your device
Opt-out directly through the app

Learn more about online advertising and your opt-out choices here. To check your browser’s data sharing with websites, visit YourAdChoices.

Disabling Interest-Based Ads
An end user has the choice to opt out of all interest-based advertising by enabling the Limit Ad Tracking setting on iPhone or turning off the Ads Personalization setting on Android. When the user takes this action, the particular device will no longer receive “targeted” ads; however, the user will continue to receive “non-targeted” ads. Kochava and its clients are bound by a platform’s terms (e.g., Apple, Google) to honor end user opt-outs for interest-based or location-based ads.

Click the link below for details on how to opt out of interest-based ads on Google:
https://support.google.com/ads/answer/2662922?hl=en

Click the link below for details on how to opt out of interest-based ads on Microsoft:
https://choice.microsoft.com/en-US/opt-out

Reset Advertising Identifier
An end user can also “reset” the data being used to target ads to them. The effect is akin to clearing your cache on your computer. A user may want to reset the ad ID if ads are being served based on past activities that are no longer relevant to the user’s interests.

The operating system on your device determines which process to follow for resetting the ad ID.

Apple’s iOS refers to an ad ID as the Identifier for Advertising, or “IDFA.” For instructions to reset the IDFA on an iOS device, visit:
http://osxdaily.com/2013/02/01/reset-advertising-identifier-ios/

Google’s Android refers to ad ID as the Google Ad ID, or “GAID.” For instructions to reset the GAID on an Android device, visit:
http://www.tomsguide.com/faq/id-2316491/reset-google-advertising-android.html

Microsoft’s Windows refers to ad ID as “Advertising ID.” For instructions to reset the Advertising ID on a Windows device, visit:
http://forums.windowscentral.com/windows-phone-8-1-preview-developers/278822-question-what-advertisement-id.html

In-App Opt-Out
An end user can opt out directly through the app itself if the app provides this capability. Kochava encourages users to check their in-app settings. An end user can also opt out of receiving engagement (or “push”) notifications. Such messages allow advertisers to send an end user a notification outside the app environment, as well as from within the app. To opt out of engagement notifications, Kochava encourages end users to activate the appropriate commands located within their mobile platform settings (iPhone, Android, or Windows). Push notifications are opt-in on the iPhone and Windows platforms, and opt-out on the Android platform. For more information on engagement notifications, check out the following Mobile Marketing Association’s publication: http://www.mmaglobal.com/files/push_notification_mma_france.pdf

The post Opt Out appeared first on Kochava.

Privacy

rory — Wed, 04 Apr 2018 21:15:21 +0000

Kochava Data Security & Privacy

Your trust and the safety of your data are critical foundations of Kochava’s privacy-first data solutions.

As an industry-leading technology provider, we help enable compliance and ensure the security of your data and that of your customers. In today’s privacy-centric data economy, brands can form closer connections with consumers than ever before by building trusted relationships. Therefore, it is vital to protect information being shared across platforms and connected devices while also empowering consumers with choice.

CCPA

The California Consumer Privacy Act (CCPA) represents a significant shift in state-side consumer data privacy legislation, with implications for brands serving and targeting consumers in the state of California.

For answers to important questions about your business, Kochava, and the CCPA, visit our CCPA FAQ.

CCPA requires brands to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. Privacy policies must be designed and presented in a way that is easy to read and understandable to an average consumer. Unlike Europe’s General Data Protection Regulations (GDPR), which required app developers to “ask consumers for consent,” the CCPA requires developers to provide consumers a mechanism to “opt-out” from having their personal data sold, with stricter “opt-in” mechanisms for minors. Full legislation here.

The CCPA took effect on January 1st, 2020, with enforcement commencing no later than July 1st, 2020.

Kochava complies with the CCPA in its capacity as a “service provider” in providing Kochava Measurement services.

As an acting member of the Interactive Advertising Bureau (IAB), Kochava is enacting the IAB’s CCPA Compliance Framework within our native measurement SDKs.

Data Protection by Design

The Kochava Measurement and FAA service platforms (“Platform”) are designed to enable clients to:

Determine which personal data the Platform processes;
Limit the collection of personal data to that which is adequate, relevant, and necessary for the purpose of which they are processed;
Manage the retention periods of personal data; and
Destroy personal data.

Data Protection by Default

The Platform is designed to:

Process personal information in conformance to the instructions provided by the client;
Collect only the personal data that are necessary for fulfilling the purposes of which they are processed;
Make personal data accessible only to a limited number of people whose job requires such access; and
Ensure a level of security appropriate to the risk of processing personal data.

Collection of “Sensitive” Personal Data

Kochava contractually prohibits its clients from utilizing the Platform to collect, process, or otherwise handle sensitive personal data.

Data Retention

Kochava does not keep personal data any longer than is necessary for the purposes for which it is being processed. Kochava deletes personal data after a client’s contract has expired or has been terminated.

