The General Data Protection Regulation (GDPR) — a pending EU regulation set to take effect May 25, 2018 — is primed to change the way in which programmatic marketers connect with EU consumers.
But what exactly is the GDPR, and what type of impact will it have on the programmatic advertising industry?
The GDPR is a regulation set to take effect on May 25, 2018. Initial discussions surrounding the regulation began in 2012. By April 2016, the GPDR was officially adopted by the EU Parliament, with a two year transition period.
At its core, the GDPR addresses consumer concerns about data privacy and security. Boiled down, a few of the most prominent changes for programmatic marketers include:
"Personal data" ranges from email addresses to medical records to bank details — virtually anything that can be used to personally identify an individual.
For the sake of simplicity, a few of the big takeaways for programmatic marketers are the pending changes to the ways in which cookies, IP addresses, device IDs, and location data can be used for digital advertising.
Recital 30 of the EU GDPR defines “online identifiers for profiling and identification” as such:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
Importantly, cookies are considered “personal data” when said cookies are used to identify an individual — as is often the case in programmatic advertising. The same is true for IP addresses, location data, and device IDs.
Article 7 of the GDPR spells out “consent” as it relates to the new regulation. A few key notes here:
Article 8 details consent as it relates to children below the age of 16. If the child is below the age of 16, consent to use personal data must be “given or authorised by the holder of parental responsibility over the child.” (Individual EU member states can move the age from 16, but it can go no lower than 13; Spain has so far kept their age of consent at 14.)
A handful of Recitals go into further detail regarding the process of consent as it relates to personal data, including:
Article 17 of the GDPR details the consumers’ “right to erasure,” colloquially known as the “right to be forgotten.”
It means that consumers have the right to request that their personal data be erased from specific data controllers for a variety of reasons, including basic withdrawal of consent.
Recitals 65 and 66 go into further detail regarding the consumers’ “right to be forgotten.”
An important takeaway here is that programmatic marketers who deal with consumers’ personal data must also have the ability to erase that data, should the consumer exercise their “right to be forgotten.” This applies even if the consent has already been obtained because the consumer can still withdraw their consent and request the right to erasure.
Article 20 details the consumers' right to "data portability." This means that consumers have the right to receive the personal data they provided to a controller "in a structured, commonly used and machine-readable format." The consumer also has the right to transmit their personal data to another controller, per the regulation.
As detailed in Article 3 of the GDPR, the regulation “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union,” so long as the data processing is related to:
Recitals 22, 23, 24, and 25 further detail the territorial aspects of the GDPR, but the takeaway is clear for programmatic marketers: Even if you aren’t located in the EU, if you monitor the behavior of an EU consumer, or offer them goods or services, you are still required to abide by the GDPR regulations.
The exact implications may not be known for some time, but there are a handful of potential paths.
For starters, given that DSPs, SSPs, and other players tucked into the ad tech stack do not have as much direct exposure to consumers, the onus may largely be on consumer-facing companies to communicate with consumers as to why data sharing can be beneficial to them. Publishers, websites, and marketers figure to assume much of this responsibility — thus making first-party data even more paramount.
The conversations that take place may look similar to those that have occurred throughout the recent ad-blocking phenomenon, in which publishers have attempted unique ways to communicate with customers regarding the use of ad-blockers.
Publishers that have relied heavily on programmatic advertising to support their businesses are primed to undergo the most significant changes, but they are also in a good position to obtain consent. High-quality publishers could benefit the most from the GDPR, as they are more likely to receive consent from consumers than low-quality or little-known publishers.
Here’s how Digiday describes “data leakage”:
"Data leakage typically occurs when a brand, agency or ad tech company collects data about a website’s audience and subsequently uses that data without the initial publisher’s permission."
If a publisher obtains consent from a user, they must also protect that data — e.g. prevent data leakage — which means they must have tight contracts with their partners and processors. Trust and transparency will also be paramount, which will likely lead to a shift in the number of platforms publishers team up with.
Under the GDPR and its terminology, publishers will most often be “controllers.” Article 4, Section 7 of the GDPR defines a “controller” as the “... body which … determines the purposes and means of the processing of personal data.”
The “processor” is the “... body which processes personal data on behalf of the controller” (Article 4, Section 8).
As detailed in Article 33, data breaches must be reported within 72 hours by the controllers.
Trust and transparency are already at the forefront of the conversation in the programmatic ecosystem, and the GDPR may serve to accelerate the industry-wide push for more accountability.
Marketers and publishers may be held accountable for non-compliance by third parties, which means all players in the ad tech ecosystem will become more reliant on one another. This also means that the ecosystem may undergo a significant change in the number of partners marketers and publishers work with. Consolidation may be expedited as well.
Contracts will likely be revised to ensure compliance, and publishers will likely gain significant leverage in demands for transparency regarding the data used by any of their partners or platforms.
The scale of data used for programmatic buying will likely decrease (not every EU consumer will give express consent), but the quality of that data figures to increase (those that do give consent are affirming that they understand and are okay with the value proposition).
As such, there is a potential for an increase in CPMs as competition intensifies as marketers focus on more intentional, transparent spending.
Want more data-driven insights? Sign up for our blog!
