The EU General Data Protection Regulation (GDPR) is a law intend to enhance data protection for all individuals within the European Union (EU). It is the journey that started since April 27, 2016 when the European Union’s General Data Protection Regulation (GDPR) was adopted. Its enforcement will come into effect on 25 May 2018.
As online advertising and marketing companies collect vast amounts of user data every day, the GDPR may have a substantial impact on their business operations and activities across Europe.
Let’s discuss briefly an overview of GDPR and its impact on Ad Tech.
What is the GDPR?
Definition - The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. *
In simple terms, GDPR is focusing on following main principles:
1. Individual Rights
Individual Rights in EU has always been existed but now with GDPR regulation, it has get strengthen.
It means the GDPR empowers individuals/users to own the right to provide the consent on their Personal Identification Information (PII) collection, sharing and usage.
It also allows individuals to see, edit and delete data a 3rd party has on them.
2. Personal Information
GDPR has broadened the area under personal information section to include, but not limited to: name, SSN, IP address, lat/long coordinates, cookie IDs, user agents, RFID numbers, mobile identifiers (IDFA/GAID/etc), e-mail, physical address, and bio-metric/financial/behavioral/demographic data.
With GDPR regulation, how and the level of details being taken from a user in the consent form has now become very important.
a. Level of details
In the past, PII Data used to be grouped under a generic blanket of words such as ‘for marketing purposes’, ‘for future requirements’ etc. in the consent form. However, with the new regulation the full detail information needs to be disclosed in the consent box such as:
What type of data will be collected.
Details of vendors with whom the data will be shared.
Why the data is being collected or shared.
How long the data will be saved.
b. How the consent is being taken
This is also an explicit requirement now as well with the GDPR regulation but the process is not clear yet.
Silence, pre-ticked boxes may not be enough anymore. It must be an opt-in check box with the clear message to the user as to why the opt-in button is there and how its data will be used.
4. Data Security
The GDPR now imposes strong security restrictions on how PII data will be handled.
This includes limiting what is being collected, adding better security protocols, hiring Data Protection Officers, having data breach notification plans, records of data processing and more.
To be GDPR complaint is very important now, especially for all companies operate in EU region or for EU audiences as in case of breach the companies will be charged with 4% annual revenue.
Challenges of GDPR on Ad Tech Ecosystem and the impact on European Ad revenue.
As we know in Ad Tech Ecosystem, advertising heavily relies on programmatic behavioral targeting using the customer data.
This customer data is pulled availing methods like re-targeting, cookie matching, mobile ID targeting, frequency capping, etc. Such methods involve information containing PII data. However, with GDPR as we know there will be strong security measures applied on PII, it seems the entire ad eco system will be impacted for the way the data is being collected. Therefore, data without specific profiles will have a strong effect on its audience targeting and in turn on overall advertising ROI.
Let’s see some of these challenges below:
Getting consent to use the PII data will not be easy anymore. It may require publishers to state the names of who they and their partners share the data with such as ad server, exchanges, DSP and DMP etc. The eco system is so complex that its little difficult to know who all players are involved in the value chain to mention on the consent form. Moreover, if a new vendor joins the chain, it may further require a new consent which again questions marks the feasibility of getting the consent easily from a user in any way.
If one of explanation in the consent form is about the data collection for ad targeting, it's unlikely many users will find this a compelling reason to give their consent.
It may be an ‘opt in’ option with the regulation now so publishers cannot use the data if the user hasn’t opted in, therefore, power of default check box will not help anymore.
Without User’s consent, the programmatic Real Time Bidding (RTB) ads will have no specific targeting, this in turn may affect the CPMs as the matching & targeting will have an accuracy issue and eventually it will affect the overall ad revenue of the publishers.
Publishers, being controller, will have the huge responsibility to ensure:
All partners in the chain honor the consent and manage the data rights (i.e., consenting users have the right to see, edit, and delete stored data).
Understand how their partners will be blocking the PII collection for users who haven’t given the permission.
Data processing agreements are in place with all partners.
To have a list of all partners to show in their consent form to the user.
Update ad serving platform so no cookie is dropped for users coming from Europe and the traffic can be handled in a EU complaint manner.
With so much speculation and unpredictability, advertisers may likely to take a conservative approach initially. They may want to wait & understand the logical course of GDPR regulation first before spending heavy money on Ad Tech. As a result, they may pull back on Ad tech’s ad spend temporarily. However, that doesn’t mean they would not like to spend on marketing efforts. They may push spend towards safer options such as direct selling platforms where PII data is not needed. Such options will be contextual and search marketing.
EU Laws has always been in place with data restrictions, this further enhancement in the form of GDPR regulation is trying to ensure no building of personal profiles happens without person’s knowledge or consent, using this data in automated decision making, unsafe storage or any data breech of PII.
As a result, publishers may make less money and advertisers may spend less, which may impact overall all ad tech vendors. However, some innovative measures may come in place creating a balance between targeting and data security.
The Debate in industry right now is about how heavy the impact will be and for what duration. Will it be restricted to EU only or may spread to US and Asia? How the compliance will take place for users who are EU citizens but not in EU region. Companies may struggle to have Geo specific compliance policies and officers due to the cost & ambiguity so they may decide to opt EU regulation criteria only for all their marketing efforts.
There are many such questions unanswered or in speculation as of now which with time and practice only will get more clarity.
Please clickhere to read more about the topic, the technicalities and how as a company we are following the compliance.