This has been an annus horribilis for the adtech sector, with the past month being particularly bad.
The Data Protection Commissioner in Dublin does not command much attention in the UK, but she should. Helen Dixon has an overflowing in-tray, as the EU leaves it up to the country where a multinational’s headquarters are based to manage regulations like GDPR – and for many big technology companies, that country is Ireland.
On June 20th, an investigation into Quantcast’s compliance with GDPR was announced. That’s the latest of 51 large-scale investigations the regulator is currently running, 17 of which relate to large technology platforms, with 10 into Facebook or Facebook-owned entities alone.
Then, to wrap things up, Facebook received a $5 billion fine from the FTC relating to the Cambridge Analytica data breach scandal.
Putting Facebook’s fine to one side (although the size of the fine is bound to focus corporate minds everywhere), the other actions all relate to adaptations to the introduction of GDPR in May 2018.
The ICO, for instance, feels that common practices in programmatic trading are not compliant with GDPR. There are some specific areas of concern:
- Use of ‘legitimate interest’ as a defence when processing customer data is rejected – entities must have explicit customer consent.
- Use of sensitive data like sexual orientation, health history and political views needs clear and explicit consent – instead the ICO has seen evidence of this data being openly used across exchanges.
- Unhappiness with use of contracts to shift liability for breaches to the media owner rather than the ad network.
On the other hand, the ICO recognises that small publishers in particular are financially vulnerable and that programmatic advertising is an important income stream for them. That implies that the pressure is going to fall on the large global adtech companies, at least in the first instance.
The problem is that what is technically possible is somewhat at odds with protecting users’ data and privacy. Here is Simon McDougall, from the ICO, describing the issue in a recent speech:
“Just one visit to a website can trigger an auction among advertisers which involves our personal data and hundreds of interested bidders. It’s impressive; it’s hard to imagine the speed, scale and complexity of this real-time bidding. It’s also the stuff of data protection nightmares. And it’s what has been keeping me up at night recently.”
He goes on to say that complexity is no longer an excuse – that companies need to put resources and talent into solving these problems.
So what is likely to happen?
First-party data is less of an issue, assuming that consent is managed properly. Facebook, Google and Amazon have ample first-party data to continue to deliver targeted advertising to their user base. Equally, established companies with big customer bases have a big advantage if they can manage consent and link their offline CRM to digital channels. Of course, this is not a level playing field for challenger brands, but it was ever thus.
Third-party data is much more problematic, and we have already seen companies like Facebook making it harder (but not impossible) to apply third-party audiences to the platform.
However, the big networks are already adapting to a world where third-party data is restricted. Here are some recent statements from two massive networks, Quantcast and MiQ.
Firstly, Konrad Feldman, Chief Executive Officer & Founder at Quantcast:
“This bet on machine learning has proven to be a good one for our clients. It’s made it unnecessary for us to acquire lots of personal data about individuals, unlike companies with business models that are reliant on knowing everything about a consumer. Instead, we create statistical models, based solely on that pseudonymous information to make accurate, data-driven predictions. We think that strategy has been in the best interests of internet users at large, and therefore the brands and publishers we work with, helping them grow their businesses without crossing important lines on data privacy.”
Secondly, John Goulding, Global Strategy Director at MiQ:
“Marketers need to remember that cookies and device IDs are not the only game in town. Some of the most powerful, exciting and effective campaigns out there are fueled by location data, first-party data and macro data ranging from weather to financial markets to cold and flu season. Using these diverse, non-PID data sets gives marketers endless ways to deliver brand and performance results without relying on identity.”
Statements like these give us confidence that the programmatic industry can adapt to legitimate consumer concerns and continue to deliver great results for clients.