It’s been almost a year since the adoption of the General Data Protection Regulation (GDPR) but there are still various issues and questions out there.
The issues facing data collection and processing continue to grow in complexity, especially post-GDPR. Ahead of The Drum’s Programmatic Punch New York, executive vice president of Americas at Smart Ad Server, Joseph Lospalluto, discusses the problems businesses face and how they can attempt to solve them.
Implementation of GDPR seems like a lifetime ago. What’s happened since May 2018 and is there anything else that businesses should look out for?
GDPR is indeed almost one year old, but implementation and clarification are still being worked out and the situation in Europe differs from that of the US.
In France, the country whose local data watchdog (the CNIL) is the most active, the industry is still waiting for a concrete recommendation on UX to collect valid consent. While in Belgium, the “Fashion ID versus Facebook” case is expected to become the global jurisprudence on the positioning “data controller” versus “data processor”.
US businesses today have to find a good balance between strict legal interpretation (cut EU traffic, which could have only a small effect on revenue today) and a long-term approach (CMP implementation) to comply with GDPR today and whatever regulation comes about in the US.
CMP adoption is an ongoing process in the US and perhaps not taken as seriously as it is in Europe, as some US publishers have simply cut European traffic rather than implement a CMP. This is a short-term solution at best. Even if they’ve taken this approach for GDPR they can’t ignore American privacy regulations that are already introduced at the state level (e.g. California) and those being debated at the federal level.
Mechanics aside, the legal definitions of “consent”, how it’s collected, and “legitimate interest” are still fluid in Europe and the US.
What else should businesses look out for?
We are still at the very beginning from a US perspective. We have to remember that our industry is largely global. GDPR affects all, and some publishers will still want to evolve their infrastructure to address and monetize EU audiences. At the very least, publishers should seek to understand the business implications of European customer ad revenue vs. American consumer ad revenue.
The California privacy laws and proposed national legislation in the US will mirror many aspects of GDPR. If regulation is indeed inevitable, then national legislation is advantageous for our entire industry as managing multiple state regulations would be impractical or even impossible for most. Publishers should monitor this closely and even attempt to influence regulatory bodies and advocate for national rather than state regulation. This will have implications for both the publishers and the publisher’s partners.
Contextual targeting is nothing new, so what is new today?
Ever-increasing CPU power in machine learning is making a seismic impact, allowing more signals to be processed faster. This technology democratization benefits the entire industry. The more signals processed, the more nuanced we can be about context, which is a boon for the industry, especially in helping publishers better create custom audiences for buyers. This becomes even more critical as risks of third party data are growing while efficacy is increasingly challenged.
This is also a promising way for publishers to provide enhanced audience data vs. the deterministic data provided by the big walled gardens. In summary, contextual is becoming far more powerful and avoids the risks associated with other types of targeting under privacy regulations. The publisher’s content and understanding of context is a unique asset for publishers, especially when married with first-party audience data.
What are the risks for app publishers who don’t collect consent for each vendor involved?
Under GDPR, publishers and ad tech vendors are allowed to process personal data under two legal bases: either consent or legitimate interest. Consent is not the only way, but legitimate interest implies a clear framework and information.
IAB TCF v2, which is expected to be rolled out in June, will fully support both of those legal bases. This is a great milestone, as publishers will be free to choose the method that better fits their needs. The question is more business oriented: if some important actor - insert big platform name here - has decided not to take into consideration one or the other legal basis, this will drive their choices, as the revenue impact could be significant.
Mobile devices are viewed as inherently more personal than desktops and they collect certain data (real-time location, location history, etc.) that are even more sensitive than desktop cookie data. There is a higher sensitivity among consumers and regulators as a result. Anyone in the mobile app ecosystem should address GDPR and privacy issues very seriously.
What conversations are you having with marketers in the post-GDPR world when it comes to managing data?
GDPR has put data in the place that it deserves: at the center of the table. It has also been a wake-up call for marketers regarding data use and abuse from some bad actors and the need for the ad tech supply chain to be “healthier” and more transparent.
Publishers are our primary clients and they have highly valuable - and often very sensitive - first-party data. Our conversations center on how we can help them safely leverage that data to provide significant value to marketers while protecting them and their users. We do this now for many clients and it takes a tech platform that is data neutral and built to serve the interests of the publisher and the marketer in a non-data-exploitive way.
Marketers and their agencies are interested in limiting risk. They ask if the performance enhanced by data is worth the risk they take in using it. This leads to a growing interest in leveraging data more safely. For example, the renewed interest in contextual targeting and first-party data.
What would your advice be to publishers and brands thinking about ethical data use?
2019 and 2020 will clearly be the years of data privacy. The entire industry needs to think of their audience and prospective buyers as “citizens” (not as “consumers” or as “profiles”). It’s hard to apply ethics without making this shift in mindset.
Publishers must be sure that their first-party data, their most valuable asset, is kept safe by their tech partners (criteria number one in their due diligence).
Brands should be asking themselves if the performance uplift they get from data use is worth the risks they take by using it.
My advice to both: Make sure the juice is worth the squeeze. The future of your business may depend on how you proceed.
Lospalluto will appear on the Data, Data, Data panel at Programmatic Punch, a full day event serving insight and practical advice on the latest developments in programmatic trading. Tickets can be purchased for the event at Ogilvy and Mather, New York on June 6.