In all the alphabet-soup related to media and marketing—DMP, SSP, DSP, etc.—one set of initials is looming large for the industry: GDPR. At recent conferences held by Forrester and the American Association of Advertising Agencies, as well as in any number of conversations, industry insiders are weighing its potential effects.
The General Data Protection Regulation approved by the European Parliament in 2016 is due to take effect May 25, establishing a tighter set of rules governing data privacy in the nations of the European Union than any time since the birth of the Internet. Marketers and agencies in Europe and around the world are considering alternatives, from contextual data to conversational marketing, to maintain their targeting and personalization practices the customer data flow is subject to GDPR’s tougher rules.
“GDPR is certainly a challenge and it’s opaque at best,” said Sheila Colclasure, global chief data ethics officer of Acxiom Corp. The regulations establish a number of requirements, but don’t necessarily spell out how they will be complied with, said Bénédicte Dambrine, Privacy Counsel of OneTrust, a privacy-management software company
The GDRP wording is very specific about the demands it makes of data users, said Dambrine. The law requires the subject to give explicit consent before any data is collected, a record of that consent must be maintained and if the user withdraws consent the data must be withdrawn. If they fail at any of these guidelines, the company can be subject to large fines.
In practice, GDPR will reshape the experience of accepting terms of service. Consent to share data must be specific, with the controller explaining why the data is being collected and informing consumers of the right to withdraw consent at any time. Information must be offered in accessible form in clear language, not as fine print at the bottom of the form, and the consent must be unambiguous. Explicit consent would include actions like two-step verification; silence or inactivity would not qualify as consent
The record-keeping requirements are also expanding widely, noted Dambrine. Companies now need to keep a record of who gave consent and when, what the person was told at the time and how consent was given. Anything that was a pre-ticked box online won’t apply anymore; GDPR requires a data capture form with a time stamp if the consent was given online, the consent statement or script used if it was oral consent, or similar backup documents. Beyond that, the company needs to have a system to implement requests to withdraw consent.
The European model is strict because the nations of Europe have a different outlook on privacy than the libertarian Americans, said Colclasure, a data privacy expert who formerly advised the U.S. Senate. Europe’s nations have experience with data collection being used to persecute citizens, while the U.S. takes a more entrepreneurial view. In Europe, privacy is seen as a fundamental human right, while in the U.S. it’s a business issue, she said: “In Europe they call people ‘data subjects’ and in the U.S. they call them consumers.”
“Who doesn’t want to vote for privacy?”
Still, U.S. Sens. Edward Markey and Richard Blumenthal followed up the testimony of Facebook CEO Mark Zuckerberg about data privacy breaches at the social media platform by introducing the CONSENT Act, a GDPR-type legislation. While federal legislation may be iffy, California could lead the U.S. into a GDPR-like regulation, noted Colclasure. The California Consumer Privacy Act of 2018, which must still qualify for the November ballot, has similar features as GDPR. It could pass, she said: “Who doesn’t want to vote for privacy?”
If the initiative passes, it could have the same effect as auto emission standards, where California passed more stringent requirements than the federal laws, and automakers enforced them nationally because it was easier than having two standards.
“By forcing privacy by design on international companies, it has an effect, whether it’s here or not,” said Jonathan Steuer, chief research officer of Omnicom Media Group. “The big guys aren’t going to build two ecosystems, one that’s compliant and one that’s not, because it’s too hard to do.”
U.S. companies are actually ahead of the Europeans in applying GDPR; a Forrester survey last year found 33% of U.S. companies said they are already in compliance, while only 26% of European companies were ready. Forrester principal analyst Fatemeh Khatibloo estimated that companies will have a shortage of privacy professionals in the next 3 to 5 years.
“There’s a reckoning that’s happening right now,” Steuer told the 4A’s conference. Gen Z is a generation that claims privacy as a right, and until now, people argued they wanted privacy, but gave it up because they wanted to have Facebook. That could change now, he said: “Now we’re finally having that conversation for real.”
The recent Facebook data issues with Cambridge Analytica have only added fuel to the data privacy debate, say insiders.
“If you ask people, they don’t really trust Facebook, (but) they just hadn’t thought about it very much,” said Steuer. “Part of what I like about GDPR is it starts that conversation in a way the consumers will have more exposure to it. What does it actually mean, ‘the right to be forgotten?’”
Analytics and media companies that depend on detailed personal data for targeting say they will be compliant, but they are looking at alternatives, such as contextual targeting.
“We go back to the old days where I wasn’t able to target you based on the last 50 sites you visited, I could target you based on the content of that page,” said Aaron Fetters, SVP of national agency and CPG at comScore, Inc.
“On one hand, we’re ensuring that we’re going to be ready and fully compliant. On the other hand, we’re trying to bring to light the other capabilities that will still be out there to help advertisers continue to succeed in spite of the absence of personal data,” said Fetters.
One solution would be “some blockchain-y thing” that tokenizes personal information so each consumer owns their identity and remains anonymous online, said Steuer. “I don’t know how we don’t end up there. The question is how long does it take and how does it happen.”
Chris Murphy, head of strategy at LiveRamp, a data unit of Acxiom, wouldn’t chance a prediction, but expects there will be some version of GDPR in the U.S. eventually. Extra oversight is not a bad thing, he said; he noted that transparency audits carried out by marketers on their agencies had in in many cases reassured them that their media budgets were being used efficiently. “I think there could be a similar opportunity to reassert consumer trust” through GDPR, he said.
“I think it’s an opportunity for brands to reassure their customers and prospects of the kind of value transaction for providing data to be more relevant, to tailor messaging; to provide your purchase history so that your shopping experience is easier,” Murphy said. “It’s a good opportunity to reassure both brands and the publishers of how that data is used.”