The General Data Protection Regulation (GDPR) — a pending EU regulation set to take effect May 25, 2018 — is primed to change the way in which programmatic marketers connect with EU consumers.
But what exactly is the GDPR, and what type of impact will it have on the programmatic advertising industry?
What is the GDPR?
The GDPR is a regulation set to take effect on May 25, 2018. Initial discussions surrounding the regulation began in 2012. By April 2016, the GDPR was officially adopted by the EU Parliament, with a two-year transition period.
At its core, the GDPR addresses consumer concerns about data privacy and security. Boiled down, a few of the most prominent changes for programmatic marketers include:
- In most instances, "personal data" can only be used with the express consent of the consumer
- Consumers have a “right to be forgotten” and a right of “data portability”
- Administrative and record-keeping requirements
What is ‘personal data’ as it relates to the GDPR?
"Personal data" ranges from email addresses to medical records to bank details — virtually anything that can be used to personally identify an individual.
For the sake of simplicity, a few of the big takeaways for programmatic marketers are the pending changes to the ways in which cookies, IP addresses, device IDs, and location data can be used for digital advertising.
Recital 30 of the EU GDPR defines “online identifiers for profiling and identification” as follows:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
Importantly, cookies are considered “personal data” when said cookies are used to identify an individual — as is often the case in programmatic advertising. The same is true for IP addresses, location data, and device IDs.
What constitutes ‘consent’ for the use of ‘personal data’ under the GDPR?
Article 7 of the GDPR spells out “consent” as it relates to the new regulation. A few key notes here:
- Consent must be freely given by the consumer. Consent cannot be implied.
- Pre-ticked boxes are no longer permitted.
- Passive notices such as “by using this site, you accept cookies” are not compliant with the GDPR.
- Consent cannot be hidden in long Terms & Conditions; it must “be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
  - Consent is not binding if it’s obtained in this manner.
- The consumer has a right to withdraw their consent at any time.
  - “It shall be as easy to withdraw as to give consent,” the regulation reads.
Article 8 details consent as it relates to children below the age of 16. If the child is below the age of 16, consent to use personal data must be “given or authorised by the holder of parental responsibility over the child.” (Individual EU member states can move the age from 16, but it can go no lower than 13; Spain has so far kept its age of consent at 14.)
A handful of Recitals go into further detail regarding the process of consent as it relates to personal data, including:
- Recital 32: Conditions for consent
  - “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
  - “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
  - “When the processing has multiple purposes, consent should be given for all of them.”
- Recital 33: Consent to certain areas of scientific research
- Recital 38: Special protection of children's personal data
- Recital 42: Burden of proof and requirements for consent
  - “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given.”
  - “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
- Recital 43: Freely given consent
Consumers have a ‘right to be forgotten’ and a right of ‘data portability’
Article 17 of the GDPR details the consumers’ “right to erasure,” colloquially known as the “right to be forgotten.”
It means that consumers have the right to request that their personal data be erased from specific data controllers for a variety of reasons, including basic withdrawal of consent.
An important takeaway here is that programmatic marketers who deal with consumers’ personal data must also have the ability to erase that data, should the consumer exercise their “right to be forgotten.” This applies even if the consent has already been obtained because the consumer can still withdraw their consent and request the right to erasure.
Article 20 details the consumers' right to "data portability." This means that consumers have the right to receive the personal data they provided to a controller "in a structured, commonly used and machine-readable format." The consumer also has the right to transmit their personal data to another controller, per the regulation.
The GDPR impacts marketers worldwide — not just in the EU
As detailed in Article 3 of the GDPR, the regulation “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union,” so long as the data processing is related to:
- “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or”
- “the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Recitals 22, 23, 24, and 25 further detail the territorial aspects of the GDPR, but the takeaway is clear for programmatic marketers: Even if you aren’t located in the EU, if you monitor the behavior of an EU consumer, or offer them goods or services, you are still required to abide by the GDPR.
What kind of impact will the GDPR have for companies invested in programmatic advertising?
The exact implications may not be known for some time, but there are a handful of potential paths.
The industry-to-consumer discourse may look similar to that around ad-blocking
For starters, given that DSPs, SSPs, and other players tucked into the ad tech stack do not have as much direct exposure to consumers, the onus may largely be on consumer-facing companies to communicate with consumers as to why data sharing can be beneficial to them. Publishers, websites, and marketers figure to assume much of this responsibility — thus making first-party data even more paramount.
The conversations that take place may look similar to those that have occurred throughout the recent ad-blocking phenomenon, in which publishers have attempted unique ways to communicate with customers regarding the use of ad-blockers.
Publishers that have relied heavily on programmatic advertising to support their businesses are primed to undergo the most significant changes, but they are also in a good position to obtain consent. High-quality publishers could benefit the most from the GDPR, as they are more likely to receive consent from consumers than low-quality or little-known publishers.
Shoring up ‘data leakage’ takes center stage
Here’s how Digiday describes “data leakage”:
"Data leakage typically occurs when a brand, agency or ad tech company collects data about a website’s audience and subsequently uses that data without the initial publisher’s permission."
If a publisher obtains consent from a user, they must also protect that data — e.g. prevent data leakage — which means they must have tight contracts with their partners and processors. Trust and transparency will also be paramount, which will likely lead to a shift in the number of platforms publishers team up with.
Under the GDPR and its terminology, publishers will most often be “controllers.” Article 4, Section 7 of the GDPR defines a “controller” as the “... body which … determines the purposes and means of the processing of personal data.”
The “processor” is the “... body which processes personal data on behalf of the controller” (Article 4, Section 8).
As detailed in Article 33, data breaches must be reported within 72 hours by the controllers.
Conversations about ‘transparency’ may accelerate
Trust and transparency are already at the forefront of the conversation in the programmatic ecosystem, and the GDPR may serve to accelerate the industry-wide push for more accountability.
Marketers and publishers may be held accountable for non-compliance by third parties, which means all players in the ad tech ecosystem will become more reliant on one another. This also means that the ecosystem may undergo a significant change in the number of partners marketers and publishers work with. Consolidation may be expedited as well.
Contracts will likely be revised to ensure compliance, and publishers will likely gain significant leverage in demands for transparency regarding the data used by any of their partners or platforms.
Reduced quantity, increased quality
The scale of data used for programmatic buying will likely decrease (not every EU consumer will give express consent), but the quality of that data figures to increase (those that do give consent are affirming that they understand and are okay with the value proposition).
As such, CPMs could increase as competition intensifies and marketers focus on more intentional, transparent spending.