GDPR // A non-technical view of programmatic advertising for brands and publishers
As the industry prepares for the ICO's AdTech Fact-Finding Forum, Damon Reeve offers a guide for the two most important links in the programmatic supply chain
For many attending the ICO’s AdTech Fact-Finding Forum in London this week, hope will be in the air. For some, hope that the work undertaken this year to change aspects of their business and be more compliant with GDPR is going in the right direction.
For others, hope that a clear direction emerges they can emulate and catch up through. And a final group, the hope that there is still a future state for open market programmatic advertising that satisfies the regulators concerns and doesn’t put a lid on the coffin of many companies across the industry.
These are confusing times for everyone involved with data regulation in programmatic advertising. Over the past year the ICO have opted for a dual approach of being consultative with industry and publishing a shot across the bow with their June report giving industry 6 months to sort itself out.
The consultative approach has resulted in detailed discussions with trade bodies and primary actors, designed to encourage new ways of working that introduce better protections for individuals, from an industry not known for putting the consumer first. While the ICO’s approach is frustrating to those that would prefer them to prescribe a clearer direction, the approach they have taken has generated a broad range of ideas and perspectives.
This broader set of ideas and perspectives needs to reach a wider audience - in particular those companies that may not have been involved in discussions thus far and are consequently struggling to know what compliance might look like.
Editorial on the topic has been dominated by two binary positions - end open market programmatic completely, or complete faith in the IAB’s transparency and consent framework - neither of which speak completely to the risks faced by brands and publishers.
Taking a middle ground on some of these ideas there is a practical and pragmatic path, led by publishers and brands that will ultimately lead to a better outcome for all.
I’m addressing this article to brands and publishers as both hold a direct relationship with consumers and are the two parties ultimately accountable for data compliance. In an ideal world, every other participant in the programmatic advertising supply chain would be acting on behalf of either the brand or the publisher. Our current world, however, is far from ideal, and some vendors insist on declaring themselves as data controllers where they should be data processors, requiring compliance in some cases to deviate from common sense.
GDPR compliance is an exercise in managing risk. In any assessment, risk is balanced with potential reward. Understand the work being undertaken, assess the risk, look at ways to reduce the risk, and then decide if the reward is worth it.
For a premium publisher who is reliant on advertising revenue to fund quality journalism, sharing some reader information with advertisers to encourage advertising spend should be a reasonable risk to manage. As long as we consider we are being responsible with what information is being shared, and with whom, then this should be a rational assessment.
In their June paper, the ICO had specific concerns that placed into question whether this responsibility claim could be defended, in particular the real-time bidding process that underpins the open programmatic market.
Of the six primary concerns outlined, quite a lot of text was dedicated to 1) a general lack of transparency in the programmatic workflow, 2) the obtuse and confusing data supply chain and 3) the lack of risk assessment being conducted by companies involved in programmatic advertising.
It’s these points that I want to specifically call out for brands and publishers and propose some simple considerations - rather than trying to address all six concerns which would be a longer and more protracted piece. But first a comment on each of the current points of view in discussion.
Is OpenRTB invalid or will the IAB Transparency & Consent Framework (TCF) save the day?
There are valid concerns we should all have with open market programmatic. That a publisher can’t audit who programmatic ad requests are shared with, apart from their direct SSP partners, is a problem in compliance terms. To assess and reduce risk, there are a number of options available to publishers and brands, but a pragmatic risk assessment should exclude removing personal data from these ad impressions, or solely relying on the IAB’s TCF.
A binary position that all personal data should be removed from open market programmatic advertising, implying this will be good for premium publishing, is impractical and misleading. If the regulators or industry mandated that no personal data be passed in programmatic requests, advertising revenue will concentrate even further with larger advertising platforms and publishers and others that rely heavily on this revenue stream will lose significantly - and for many terminally.
That said, those assuming the IAB TCF will solve all issues in relation to open market programmatic should be disappointed. As a framework the IAB TCF addresses a number of concerns the ICO have outlined - disclosing processing purposes and providing a mechanism for transmitting consent to participants in the supply chain. For a publisher, however, it doesn’t ensure those participants should be in the supply chain in the first place or provide any way to verify their integrity, and relies too heavily on the vendor to be a good citizen.
There is an open and growing question about the reward that exists in open market programmatic for premium publishers. As yields decline, control diminishes and compliance risks increase, other routes to market for monetising audience from advertising will become a priority. This balance test is broader than GDPR compliance and is influenced by the different regulatory enquiries being made by the CMA.
Some ideas and perspectives
There are some great ideas and solutions that I have been exposed to and exploring on our GDPR compliance journey. For those that haven’t yet been exposed to industry and ICO consultations, here are a few perspectives worth noting:
Work with trade bodies. Understanding this world can be complex and overwhelming. Fortunately, many of the UK trade bodies - AOP, ISBA and DMA - are centralising a lot of the heavy lifting and knowledge for their members, developing great guidance and best practice advice and templates to use. Learn from this work and let the trade bodies do the work on the common processing everyone does, and focus your internal efforts on the edge cases that are specific to your business.
Brands, don’t assume agents are dealing with your advertising GDPR responsibilities. Ask questions and be sure you know where your advertising budget is being spent and that the publishers and suppliers you are working with are compliant.
Publishers, don’t assume that by supporting that TCF you are compliant. The TCF is a great framework for dealing with many challenges, but for almost all is not a whole solution. To reduce the risks in participating in open market programmatic publishers and brands should ask more from their SSP and DSP partners.
Ask them to be clear what fields of data they are collecting and for what purpose, list who they are sharing data and ensure you are able to audit, and be clear on how long different datas are retained for. If you aren’t comfortable with the answers, don’t work with those partners. Simplify your operations. A more complex business doesn’t necessarily drive greater value.
Brands, remember, when someone visits your website, you are a publisher too. “But I don’t run advertising on my site!” I hear you say. No, but you have many tracking tags on your site from ad partners keen to track your visitors and site conversions to improve campaign performance. And in the data compliance world this is the same thing. Brands should be supporting the IAB’s TCF the same as commercial publishers.
Be honest in risk assessments and mitigation options. Don’t accept technical answers to questions provided by product teams or vendors if you don’t understand them. It’s their job to explain things in simple terms, not yours to learn new acronyms. It’s too easy to justify the status quo but the message is clear, the status quo is not sufficient.
Be pragmatic and do a proper risk assessment to balance the risks with the potential rewards. Be confident in your own assessment and don’t be drawn into popular points of view because its an easier path. Most businesses are good businesses with good intentions. Evaluate the risks, actively work on reducing risks, and most importantly make sure they pass the common sense test.
I’m looking forward to the ICO’s AdTech Fact-Finding Forum this week and have high hopes for many getting the clarity they are seeking. What is true is that programmatic advertising will be changing. But a practical and pragmatic path led by publishers and brands will ultimately lead to a better outcome.
Damon Reeve is CEO of The Ozone Project