Exhibit number one would be how Google, RTB and programmatic just kept on going as if GDPR had never happened.
It always struck me that we would need to change our definition of personal information -- to allow anonymised data to be used with impunity, although someone somewhere knows whom it came from -- or at least widen the remit of companies to share data with whoever might appear on an ad network, rather than require them to be specific about where data goes.
The devil is always in the details, and that's why the ICO has asked the programmatic industry to show that it is compliant by the end of the year -- more than a year and a half after GDPR became law.
The latest area that has my digital marketing "spidey senses" tingling is second-party data. It's a term I think we've all come across a lot since the introduction of GDPR. Netimperative is reporting today on research that says second-party data investment has trebled year-on-year.
The notion of second-party data is that to get away from the term "third-party data," one need only share data with one other company and then it becomes second-party data.
I'm not sure about you, but I just don't get the distinction. I get that third-party data is usually from multiple sources and so can get reach and volume with the acceptance of a risk to quality. It's also easy to see how this risk to quality can be dealt with by going to just one source.
But there's no such thing as a second party, is there? It's a term made up by our industry to get away from using the term third party -- and yet, still, if you use someone else's data, that is a third-party source, surely?
Not only is the term a little off -- I'm wondering about how well set up the data collectors and controllers are under GDPR.
Don't get me wrong -- data can be passed on to third parties completely legally with the explicit consent of each person involved and with a clear explanation of whom it will be shared with and for what purpose.
I'm not a legal eagle, but I would imagine some brands engaged in this might need to look at their consent wording and their privacy policies to make sure they're water tight.
However, my main two questions are simple.
Can sharing data with someone else ever be second party? It's still third-party, surely, only more selective?
Secondly, and this is thinking out loud -- it's not an accusation -- are people involved in second-party data ticking every box (literally) and getting the full, informed, granular consent of each member of the public for their personal information to be sold or shared with whoever shows an interest in it?
The wording would definitely have to be pretty loose, as it would be hard to tie down when a collector doesn't know who might later pay for that data and for what purpose.
If these companies are collecting data about religion, health, politics and trade union activity, they would, of course, need specific consent for each of these categories because of them being singled out as special categories of data.
Consent aside, if nothing else, surely the term needs a rethink.
Second-party data? It's just not a thing, really, is it?