Incident Response

Kochava will continue to promptly inform clients of incidents involving personal data in line with the data incident terms in our current (and any subsequently updated) agreements. Kochava maintains, and will continue to invest in, advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay.

Third-Party Audit

Kochava is audited annually by an independent third party against GDPR and ISO/IEC 27001:2013 standards.

International Transfers

Kochava ingests client data to its cloud servers from locations across the world. Upon ingestion, Kochava transfers the data to its secure processing facility located in the United States. Kochava is certified under the EU-U.S. Privacy Shield frameworks, which is a legal mechanism to enable the transfer of personal data from the European Economic Area to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. See more here:

https://www.privacyshield.gov/participant?id=a2zt0000000GnEHAA0&status=Active
Kochava also offers clients EU-approved Model Contract Clauses upon request.

Kochava will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and is committed to having an ongoing lawful basis for data transfers in compliance with applicable data protection laws.

Subprocessing

Kochava does not subcontract any of its processing operations to a subprocessor in the absence of a written agreement which contractually obligates the subprocessor to adhere to all applicable GDPR data processing requirements.

Opt-Out & Right to be Forgotten

You may click here to be redirected to the Kochava web page dedicated to providing guidance on opting out of interest-based advertising.

In order to protect your privacy, Kochava has engineered its systems to not collect identifying information such as email, name, and phone number. However, GDPR considers mobile device identifiers and IP addresses to be “personal information.” A mobile device identifier is a unique string of 30+ numbers associated with your device (e.g., cell phone). An IP address is a series of numbers separated by periods that identifies each computing device using a particular “Internet Protocol” at a given time to communicate over a network.

If you are concerned that Kochava has this information, we will be happy to delete it from our systems upon request. You may submit a request to delete all your personal information by emailing Kochava at privacy@kochava.com or by contacting the legal department via telephone at 855-562-4282. However, please bear in mind that when you contact Kochava with such a request, because of the precautions we have proactively taken to protect your privacy, you are actually volunteering more personally identifying information to Kochava as a result of lodging the request than Kochava would have ever had prior to you initiating contact.

Opt Out Policy

Additional Terms

In its capacity as a processor of personal data, Kochava will ensure its contractual agreements with clients require the parties to adhere to the respective obligations of controllers and processors. Furthermore, Kochava will enter into data-processing agreements with clients where required.

Our Consent Management Platform can help you comply with CCPA as a business and GDPR as a data controller.

Learn more

Standards, Regulations & Certifications

Kochava and Trusted Partners†

Comprehensive controls over security and risk management

A framework for legally transferring and processing EU data in the US

Kochava is a registered member of the Trustworthy Accountability Group

Controls over financial reporting

Controls over security, availability, and confidentiality

Public report of controls over security, availability, and confidentiality

Securing cloud computing environments.

German standard for information security of cloud services.

Accessibility Statement

We’re committed to access for everyone. Kochava is committed to making our website as accessible as possible to people with special needs. We are actively taking steps toward improving the accessibility of our website ensuring we provide equal access to all of our users. We view accessibility as an ongoing effort and will continue to devote resources to further enhance the accessibility of our website and other technologies.

Web Content Accessibility Guidelines (WCAG)
Kochava is WCAG 2.1 AA Compliant

Wherever possible, Kochava.com will adhere to the Web Content Accessibility Guidelines (WCAG). These guidelines outline four main principles that state that sites should be:

Perceivable: Information and user interface components must be presentable to users in ways they can perceive.
Operable: User interface components and navigation must be operable.
Understandable: Information and the operation of user interface must be understandable.
Robust: Content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies.

Service Level Standards

The Kochava Platform will operate and otherwise comply and function in all material respects on an uptime basis of 99.99% over a rolling annual basis. If an incident disrupts the client’s use of the Platform, then Kochava shall respond as follows:

Critical Priority Incident rendering the Platform inoperative: Kochava shall respond to Company within one hour of notice and immediately begin replicating and verifying the problem.
High Priority Incident degrading the operations and use of the Platform: Kochava shall respond to Company within four hours of notice and immediately begin replicating and verifying the problem.
Medium Priority Incident affecting the operations of, but not degrading, the Platform: Kochava shall respond to Company within six hours of notice and immediately begin identifying and verifying the problem during normal business hours.
Low Priority Incident having a minor impact on the operations of the Platform- Kochava shall respond to Company within eight hours of notice if alerted between 6:00 a.m. – 8:00 p.m. PST Monday through Friday and begin identifying and verifying the problem within two business days.

†Listed certifications include those held by Kochava directly and those held by our cloud and data center service providers in so far as those certifications are applicable to our data processing and storage operations. For more information, contact privacy@kochava.com.

Have further questions on Kochava Data Privacy and Security?

The post Privacy appeared first on Kochava.