GDPR and the Changing Landscape of Ad Tech: How the New Regulations Will Impact Programmatic Advertising

If the question ‘why does GDPR exist’ is bothering you to no end, the most relevant answer to the question would be public concern over privacy. But to know what exactly is GDPR and the impact it would have on digital advertisement, read further.

High profile data breaches and legislative changes are combining to create a perfect storm of disruption in the personal data space. With the increasing consumer awareness of data privacy rights, how are brands and retailers planning to respond to the changes?

But first things first, what’s GDPR?

Protecting personal data has been an important issue in the European Union (EU) for more than 20 years, and the recently ratified General Data Protection Regulation (GDPR) takes data protection to an entirely new level. In addition to a new set of legal requirements that necessitate both organizational and technological responses, the GDPR is applicable to almost every organization around the world that collects or processes data on residents domiciled within the EU, including permanent residents, visitors and expatriates. Compliance is thus predicated on the geographical location of the individuals about whom an organization holds personal data, not the domicile of registration for the organization. This represents a sea change in how organizations must protect the personal data of anyone in the EU, and it may have implications for how they protect the personal data of non-EU residents, as well.

The GDPR is important for two key reasons: First, it is likely to apply to all organizations, even those not based in Europe, because it mandates certain protections and provisions for any organization that controls or processes personal data on EU residents where processing is related to offering goods or services (“irrespective of whether a payment of the data subject is required”) or monitoring behavior that takes places place within the EU. Being located outside of the EU does not grant an exemption to a data controller. Second, the cost of non-compliance is significant, with a financial penalties regime of up to a €20 million fine or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition to this, GDPR compliance will add new security responsibilities and obligations, including: Data subject consent such as anonymisation, breach notification, data transfers and the appointment of Data Protection Officers

What type of privacy data does GDPR protect? There are number of them. Basic identity information such as name, address and ID numbers, web data such as location, IP address, cookie data and RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions and sexual orientation

Effects of GDPR on Online Advertising.

Personal data can be associated with everything from email addresses to payment information, basically anything that can tie to a person’s identity. However, GDPR now also categorizes cookies, IP addresses, device IDs and location data as “personal data”. In a nutshell, it means that once GDPR comes into being, the user must actively agree to the way their data is collected and used. Here are some examples of things no longer acceptable as “consent” under GDPR: Pre-checked boxes on forms or data collection points and the passive “you accept cookies” notices

Customers must be able to freely give consent. No longer is implied consent acceptable. It can also not be hidden in long Terms & Conditions that uses complex legal language. Also, the customer is also given the right to remove their consent at any time.

Effects of GDPR on ad-tech industry.

When it comes to the ad-tech industry, data collection and data sharing practices are obscure due to the lack of restrictions. GDPR will necessitate rewriting the rules of how ads are targeted online, creating a serious challenge for advertising technology companies. In its essence, GDPR is meant to empower users and give them the ability to control what data they are willing to share. GDPR is not a groundbreaking privacy policy, but rather comes at a time when there is a major shift in users’ tolerance for companies misusing their data for profit.

From Facebook and Cambridge Analytica’s latest privacy scandals to the growing demand for transparency, privacy is put in the spotlight. GDPR’s high penalties have gotten the entire industry buzzing, forcing the industry to re-examine how a user’s personal information is used along the supply chain.

Adhering to the GDPR regulations has a direct impact on companies who come in direct contact with the user. Publishers will have to ensure that the data obtained from the users under the GDPR will have all the necessary consent data. Meaning that since much of programmatic and other advertising optimization practices rely on customer data (such as retargeting, cookie matching, mobile ID targeting, frequency capping, etc) traffic is likely to become more valuable. At the same time, Marketing KPIs would become more difficult to measure.

What Does The Future Hold For Advertisers?

The GDPR also makes advertisers liable if they use illegally-procured data for ad targeting, even if done unknowingly. We can expect a short-term squeeze in European ad spend as advertisers mitigate risks by limiting their EU programmatic spend. They may instead push money toward safer, direct platforms like Google, Facebook, and Twitter.

So if you are into ad-tech following are the things you can do to prepare yourself:

  1. Ensure your tech is GDPR-compliant: This involves security audits, breach action plans, and blocking all PII collection/sharing for EU residents.
  2. Work with demand partners to increase the value of non-user-matched impressions: Again, without cookies or mobile IDs, the value of an individual ad impression greatly decreases. The ad tech industry must therefore find ways of identifying impression value via other means (like context, search terms, additional non-PII RTB fields, etc).
  3. Enable consent tracking, consent honoring, and ways to rectify or delete data: Some publishers will still seek consent, so it’s important your tech can accommodate that. Additionally, because of GDPR’s “data rights”, you must offer users a method of seeing and changing the data you have on them.
  4. Rework your contracts and/or offer a Data Processing Agreement (DPA) if applicable: If you’re sent data illegally, you could be on the hook if you use it. Therefore, you should have agreements in place with your publishers/partners/advertisers that indemnify you from their actions.

Blockchain, a potential solution.

Blockchain technology is the ideal match for GDPR — on one hand, rights are protected by legislation, and on the other, they’re secured by technological advances. With this emerging technology, companies no longer need to store customer information in easily-targetable data silos — if anything, they’re incentivised not in order to avoid risking fines under GDPR.

The Blockchain technology has huge potential to check the problem of ad frauds. Basically, a non-editable ledger records all transactions. It would thus help to keep a track of all the activities in the ad transactions and bring in a greater transparency and accountability in the system.

At AudienceBay, we have a robust ecosystem for combating ad frauds by facilitating the implementation of the Blockchain technology. The multiple ad exchanges that send us the ad requests also act as individual nodes in a blockchain. These requests are then analyzed for any anomalies using our data science algorithms designed specifically for fraud prevention and bot traffic detection.

Further, blockchain implementation has helped in AudienceBay’s natural compliance to GDPR & e-privacy norms.

Overall, it is clear that every organization in possession of customer data will be affected by the GDPR. The programmatic advertising sector will feel the brunt of the regulation due to the data requirements it needs for targeting. To stay as effective, algorithmic advertising will have to evolve to incorporate the new guidelines. GDPR will shift the advertising landscape to shun away from (non-consented) data embezzlement and audience buying from illicit markets. We can also expect publishers to get content and advertisements to get tightly woven to deliver not just compliance but also greater user experience.

GDPR will herald a new era of greater trust between organizations and customers still willing to share personal data to access tailored services. Organizations need to clearly explain to customers how their data will be used and how they can expect to benefit from it.

About AudienceBay

AudienceBay ecosystem ring fences ‘Programmatic media’ world by leveraging super and secured blockchain technology. It addresses the need for user privacy and security. The revolutionary platform witnesses unmatched performance for marketers because of elimination of ad frauds. Enhanced transparency and AI driven contextual targeting help AudienceBay publishers get superior revenues.

Tagged with: