Data is the most discussed topic in advertising and marketing circles.
To date, marketers are focused on its value in driving relevant, personalised ad campaigns, while elsewhere serious concerns are being raised about data security, with recent revelations from Uber and PayPal joining a long list of other high-profile breaches with brand consequences
But 2018 will see the focus shift heavily to data protection, as the EU’s General Data Protection Regulation (GDPR) comes into force on May 25th, with the ePrivacy Regulation set to follow. Both these laws are designed to put consumers at centre stage, providing them with transparency and control and giving them the power to allow or deny the use of their personal information.
But change is difficult, and there is still a general unwillingness to comprehend how these new laws will affect digital advertising -- especially as so much of the industry has orientated itself around US and not European models of data protection. So what might the landscape look like post-GDPR, and are we moving toward an era of data austerity?
It is certain that there will be less businesses operating in the ecosystem, and will that necessarily mean less data?
Will a pan-industry approach to consent be possible?
Consent may not be the only way to establish a lawful basis for processing data, but it is the method the ad industry will have to come to terms with -- the shift to consumers "opting in" for data collection and processing, rather than consent being granted as a default.
It may be easier for some websites than others to request consent -- for instance, premium news brands where the user frequently reads articles, or retail brand websites where the user often shops. But obtaining individual consent will prove challenging for most and impossible for some. This is where the understanding of the law ends, and the understanding of the consumer starts.
It’s not just publishers that need consent for data processing. Every link in the data supply chain from DSPs to attribution providers will need to obtain consent via a publisher as a named third party, or attempt the impossible and obtain consent independently.
Some players can dodge the consent bullet -- anonymous forms of measurement will be exempt from the GDPR, such as reporting on reach and how many people have visited a site. But this information will not then be available for use at an "individual level," or to measure across sites. If companies don’t have the necessary agreement in place to process consumer data in this way, it could lead to decreased investment and diminished publisher revenue.
If Ad Tech firms think they can use ‘legitimate interest’ as a way of establishing a lawful basis for processing they may be disappointed. The formal ‘balancing test’ which needs to be performed before one can claim a business has a ‘legitimate interest’ to process data has too many criteria that tip the scales against processing for ‘advertising purposes’, especially if a firm has no direct relationship with a consumer. This is, of course, not the case for ‘marketing purposes’ where legitimate interest is well established as a basis for processing.
To maintain a thriving digital ecosystem on a technical level, a pan-industry approach is required to provide consent solutions not just to multiple publishers, but also their associated digital supply chain. For example, the IAB Europe has launched its own GDPR Transparency and Consent Mechanism to this end.
While it is a massive leap forward to bring the industry together around common technical standards and mechanisms, consent ultimately relies on the consumer saying "yes." The user experience designed to legally deliver the "yes," and the relationship between that user and the brand will be the deciding factor. While the GDPR is being talked about widely within the industry, how many consumers know we are moving from a position of consent being "on" by default to one where it is "off"?
As publishers will have to name third parties when asking for consent and name the specific purposes that data will be used for, they are likely to have to make hard decisions about the number of vendors they use in order to avoid bombarding consumers with too many options. A quick glance at data-tracking technology provider Ghostery shows that large media sites can have upwards of 50 trackers, all of which would require consent.
And who will decide the order and which vendor goes to the top of the list? Third-party trackers may be providing complementary services to make processes work, but ultimately it will be the consumer who has the choice, regardless of how informed they are about these processes.
Will GDPR signal the end of the current DMP model?
Data Management Platforms (DMPs) are increasingly used by marketers to generate customer profiles for targeted messaging, by combining a variety of data streams. This information comes from a variety of sources such as tags, ad pixels, mobile SDKs, and third-party data, as well as owned first-party data.
DMPs were designed to pull data from a diverse set of locations, and push the resulting -- intuitively defined -- profiles onward to other technology platforms for activation. This means combining first-party and third-party (often referred to as second-party) data, and in a post-GDPR world raises significant questions about how thatthird-party data will be made available lawfully, especially if consent is the basis for processing.
With the new regulations requiring clear data pathways and known provenance, it may be that the current DMP model doesn’t have a part to play in acquiring customers. On this basis DMPs would be used more for marketing than for advertising.
Does the GDPR give tech giants the upper hand?
There are suggestions the GDPR will result in more power for the technology giants and, in some ways, this is true. The walled gardens that make up GAFA -- Google, Apple, Facebook and Amazon -- already have consent built into customer relationships via registration processes.
However, as the major tech giants operate across multiple applications, certain parts of their businesses may be affected. When it comes to mobile apps, for example, the GDPR is likely to cause some problems for companies that operate app stores or provide API sets for developers.
The new law calls out "online identifiers" such as AdIDs -- the unique identifier that tracks activity on mobile devices in a similar way to cookies -- as personal data. Because an AdID is unique to the individual user, all apps on a single device access and can share that AdID data and that is collected as they are "super distributed" across the ecosystem. AdIDs are property; they belong to Google and Apple. But what are the GDPR compliant terms which will allow them to be shared, where do they sit in the customer journey, and how will opt out be managed?
While some may say it is too soon to know what a post-GDPR world will look like, it is safe to assume that digital advertising will be impacted, as the new law was designed to impact on this very industry.
The one thing we can be sure of is that the flow of consumer data will still be essential to the effectiveness of digital advertising, and therefore to the sustainability of the entire online ecosystem.
While the industry is currently ill-prepared for radical change following 25th May 2018, the regulation will inevitably inspire fresh business strategies and technological innovation, so businesses can operate safely and compliantly in a post-GDPR world.