Recently, I’ve been writing a great deal about GDPR and the impact it will have on the digital marketing ecosystem. Worldwide, not just in Europe. Beyond the required compliance, I see it as an opportunity for brands to build stronger relationships with their customers (and make more money!) by creating offerings and policies that respect privacy and offer the consumer real value in exchange for use of personal data.
But none of this will happen overnight. For the most part, advertisers, publishers and ad tech companies are in a mad scramble to comply with the law by the deadline of May 25th, or at least show good faith efforts. Points for trying and all.
Here is a short primer on how the GDPR deadline impacts consumers.
Overflowing email boxes
The most visible immediate impact for the consumer is all those emails with opt-ins and links to privacy policies. GDPR requires companies to obtain consent for use of the personal data of EU citizens, but for practical purposes, most companies are executing their plans worldwide. Consent is required down to the specific uses, and brands must provide mechanisms for consumers to manage or withdraw their consent. This is an oversimplification but it will do for today’s purpose.
Most privacy policies were written much too broadly to be acceptable under GDPR. Even if they specified the uses the company would make of the data, they didn’t offer a mechanism to withdraw consent. And many more issues beyond that simple one, from sites that didn’t really offer “true consent” in that “free” functionality was contingent upon the submission of private data, to collection of data that wasn’t really necessary for the business purpose at hand, but helped the collector understand more about its customers for future targeting. For example, if you are buying a ticket for an event open to the general public, does the organizer need to know your gender or income to process the transaction? No. That information is used for marketing and audience targeting. Under GDPR, the event organizer has to provide much more information about, and justification for, the personal data they are collecting and potentially sharing onward with other partners, and give you a mechanism for managing that consent.
You will probably get an email from every site and every email newsletter you ever registered with, even ones that you long ago forgot. And if they DO share or sell your data, they are looking for an opt-in to the new policy, so that they can claim they have your consent. In the long run, I don’t expect that’s going to be sufficient consent for the regulators, but it is why you are being asked to “renew” your subscription. Even though it may damage their subscription numbers in the short term, it is a whole lot easier to scrub the list and move forward with consumers who’ve consented than to keep people on for whom they have no audit trail of any kind. That’s also why multi-nationals and companies conducting international e-commerce are generally applying the same policies across the board. It makes no sense to have double overhead by having one system for the EU and another for the rest of the world. Especially since other nations may follow suit with similar privacy laws and matching IP addresses to physical locations is far from foolproof.
What exactly are you giving permission for?
From a casual reading of my own emails, companies are keeping these communications pretty simple. They outline the uses they make of your data, and provide guidance on how you can manage consent. The thing you need to watch out for is whether they share or sell your data to other parties, and how you can manage consent once they have shared your data on. Companies are required to have a mechanism to manage this, and quite frankly, my take is that many haven’t gotten very far along with this part of the complex GDPR compliance process because it requires cooperation among multiple partners in the technology chain. And that has been slow in coming, even though the deadline has been known for a long time.
Generally speaking though, in my opinion, the more specific the policy is, the better off you are, even if it seems like a PITA to read all these policies. The thing I would be most wary of is when the site/firm uses “legitimate business interests” as a general reason for sharing your personal data with a third party. That’s a handwave that won’t pass muster. Especially if they haven’t produced a consent mechanism.
You should also expect more detailed sign-up forms going forward, both when you are signing up for access to content and subscribing to newsletters.
Some advertising terms that will help you better understand this privacy debate.
First-party data — That’s the data that you share directly with the website you are visiting. It can be personal data that you share or anonymous data that the site collects as a result of your use of the site. Privacy regulations are most concerned with personal data that can be used to identify or target you, and how companies will protect it and your rights to your own data. The opportunity for brands inherent in GDPR is to build a stronger relationship with you so you have incentive to share personal data with them — to make products better, to get more relevant advertisers, and so on.
Second-party data — This is not used that frequently. It refers to when a site shares/sells first-party data about you with a second party, who then uses that data to contact or market to you. For example, a conference shares its registration list with its sponsors, who then contact you directly with offers. The conference (the first party) is obligated to get your permission to share your data with the second party, but the data is typically used as is, not combined with other information to create super-sets of data.
Third-party data — This is where all the action is with regard to GDPR compliance. The basic issue is that the digital advertising ecosystem relies on a variety of technologies to target and deliver ads to consumers, using data aggregated from multiple sources to create new “super-sets,” which identify consumers even more discretely than the original data sources. As a vastly oversimplified example, we combine the data from a media website with data from a luxury goods company to target ads to site visitors based on their past purchases of luxury goods. The basic concept is sound; it helps advertisers deliver ads to the people most likely to be interested in the products, BUT it also introduces a privacy issue. If I am the consumer, I did not give my information to the luxury goods company to facilitate delivery of ads on a media website. I intended to buy a product. There was probably a blanket consent within the transaction to the advertising use, but it most likely doesn’t pass the GDPR sniff test.
Right now, a lot of very smart people in the ad tech world are working to figure out how to manage consent for third party data. It’s tough, because it isn’t simply about the initial consent; the consumer has the right to withdraw that consent at any time, and then all the partners in the chain have to remove the data. In my opinion, it is worth solving but it will increase advertising rates for this premium targeting. As it should. There will be a whole lot of infrastructure to manage the consent as well as a burden on the first-party who collects the data initially to market the downstream use to its customers.
Consumers won’t “see” the impact of GDPR on advertising delivery. Behind the curtain, though, there is a lot going on. Ad tech innovation to manage consent but also, I believe, a return to more reliance on first-party data and contextual targeting, showing ads based on the surrounding content, not presumed consumer behaviors.
I’ll be participating in a Conference Board webcast next Wednesday May 23rd at 11am ET to talk about GDPR and its impact on the digital economy. It’s free, so if you’re inclined to know more, please join us.