Advances in digital wired and wireless technology are rapidly expanding both the types of media and the devices that advertising, marketing and brand professionals can use to reach consumers. Not only is the B2C landscape changing, but even B2B marketing is undergoing rapid and often radical shifts in tactics, techniques, challenges and opportunities.

Indeed, the advertising and marketing buzzwords over the past few years have shifted from "eyeballs" to "engagement"; from "brand recognition" to "brand reputation"; from "messages" to "conversations"; and from "online" to "digital," as the inclusion of wireless and mobile applications and interfaces has been transformative in ways we could never have imagined just a few years ago. With technology as a dynamic enabler, cloud computing represents yet another shift in the ability of advertisers and agencies to reach their target audience, and for consumers and businesses to interact with the marketing community.

As technology decreases in cost and increases in utility and accessibility; and as increased bandwidth and compression algorithms expand the capabilities, features and functions of interface devices, marketing professionals are increasingly able to capitalize on these technological innovations in a number of ways through: (1) an abundance of new content (music and video, for example) and programming made for online and mobile, mushrooming at an exponential rate; (2) “apps,” which are rapidly becoming the preferred method of not only essentially bookmarking favorite web locations and accessing content, but also of sharing of information on social media; (3) robust data collection—there is a marked increase in data available, shared, created and collected; and while monetization and pricing, to some extent remain confusing in the marketplace, we have never before seen such robust capability to capture advertising metrics, demographics, geographic, and context-sensitive data, as well as consumer personal information and preferences; and (4) technology scalability—spikes in server usage and bandwidth demands are more easily handled, and changes in requirements can often be responded to in seconds, not days or weeks.

Whether you are in a business that advertises, develops advertising, serves advertising, collects advertising information, measures advertising data and effectiveness, monitors advertising, or displays or distributes advertising, the real time, digital demands that can change in an instant have to put a strain on the current IT infrastructure, information security mechanisms, and existing storage and processing capacity.

In an effort to manage the load and demand issues in a rapidly changing technological environment, many companies are looking to cloud computing as a means of addressing their changing (and often increasing) IT infrastructure needs. At the same time, global companies are also looking to reduce costs and figure out the challenges of global branding, coupled with local relevance. While cost savings are certainly an initial selling point of cloud computing (just as it was with outsourcing information technology, business processes or call center requirements decades ago), moving to the cloud, in whole or in part, requires planning and management—and unfortunately, all too often the ad sales, marketing and brand management groups are not even consulted when a decision to look to cloud computing is considered or taken; it is often viewed purely as an information technology, security or compliance matter, best handled by the IT department.

Overview of Cloud Computing

While there is no industry agreed-to or standard definition, cloud computing is generally defined as Internet-based computing, where shared resources, software and information are provided to computers and other devices on demand, like a public utility. Cloud computing allows users to access hardware and software over the Internet on a pay-per-use basis through utility-like access portals, often coupling the availability of programming applications, data and content in a cloud environment as well. While ostensibly, a cloud computing model can be implemented internally by a company’s own systems and communications staff, that presumably creates none of the prioritization, control and management challenges that outsourcing to a third-party cloud provider entails. For purposes of this analysis, we focus on external cloud services provided by third parties over a network connection.  

There are three primary categories available as cloud computing services:

  • Infrastructure as a service (IAAS): Delivers virtual servers on demand, such as Elastic Compute Cloud, available from Amazon Web Services LLC (the entity providing cloud services—we’ll just use “Amazon”)
  • Platform as a service (PAAS): Delivers developmental platforms, such as Microsoft’s Windows Azure AppFabric, that allow each customer to develop and run its applications
  • Software as a service (SAAS): Delivers software that users can access over the Internet, such as GoogleDocs (Google’s suite of word processing, presentation and spreadsheet programs), which is used over the Internet and stored on Google’s servers.

For advertisers, publishers, advertising networks and agencies, there are, pardon the pun, a host of benefits to be found in cloud computing, including providing: (1) scalability; (2) collaboration capabilities; (3) ad serving options; and (4) advanced data collection capabilities.  


Cloud computing is highly scalable. Ad serving, depending on success metrics, timing and other factors, can be ramped up or reduced, with multiple iterations or variations or types of ads stored and available to be served on demand, without investing in costly infrastructure or without suffering the vagaries of IT peaks and valleys. Businesses can launch new services, or develop and implement corresponding advertising and marketing campaigns, with little concern over whether a spike in demand or views or the need to increase ad serving, will create a serious problem or even be unavailable. If an advertiser launches a new advertising campaign with a Super Bowl commercial, the cloud and its scalable capacity should generally be able to handle the resultant spike in demand with nary a peep.  


