Data Privacy and DOOH Audience Measurement

Published by Visual Solutions on

Our public spaces are much more private than you might think and solutions for Digital Out of Home (DOOH) audience measurement would do well to bear this in mind. Failure to do so risks possible legal action and severe financial penalties. Living in the so called ‘era of customer consent’ where personal data can only be stored with the explicit consent of the relevant individual means that audience measurement solutions are treading a virtual minefield of rules and regulations. Reviewing previously implemented solutions it is easy to see where they can fall foul of such regulations. Recent legislation in a number of countries has meant that the definition of personal data is much more broader than you might originally think.

We should start by considering some the reasons why audience measurement would be so important to the world of DOOH. These are:

  • Marketers need accurate audience exposure data for the planning of cost-effective campaigns
  • Clients require proof of DOOH’s advertising budget worth
  • Media owners need accurate data for pricing their screen inventory and return on investment
  • Programmatic buying based on prediction requires accurate historical measurement of audience impressions
  • Dynamic messaging with content shown within DOOH ads relies on key triggers to drive that messaging
  • Precise targeting of customers based on matching device-collected data with audience insights from third-party attribution vendors, think “Minority Report”

How is audience measurement obtained

There are a number of different technological approaches to measuring the size of DOOH audiences such as :

  • Digital cameras used alongside facial detection technology
  • Digital cameras used alongside vehicle licence plate recognition
  • Mobile data collected from sources such as mobile apps installed by the user, or part of the mobile operating system
  • Collection of Wi-Fi data such as GPS signals, Wi-Fi networks, Bluetooth beacons etc. For instance mobile phones broadcast a request (known as the 802.11 probe request) when searching for near by Wi-Fi hot spots
  • Audience surveys, geolocation data, traffic counts and other public and commercial sources used to gauge the size and composition of the estimated audience exposed to DOOH ads. It should be noted this is primarily audience estimation and not true measurement
  • Other sensors such as beam breakers or LIDAR

Why the concern?

Somewhat inconveniently for marketers, as the technological capabilities of these solutions have increased, the continuing development of privacy legislation and regulations are starting to restrict the opportunity to use them.

There is an increasing public sentiment against being watched and tracked in public. As a response, legislation such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the USA, are reducing the options for collecting personal data to specified, explicit and legitimate reasons. In practice, this means that collecting personal data from people for commercial reasons without their awareness and consent is not permitted.

What is personal?

The question then is what is personal data? Recent rulings have decided that all of the following represent personal data:

  • Real mobile phone MAC addresses
  • Mobile phone location data
  • Mobile phone Ad IDs (MAID)
  • Vehicle identification plates
  • Facial features

Apple and Android have both implemented anonymous MAC addresses over the last few years, such that probe requests are all now broadcast using randomly generated addresses. These addresses change either periodically or on each probe request burst. These random addresses are not considered personal data. Data collected from older mobile devices that still broadcast the real MAC address is considered personal data. However real MAC addresses now make up less than one percent of the mobile probe request traffic. Because of this they can safely be ignored without affecting the accuracy of the audience measurement taken.

The Mobile Ad ID (MAID) is a sequence of random symbols, given by the mobile device’s operating system. It can be shared with the servers of the apps that the user is using to track their customer journey and their choices. Any sort of tracking or remembering of personal choices has already been recognised as personal data. In fact all mobile operating systems now require a user to opt into the use of MAIDs when installing an application. The opt in rate is estimated to be less than 20% and getting smaller and it is widely believed MAIDs are no longer a viable source of measurement. Apple Killed The IDFA. What Else Dies?

Vehicle registration plates are clearly personal data, and so, for example, photographing traffic and reading and storing registration numbers would fall foul of GDPR. So would capturing images of peoples faces using a camera and storing them.

Some companies are now using Anonymous Video Analytics (AVA) as an alternative to facial recognition technologies. In this case images are captured and processed on device in real time, frame by frame. Images are only stored while being processed and are never transmitted. However, even with this approach there have been recent rulings by privacy regulators that the approach falls foul of the local privacy regulations, and cannot be carried out without the awareness and consent of individual members of the public. Using AVA technology in public settings | BLG

What is clear is that the environment of increasing privacy regulation is making audience measurement more difficult, despite the advancing capabilities of technology that can make it much easier.

The road ahead

Going forward it is reasonable to expect that privacy regulations will continue to develop in only one direction; giving more privacy rights to the individual. Contravening any of these regulations is expensive as witnessed by the eye-watering fines that have been issued by the European Union when companies fall foul of GDPR (Enforcement Tracker). Audience measurement metrics that have been readily available in the past, such as dwell time, will become more difficult to obtain.

As already discussed MAIDs should be considered a technology of the past. The same can be said for any technology that identifies and stores vehicle licence plate information.

When a camera technology captures and stores a facial image or a unique data point derived from the image that can identify the same face later, this is considered personal data. Therefore, the measurement solution needs to get consent from the people whose faces it captures. Obviously obtaining such consent is difficult if not impossible for most DOOH scenarios.

The only way to measure DOOH audiences in real time without breaking any privacy laws is to use methods that do not identify anyone, such as detecting anonymous Wi-Fi signals. Technology behind Crowd-Sense.

Our public spaces are truly more private than you might imagine and the strength of this privacy will only increase as more countries and regions enact privacy legislation and legal action is taken against those businesses that breach it.