- European regulators will start cracking down on the use of data for web ad targeting starting next May. Any digital media company or ad tech firm doing business globally will need to make adjustments or risk major fines, says web privacy expert and Evidon CEO Scott Meyer. “Somebody is going to get strung up really fast.”
There’s been a lot of chatter in the digital ad industry lately over the coming impact of GDPR, or the General Data Protection Regulation. This regulation, passed by the European Union Parliament last year, goes into effect next May.
The law was signed ostensibly to give European consumers more control of their digital data. And while the way the law is implemented and enforced remains to be seen, the thinking is that the GDPR puts much more burden on digital media companies, publishers and ad tech firms to get permission when using people’s data.
At its highest level, under the GDPR rules, people have to give consent for their data to be used, and have to be able have full access to their data. Here’s how the GDPR language on consumer data consent reads:
Consent The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
That’s a big difference from the way that digital publishing and services have traditionally operated, where people are shown specific content or targeted with ads based on their recent web behavior, regardless of whether they are aware or have given consent to being tracked. Basically, when it comes to using web cookies and other tactics, permission has been an afterthought for most digital companies.
The new regulations could theoretically make it hard for a publisher to do simple things like show a person content based on their location (like local news and weather) or more sophisticated ad targeting – such as showing an ad for a product they recently searched for.
And while GDPR is a European law, the ramifications for many US web companies are potentially huge, since so many operate globally. GDPR violators face substantial fines.
Thus, there have been doomsday headlines such as the recent AdExchanger post:
Or this Digday story from a few weeks ago:
Business Insider caught up with Scott Meyer, founder of the digital privacy firm Evidion who’s now president of Crownpeak’s Digital Governance division, to try and get a better understanding of what GDPR means for the ad world.
Mike Shields: Ok, so what’s going on as this GDPR deadline comes closer? Haven’t there been lots of ‘let’s regulate data on the web’ efforts in the past that seemingly haven’t had a big impact?
Meyer: This regulatory push has the potential to have the most impact most quickly, because it’s the only one starting with the user. That’s what distinct about it. It’s a consumer thing. GDPR, it’s sole intent is to give consumers better control of their data. That’s a business issue. How do you give consumers more control? The law goes into effect on May 25 of next year whether anyone likes it or not.
Shields: And why isn’t this just a European business issue?
Meyer: It’s not based on where the company is. It’s based on the user. Any company dealing with European citizens has to deal with this.
Any company dealing with European citizens has to deal with this.
There’s never been a regulatory rule in US that carried specific fines [other than COPPA, which focuses on protecting kids on the web]. This regulation, the fine starts at 10 million euros and go up to 4% of profits
Shields: So numbers like that can get big and scary.
Meyer: Businesses always have to evaluate how much they want to invest in compliance and be best in class or not. They do basic math. How much is this going to cost me versus relative risk of me being harassed or sued? And when it comes to advertising specifically, the fines start at $20 million. All of a sudden whatever I might invest in compliance seems like a pretty small thing.
Also remember the ad component is one slice [of GDPR]. There are 99 articles in this thing. It’s a monster.
Shields: What is this really about?
Meyer: What is at the heart of this law, for people that haven’t been following closely, is it’s people saying, I want to see my data. I want to control consent for all forms of tracking. And, there’s whole new set of rules on data breach notifications [which has been a major issue lately].
So if you’re a brand, the supply chain you depend on can put you in a bad spot. One of the big things that’s coming in the ad tech industry is that contracts are going to be changing. This is putting more liability back onto the supply chain.
One of the big things that’s coming in the ad tech industry is that contracts are going to be changing. This is putting more liability back onto the supply chain.
Shields: Can a brand that is trying to do the right thing get screwed if one of its partners screws up?
Meyer: In an extreme case, yes. It’s essential for you to know who your vendors are and what their data practices are. If one of them are not being a good data custodian, you can get in trouble.
Shields: So theoretically, this could be a winning issue for ad tech companies that get out in front of it or are already data sensitive?
Meyer: That’s exactly right. You can look at this in two ways. One, this is a disaster, we’re all screwed. Or, for brands, it’s – the user experience on websites and apps has to change no matter what, so you can do the bare minimum or you can use this as a way to communicate with consumers better.
For ad tech companies, they can use this as an opportunity to put themselves in a much better position. It can’t hurt. It’s going to raise the bar for who brands will work with. You have to prove your self and there’s nothing wrong with it.
Shields: Are there any US-centric web companies that don’t have to worry? After all, the regulatory climate right now in the US is very different than Europe.
Meyer: There are no black and white issues here. Unless you are positive you never serve any European citizens [you have to worry]. The letter of the law would say you have to be on top of that. If you have revenue coming from Europe you need to know. At a minimum, you need to know where your traffic is coming from.
If you’re [a very US publication] like the Philadelphia Inquirer, you have to weigh the risk. The one thing is the disclosures are really not that complex. You do have to watch out for public opinion.
Shields: This may be a dumb question, but is there any chance that there’s a backlash? Such as, if consumers don’t like the idea of having to think too much about their data and just want websites to work like they always do?
Meyer: That is always the risk. That’s where the role of the regulator becomes extremely important, and how it’s enforced. That could lull some companies into ignoring things.
Shields: Is there a reason to be skeptical about how big this will all end up being?
Meyer: There are certainly other European laws that have not been enforced. And there is a line of thinking along the lines of ‘I’ve seen this before. I’m gonna sit tight. I’m not Google. They’re not going to come after me.’ That’s a business decision. It’s not like these regulators have this data force that is going to be knocking on your door.
However, there is an incentive [to get something done]. Somebody is going to get strung up really fast just to show they are serious. On the flip side, it’s really hard for a regulator to see what is happening [outside of a publisher or ad tech company’s disclosures].
Overall, what’s obvious is that an opt out world [of data-driven digital advertising] is becoming much more opt in.