Europe’s new privacy rules are about shake adland to its core
Brands, agencies and adtech businesses need to prepare for the biggest update to privacy regulation in two decades, writes PageFair’s Dr Johnny Ryan. Here is what you need to know.
In a year and a half new European rules on the use of personal information will disrupt advertising and media across the globe. Since 1996 when cookies were first repurposed to track users around the Web there has been an assumption that gathering and trading users’ personal information is the essence of advertising online. This is about to change.
The General Data Protection Regulation (GDPR) is the most significant update to privacy regulation in two decades. Companies across the globe will have to comply with the GDPR if they want to serve any of the EU’s 500 million people, or handle data for any European companies. European regulators will have the power to fine up to 4% of a company’s global annual turnover. This is big news for brands, agencies, and adtech.
The GDPR’s application sixteen months from now (25 May 2018) is likely to lower the valuations of adtech and martech companies, change user behaviour, and prompt a consolidation in media and advertising that favours publishers who have trusted relationships with users. It will also incentivise CMOs to apply a higher global standard to their marketing and customers’ data.
1. This is bad news for third-party tracking
The Regulation establishes a chain of responsibility for data and a new approach to consent that will disrupt the adtech complex. It will be illegal for companies anywhere in the world to pass a European user’s personal information to another company, or to store these data, without agreeing a formal contract with the “data controller” (normally this is the company that requested the data from the user in the first place) that defines limits on how the data can be used.
To use personal information beyond these limits one will have to obtain consent from (or in the specific case of direct marketing inform users about what it does with the data, and of the fact that the user can object at any time to their data being used in this way). This cannot be buried in T&Cs because users must be informed “clearly and separately from any other information”.
Many brands and adtech companies will find this difficult – perhaps impossible – to comply with because they lack direct relationships with users. While it is conceivable that regulators may regard this as a permissible reason not to inform users, I think it unlikely.
This will make the direct relationships that publishers enjoy with users enormously valuable. This may prompt mergers and acquisitions between the media and adtech industries. Facebook is already vertically integrated in this manner. It has both a direct relationship with its users and the infrastructure to target and deliver ads. It alone does not pass personal information to third parties in order to make money.
It is likely that publishers and service providers will become extremely cautious about permitting tracking pixels and third party JavaScript on their webpages because they could be liable for infringements that result. This would end the practise of introducing unexpected parties to the chain of data sharing. So the number of trackers on sites, cookie syncing, pixel dropping, finger printing, and so on is likely to decrease.
2. Brands, agencies, and adtech companies will face lawsuits and fines
The GDPR sets the stage for a wave of lawsuits against all parties in the advertising chain. Users will have the right to trace data back to its source. For example, a person who receives a marketing communication from a brand is now entitled to find out where the data on them has been obtained from, and can take legal action or complain to a regulator.
Such cases may be significant because multiple companies “involved in the same processing” of a user’s personal data can each be held liable for the entire damages awarded in a case. It is likely that there will be a glut of these cases because the Regulation allows non-profit privacy groups to take legal action on behalf of many users.
According to TJ McIntyre of Digital Rights Ireland, which was involved in the Schrems case against Facebook that prompted the EU-US Privacy Shield, “The fact that representative bodies can act on behalf of individuals will, practically speaking, be very important where actions require either specialist knowledge or deep pockets.”
At the same time privacy regulators will be under pressure to act more decisively because consumers now have the ability to take them to court for not properly responding to complaints.
3. User behaviour will change
The average user is unaware of how brands and adtech companies handle their personal information. This is likely to change as a result of two measures contained in the GDPR.
First, the Regulation requires that an exhaustive level of detail be provided to users on how their personal information is used by every party. For example: who is collecting data? What will they be used for? With whom will they be shared? How long will they be stored? Will the data be passed outside the EU, and if so under what conditions?
Where personal information is used for automated decision-making, including profiling, the user also has to be told what the logic of this process is, and what the significance of the outcomes may be.
The Regulation envisages the establishment of iconography to concisely communicate data use, risks, and rights in plain language. Users must also be notified of their right to access, correct, and remove all personal information held by any company, and how they can lodge a complaint with a regulator.
Second, the Regulation introduces a new focus on security that will further contribute to user fears. All parties that handle data are now required to protect personal information from misuse and leakage, and users must be promptly informed when a data breach occurs.
Users will learn not only how much data exists about them, but also how often these data are exposed. The likely result will be a wave of paranoia. Such a backlash would prompt users to use their new powers to opt out at any time. The Regulation requires that it be as easy for a person to withdraw consent at any time as it was to give it.
What this means
Personal privacy is about to receive a long overdue upgrade. The new requirement to appoint tenured data protection officers at the highest level means that many CMOs will now find themselves sitting across from DPOs at board meetings. It is likely that global CMOs will find it easier to apply common global standards that conform to the high bar set by Europe than carve data on the world’s biggest market from all other territories.
Dr Johnny Ryan is Head of Ecosystem for PageFair