The unintended consequences of GDPR

3 minute read

25 May 2018

SUBSCRIBE

After two years of preparation, speculation, an abundance of pleading emails – and even outright panic – it’s finally here: GDPR.

As of today, Friday 25 May 2018, the EU will start enforcing its new data privacy regulations – but even as we stand on the cusp of GDPR, it’s still unclear what exactly it will mean for programmatic advertising.

Among its many changes to data privacy law, GDPR widens the scope of what is considered personally identifiable information to include device IDs. Previously considered an anonymous identifier, device IDs are used to match a mobile user to an impression – and are thus a cornerstone of digital ad targeting.

That could be a problem for programmatic, which is built on a foundation of user data. Its promise was improving the process of serving the right ad to the right person. With GDPR demanding that users give explicit consent for their personal data to be used in this manner – along with the challenges of explaining and obtaining this consent – this promise could be compromised.

Efforts by IAB Europe, with their Transparency & Consent Framework should be applauded, however, some are claiming this is not true to the spirit or intent of the law, providing as it does holistic rather than binary vendor consent. Is this the specific, informed, unambiguous and freely given consent that regulators intended?

The other significant challenge, particularly for an ecosystem so interconnected as programmatic, is the differing interpretations, opinions, and advice being proffered, which has ramifications for how compliance is then implemented. Some companies are claiming Data Controller privileges. Others, in the same space, state they are Data Processors. And then there’s even Data Co-Controllers.

This uncertainty creates reticence to act. Or act in a way that provides no consistency across the industry, creating headaches for Product and Ad Ops everywhere. No-one wants to be the one to make a wrong move and become the sacrificial lamb with a crippling fine. As a result, I am sure programmatic liquidity after Friday, at least in the short term, will decrease.

Unfortunately, it seems inevitable that some of this confusion will only be resolved when the ICO’s executioner’s sword falls and the regulations are clarified, with precedents that can be referenced going forward.

That should clarify some of the many grey areas – but in the interim, everyone is exercising supreme caution. Rumours abound that some of the largest exchanges may denude device IDs entirely, if clear consent is not identified. At the same time, it is unlikely brands will want to bid on inventory where there is any confusion.

This could then lead to a clear bifurcation in impression value: increase CPM costs for impressions with clear consent and a floor rate for those without.

If this does play out, is it reasonable to expect we will see a new rogue element within adtech – consent fraud? Whenever a signal for high value exists – like video and location before it – organised crime invariably follows.

However, it’s not at all doom and gloom.

Programmatic direct, which uses the automation benefits of the technology but applies it to inventory bought only from a pre-approved publisher should continue.

Indeed, we are likely to see a return to the days when publishers are custodians of customer insights and their audiences’ preferences, shifting the balance of power to a part of the value chain that has not always received the most robust adtech solutions.

In fact, a carefully-controlled environment with permission-based assets should be fine under GDPR. Unlockd’s model means that consumers actively opt in, by choosing to download the app and agreeing to be shown ads and share their data in return for a tangible benefit to themselves, like money off a phone bill. That means the need for explicit consent is met.

Until now the adtech industry, which employs millions and is worth £11.55bn in the UK alone, has largely been obfuscated from consumers. GDPR and the avalanche of privacy policy update emails has changed that for good.

The planning and preparation should, by now, be over. Now we have to wait and see.