Cloud computing also facilitates activities that are not simple or that may be resource-intensive (or unavailable) using traditional IT infrastructures. For instance, cloud computing can provide the ability to collaborate online and to access information anywhere in the world, with multiple applications, multiple access points, common content, information and data availability, in real time, across time zones and geography—all without requiring any additional resources, effort, equipment or software by anyone on the collaborative team. Removing dependence on all of these allows the advertiser to collaborate with agencies, suppliers, talent, publishing networks around the globe, as well as internally with marketing and—here it comes— legal, whether inside or outside counsel!  

Cloud computing has the potential to change the way companies and industries operate. The creation of private clouds designed to reflect the unique requirements, standards, and services of a company or an industry, will proliferate. Of course, to be ubiquitous and feature-rich, they will need to interface and interoperate with other clouds; but consider that today, it remains common practice to send CDs or DVDs back and forth, or emails with links (or even attachments!), or to create FTP sites, in order to review commercials as they are being developed. Reviews may be made by creative teams, marketing, compliance, legal—all of whom may have input or may require editing before a commercial can be released, whether for network clearance or for public viewing. A cloud enables the collaboration to take place with standardized tools and techniques, auditable methodology, interactive cooperation and clearly a more cost-effective platform, reducing the overall preparation, operation and distribution expense.

Ad Serving Options

Further, and certainly not least, cloud computing offers a wider array of choices and flexibility for advertisers to distribute and display advertising. Consider the ability to create and distribute advertising that could reach consumers regardless of the technology they had available. The cloud could detect and serve ads in a form, format and version, just right for the device the consumer is using at that very moment. Similarly, through authentication methodologies, individuals traveling or outside their home base will still be served advertising relevant to them, because the cloud will "know" the log-in credentials or the mobile device number. Traveling to Spain, you will still see ads in English targeted to you—unless of course, you tell the "cloud" you want something different.

Context-sensitive searches will allow consumers to select advertising based on their preferences, literally on a moment’s notice. Visiting Amsterdam? A search for local restaurants and ads will be able to target your needs. Business meetings in Buenos Aires? Search for directions and you could see English-language ads for business services in or around town. Although all of these features may currently be available today using non-cloud platforms, make no mistake, their cost-effectiveness, universal availability, and ubiquitous functionality are meager compared with the robust capabilities that will soon be available in the cloud.

Advanced Data Collection Capabilities

Cloud computing increases the ability to gather data and analyze metrics across different platforms. The most precise data (i.e., personal identifiable information about a consumer) still remains the subject of volatile and heated debate. In the cloud, global data, both aggregate and consumer-specific, will become the subject of even hotter debate. As will be noted below, privacy, surveillance and similar issues will continue to be hotly debated, but one area that everyone is likely to agree upon is the fact that cloud computing will make significantly greater amounts of valuable information—gathered on a global scale, segmented in as many ways as the marketer’s imagination can conjure up—accessible and usable.

Key Legal Issues

Although myriad legal issues arise in a cloud computing environment, this paper will focus on three key areas of concern: (1) confidentiality, privacy and data protection; (2) global regulatory compliance; and (3) intellectual property.

Confidentiality, Privacy and Data Protection

One of the primary legal concerns expressed by regulators, consumer groups and information security professionals when it comes to cloud computing revolves around issues of privacy and data protection—the security, integrity and reliability of information and data. In a cloud computing environment, businesses are concerned about ceding control over their data, their proprietary processes and ultimately their digital capabilities, to a third party. Consumers search for assurances that their personally identifiable information, personal and private data, their financial and health records, for example, will be safe and secure, protected not only from unwanted and unauthorized intrusion, misappropriation and alteration, but also from use in ways that were not intended and are often unknown and undisclosed.

Information and data may be subject to laws governing their collection, processing, storage and use. Who is responsible for compliance may well depend on the relationship of the parties (is it B2B, B2C, or some combination of these) and the laws and regulations that apply (either by contract or based on the jurisdiction that applies to one or more of the parties). Multiple parties, multiple jurisdictions and the blurring of responsibility for delivering data, content, application programs, processing resources and communications, or interface capabilities, will likely give lawyers much to negotiate (and litigate) over the next decade.

From the advertisers' perspective, the "service" in a cloud will likely consist of a continuum of activities, from the creation of advertising to the delivery of the ads themselves, and ultimately to measuring the effectiveness and resultant product and service delivery when positive responses are received with respect to the advertising. Contractually allocating the risks involved at each stage of the process is likely to be something the industry struggles with for some time to come, as standards will be difficult to define and the sheer diversity of parties, roles and responsibilities with endless permutations can be numbing.  

While the protection of personal and personally identifiable data and information is subject to a variety of laws and regulations in the United States and many countries around the world (e.g., in the United States, the Graham-Leach- Bliley Act applies to personal information collected by financial institutions, and the Health Insurance Portability and Accountability Act to medical and health information), the advertising and marketing industries face new and uncharted challenges as the regulation of virtually all kinds of information derived from digital advertising is being targeted for legislation and regulation. Most industry professionals are all too familiar with terms such as "browser ad blocking," "opt-in" cookie legislation, "online behavioral advertising," "tracking," "location based marketing." All of these terms have arisen in the context of some technological innovation, enabling advertisers to gather more information, segment demographics more granularly, and focus increasingly relevant advertising to the right target audience. Unfortunately, the abuses that have crept into the system have caught the attention of regulators and legislators, and it is too early to tell what, if any, beneficial effect the industry’s self-regulatory initiative (i.e., the Digital Advertising Alliance and the online behavioral advertising self-regulatory guidelines), is having on these abuses.  

In addition to industry regulations, most states in the United States have laws regulating the collection and security of the personal information of their residents, and states are continuing to strengthen these laws by proposing new laws or amendments to current laws. In April 2011, California introduced a bill that would require companies doing business in California to provide Internet consumers with a method to opt out of the collection or use of any "covered information." Other states have also introduced new bills relating to data collection and/or security breach requirements, including Massachusetts, Hawaii and Colorado.  

Data protection laws and regulations abound throughout the world. Consider for instance the European Union’s Data Protection Directive1 (“EU Directive”) that requires Member nations to enact legislation and implement regulations regarding the collection, processing, storage and transfer of personal information outside of the EU, and attaches to any personal information processed by a Member State and to personal data of residents within each Member State. This imposes restrictions on the export of personal data of EU citizens and residents to anywhere outside the EU.2 Laws and regulations in the United States, European Union and throughout the world create a patchwork quilt of obligations, disclosure requirements, restrictions, responsibilities and liabilities that global and multinational companies will need to navigate in a cloud environment.

When it comes to security, there are laws, regulations and, increasingly, industry self-regulatory requirements (e.g., the Data Security Standards of the Payment Card Industry, commonly referred to as “PCI DSS”) that companies will need to comply with as consumer information is collected in connection with advertising and marketing. Encryption and data security is or will be required when, for example, personally identifiable information, credit or other payment and financial information, health and medical information, is involved.  

The requirements often extend not merely to the advertiser, but also to every entity that touches the information: agencies, vendors and suppliers, distributors, networks and publishers will be required to contractually commit (or be formally subject to regulations). Due diligence, modified contract terms and conditions, and constant reevaluation is needed to ensure each of these entities has adequate physical and logical security controls for safeguarding the information and data, and is properly authenticating users; controlling who is given access to the information; who the information and data is shared with; when, where and how appropriate disclosures, opt-in or opt-out opportunities are given; and so much more, depending on the situation.  

For instance, if the provider’s terms of service allow the provider to have access to a user’s data or to share the data, could this violate the advertiser’s own privacy policy? Google’s terms of service provide that Google has the right to “pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service.”3 If an ad agency uses the services of the "cloud," would contractually agreeing to such a right violate the provisions of contracts between the agency and its client, the advertiser, or the advertiser and customers and consumers?  

Should advertisers seek to add (or require that their agencies, suppliers and others add) specific clauses that prohibit cloud providers from monitoring their information and data, or using it, other than as necessary to provide the services (e.g., capacity planning, network traffic monitoring, operational and systems configuration)? Consider the following. Not that long ago, in an advertising environment ruled by passive, one-way communication— television, print, radio, direct mail—only the advertiser, its agency and perhaps the retailer conducting the promotion or redeeming a coupon, would be in a position to gather personally identifiable information about consumers. Rating services and metrics were by inference and statistics, more often than not, rather than by direct observation.  

Today, network publishers, ad serving networks, search engine providers, social network operators, wireless carries and even browser technology providers, are in a position to gather such data and information. Indeed, not only firstparty advertisers, but third parties as well can now obtain, store, analyze and ostensibly use behavioral marketing information about consumers.  

As you may already know, the U.S. Federal Trade Commission (“FTC”) takes the view that a company’s website policies, its terms, conditions and privacy statements—the agreements by which consumers are bound when they visit or register and use a particular website—represent claims and express representations to consumers about how their information and data will be collected, stored, used and, if applicable, shared. Failure to adhere to one’s own website statements, even if well beyond what the law requires, not only can give rise to a cause of action from a consumer alleging breach of contract, but may also draw action from the FTC for misleading or deceptive advertising under section 5 of the FTC Act.  

