GDPR is Fast Approaching: Are You Ready?

A new era of enhanced online privacy is around the bend. The General Data Protection Regulation (GDPR), an update to the 95 Privacy Directive, which is currently the law throughout the EU, will explicitly hold accountable any marketer that 'utilises online identifiers' such as cookies, email addresses, IP addresses, etc., that are considered personal data under GDPR. And while most will view GDPR as an EU-only issue, it will have a widespread impact on all of marketing and ad tech regarding how they operate across borders, writes Keith Petri, chief strategy officer, Screen6, exclusively for ExchangeWire.
The heft of the new regulations, which give more control and transparency regarding data use to European consumers, will impose many additional, potentially cumbersome, requirements on the entire ad tech industry. For example, GDPR grants users new data access and portability rights and imposes strict controls on sub-processors of personal data. Moreover, unlike the 95 Directive, GDPR imposes liability on data processors in addition to data controllers – those companies that work with the data to better understand audiences.
As a result of these new regulations, there could be a seismic shift in the digital ecosystem when it comes to which tech providers are responsible for adhering to the new standards. Equally important to adherence to the new rules is fostering the precedent for compliance and the burden of responsibility – one specific relationship dynamic that will be affected is the communication between demand-side platforms (DSPs) and sell-side platforms (SSPs). The big question is: how will both sides collaborate to determine consent?
Today, audience segmentation, and the privacy onus, are primarily seen as demand-side responsibilities. DSPs need to integrate with audience segmentation vendors and third-party data providers, and build audience segments based on location and other identifiable information. As a result, they have all of the responsibility to comply with groups such as the NAI.
Today, SSPs only manage the ad space inventory. However, with GDPR, there could be new 'consent requirements' for publishers, and possibly third parties, that could make it necessary to have consumers opt in to tracking, changing the responsibility significantly.
Any technology that is building a profile on a consumer will need to get an explicit opt-in by the visitor on a publisher’s page. There are nuances in the understanding of the GDPR text, which will affect how consent is determined – explicit consumer opt-in is required, but some would argue that legitimate interest might suffice. This means that if a publisher works with one SSP, and that SSP works with ten DSPs via cookie-syncs, then the individual visitor to the publisher's website will potentially need to opt in to the publisher tracking them, the SSP tracking them, and each of the DSPs that get their data.
Publishers simply won’t want to have hundreds of popups appear where you need to opt in to each company being able to track you through cookies just to monetise their website – let alone analytics and other service providers. This approach will only lead to bad, even costly, end-user experiences. As a result, they are most likely going to cut down on their waterfall by limiting the number of SSPs that are integrated, as well as data partners.
One potential solution to simplify this process is to look at the way private marketplaces (PMPs) operate today. PMPs, similar to the known IO business model, report single publisher inventory at a set price or set creative to an exchange.
The same functionality that allows PMPs to be communicated to demand-side businesses allowed the facilitation and delivery of deal identifiers (Deal IDs), which represent inventory available across multiple publishers, but filtered by a specific audience. If these audiences are built by the SSP under the opt-in gathered by its direct interaction with the visitor, then there would be no need to sync identifiers with the buy-side, and this would limit the number of explicit opt-ins required in the current chain.
The functionality that supports PMPs is single publisher, single deal passed to the buy side, whereas Deal IDs can span multiple publishers while delivering a specific audience to the buy side. With this in mind, SSPs can build a Deal ID with an audience of 18-29-year-old males with an annual income over USD$55,000 who are Auto Intenders. They can build and pass that segment across any of their publishers without any duplicative opt-in requirements of the site visitor.
If consent is the mechanism that companies choose in order to secure the right to process their data, as described above, it sounds like a lot of manual consent mechanisms (read: popups) intruding on the user’s experience, given the complexity of the digital advertising industry and the number of vendors necessary to facilitate a transaction. We’ll see how the adoption of GDPR pans out in the coming months between granted consent versus passive signals of legitimate interest.
All ad tech companies should be taking steps to be compliant with the new privacy regime. It’s important to note that the GDPR may impose compliance obligations on both agencies and advertisers that are distinct from those imposed upon third-party data processors. Any ad tech entity that is building an audience should be investigating alternative and future-proof solutions.