It is likely that we will continue to see additional and/or revised regulations ahead as regulators begin to address the data privacy risks involved in cloud computing. For instance, this year the European Union is planning to propose a new general legal framework for the protection of personal data in the EU covering data processing operations in all sectors and policies of the EU.4 We have also already seen the proposal of several new federal privacy bills.  

Global Regulatory Compliance

In a cloud computing environment, a company may no longer know where its data is at any particular point in time—physically or logically; and while technically it may be possible to audit and trace each bit and byte, as a practical matter, from an availability and access viewpoint, the data might be stored on one or more servers somewhere— across the street, across state lines, national boundaries or across the globe, perhaps even in multiple data centers all over the world. Which jurisdiction’s laws and regulations govern? What level of data and privacy protection is “adequate”? What about transborder data flow? Is your company subject to the laws and regulations of multiple jurisdictions, potentially dynamically changing jurisdictions? Due process and subpoena requirements are not harmonized around the globe—in some jurisdictions, law enforcement and government officials have wide-ranging power to examine and even confiscate data resident on processors or storage devices within their borders.

While a company’s service agreement with its cloud provider can address choice of law between the two parties, it will not provide either a company or an individual user with a choice of where its data will be stored, where it might be routed or processed, and how it can be dealt with by others in a variety of jurisdictions. In the United States, the USA PATRIOT Act, and in the United Kingdom, the Regulation of Investigatory Powers Act, can provide government access to private data. First Amendment protections under the U.S. Constitution might not be immune from defamation, criminal or civil liability in other jurisdictions. As most advertisers already know, advertising standards and regulations vary widely across jurisdictions, and while we tend to think it is only where the ad is "displayed" or visible that laws and regulations would really apply, that is a notion borne more in common sense than legal or regulatory precedent. moved its website to a cloud provider.5 The Chicago Sun Times is deploying its editorial software in a cloud computing environment.6 Are journalists and is news-content accorded the same protections everywhere? In a cloud environment, that is not a trivial question.  

What if the intellectual property laws in one or more nations provide little or no protection? What if your data and information is passing through, enroute to its destination, but transmitted through servers and repeaters and transmission mechanism in multiple jurisdictions? Imagine having a telephone conversation between individuals in country A and country C, but the signal passes through country B on its way. What if country B has no protections against wiretapping? Against listening in on the conversation? Against taking the contents of the call and using it within country B? What if country B has laws that prohibit, restrict or object to content transmitted across its borders for any number of reasons? Serving advertising is not that different from serving any other content, and if a country has the capability and the right to censor or restrict one, it can do so with any content, including advertising. Right now some cloud providers, such as Amazon’s EC2 Service, have ways to address this by allowing users to select “Availability Zones.” Amazon currently has multiple availability zones in the United States and Europe.7 While of some comfort, an "Availability Zone" is still not dispositive of the route personally identifiable, trade secret or sensitive health or financial information may take on its way from point A to B!  

The situation is indeed cloudy and it may take quite some time before we can see clearly and before cloud users have the ability to manage these issues with less risk than is evident today.

Intellectual Property

Although intellectual property issues associated with Internet-based technologies are not new, cloud computing adds an interesting twist, and we have already mentioned a number of them above. Because of the multi-tenancy and quasi-public nature of cloud computing, a company could theoretically be putting its trade secrets at risk by storing its proprietary and sensitive advertising, development, and creative, as well as advertising metrics, with a cloud provider. What if the cloud service agreement allows the cloud provider to see, scan or use the company’s information in some way? Are you required to perform adequate due diligence on the security, integrity and reliability of cloud providers, their data and information security standards, privacy policies, compliance mechanisms? Could you be liable for failing to make reasonable inquiries and obtain contractual covenants in these areas? After all, cloud providers are not immune to security breaches. In 2009, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC seeking an investigation into Google’s cloud computing services after there was a security breach in Google Docs.8  


Cloud computing holds significant promise for the advertising, media, gaming and entertainment industries. But make no mistake: there are challenges and concerns that must be carefully considered—evaluated based on the nature of the activities, data and information, and requirements. For advertisers, agencies, network and publishing providers, the decision to go to the cloud should be made carefully, taking into account these factors and weighing the benefits and risks. While the technology and the regulatory landscape of cloud computing is and likely will continue to change dynamically in the months and years ahead, cloud computing, like any innovation, can represent extraordinary risks and potential new liabilities, but may also provide a host of benefits and a promise of increasingly globally effective, locally relevant, readily distributable, inexpensive delivery of high-quality advertising in the future.