GDPR – The Ad Tech Industry Gears Up for Change: A Collective Q&A
by Sonja Kroll on 22nd Mar 2018 in News
2018 is set to be a year of disruption for the advertising industry. While fighting against fake news, invalid traffic, and a lack of transparency, the industry has another challenge to address: GDPR. Brands and agencies are coming together to understand the implications of the new regulation and how to comply with it; frameworks like the IAB's GDPR transparency consent framework have been published. But how are technology partners gearing up for the change? In this collective Q&A, dataxu, Rubicon Project, Sizmek, Adform, Quantcast, and AppNexus share their plans and preparations for GDPR, with a focus on how companies expect GDPR to affect the availability of data for advertising.
While every company is working towards its own plans, there is a unanimous view that an amazing opportunity lies in the new regulation: GDPR will help calm consumers’ concerns about their personal data. The regulation will help the industry create a clearer, more open interaction with consumers and, ultimately, improve transparency across the ecosystem. We asked some of the industry’s leading experts a number of questions relating to GDPR. Here’s a snapshot of the different preparations and expectations out there at the moment.
ExchangeWire: When did you begin preparing for GDPR and what were some specific actions you took both for your own internal compliance, as well as for your platform/services?
Zareena Javed, Corporate Counsel, dataxu: "dataxu began preparations two years ago, engaging deeply with our counsel in the EU. We developed a detailed project plan that initially began with a data-mapping exercise across our platform, HR, IT, and marketing groups. A cross-functional team called 'Team Voltron' has worked diligently on our project plan and will be ready in time for May’s deadline."
Eve Filip, VP, Deputy General Counsel & Data Protection Officer, Rubicon Project: "We started preparations in 2016. We appointed a DPO to manage our compliance and have been executing against our compliance checklist throughout 2017. We have been augmenting our platform support for user requests, in response to Chapter III of the Regulation. We have also been conducting an extensive review of all recipients of EEA personal data to ensure that such recipients can adequately protect the data in accordance with requirements of the regulation."
Ari Levenfeld, Chief Privacy Officer, Sizmek: "Sizmek began preparing for GDPR four years ago, even before the law had been passed in the European Union. The law is unprecedented in its potential impact to the digital advertising industry, so we have taken this very seriously from the start. We recognise that we have a responsibility to help our clients navigate complex and important laws, rules, and regulations. As a result, it was important to us that we took action early, as compliance requires significant effort, understanding, resources, and development time."
Jochen Schlosser, Chief Strategy Officer, Adform: “Adform has been a processor of personal data already since 2013 and, as a result, has been acting accordingly for years. Specific preparations to meet detailed requirements of GDPR then started in mid-2016. From then on, we started to dive deep, as the overall impact of GDPR came to light. The main effort was from 2017, when we built a library of compliance documentation for our clients and added several thousand days of development tasks for right-to-be-forgotten, data-retention processes, and processing consent signals.”
Ghita Harris-Newton, Chief Privacy Officer & Deputy General Counsel, Quantcast: “Quantcast has been preparing for GDPR for over a year and a half. In addition to playing a central role in the development of IAB Europe’s Transparency and Consent Framework, standard best practice with any changing regulation is to conduct a ‘gap analysis’, to determine if any of our current practices weren’t already meeting the requirements of GDPR. Quantcast’s principles of privacy-by-design, and giving consumers control over their data, closely match the objectives of GDPR, so we were already on track in many areas.”
Julia Shullman, Deputy General Counsel, Commercial & Privacy, AppNexus: "Our previous head of privacy was involved from the beginning, as GDPR was being drafted and adopted in Brussels, and we began preparing from that point. Internally, we put together a cross-functional team including legal, engineering, operations, communications, and commercial leaders. We also partnered with others in the industry, including the IAB Europe, peer technology companies, and our clients, to ensure we fully understand the regulation, the various interpretations and confusion surrounding it, and its implications on our technology and the broader industry. We will meet its requirements, as they are understood and interpreted today, while keeping consumers’ privacy and rights top-of-mind, ensuring our publisher clients can continue to provide their services, and enabling our advertiser clients to continue to serve advertisements to the audiences they wish to reach."
How will publishers and advertisers obtain GDPR consent and then activate that data for advertising/marketing?
Levenfeld: “The GDPR does not explicitly require consent. However, there are some who argue that the intersection of the soon-to-be-enforced GDPR with the already existing ePrivacy Directive means that the only lawful basis for accessing a consumer's device and processing personal data is when consent has been obtained. So, it's essential that publishers, advertisers, and ad-tech providers all work together to obtain consumer consent and transfer it to those who it has been granted to, in a standardised way. Sizmek is working with a number of different providers to create a standardised way for obtaining consent.”
Javed: “Whether processing personal data based on consent, or any other basis, we believe that publishers/advertisers will need to convey more clearly the processing that will happen and the idea that other parties may utilise that data as well. We like the IAB’s current technical spec and framework, because it allows for flexibility in basis for processing decisions, but ensures that parties know which data subjects may receive advertising and which should not.”
Schlosser: “Although many are preparing for different opt-in scenarios, it is our understanding that most publishers will keep this as a plan B and will preferably use Legitimate Interest as legal base in the near future. However, heavy preparations are under way to adapt to the changes that are on the horizon with the new ePrivacy regulation in later years. When it comes to handling consent in the future, all relevant actors are aiming to provide the necessary (higher) levels of transparency, e.g., into the categories of data processing, while living up to the requirements of 'unambiguous consent' for cookies.”
Harris-Newton: “Consent for setting cookies has been one of the most challenging aspects of GDPR. So, we’ve been looking at developing a solution with the IAB Europe that balances flexibility and control for companies on the one hand, and user experience, transparency, and choice on the other. Companies may wish to develop their own approaches, but this could lead to inconsistency within the market and companies would be unable to communicate easily whether visitors have given consent to the website and its partners to set cookies. Without a common language, consumers would see irrelevant advertising, meaning they’d be less likely to engage with it.”
Shullman: "Although it seems to be the only broadly discussed aspect of GDPR, the regulation isn’t just about consent. In fact, there are six different grounds a company can rely on to process personal data. Consent is just one. The real reason consent needs to be discussed is because of the interplay between GDPR and the current ePrivacy Directive which, as implemented in most countries in Europe today, requires some form of consent to access a user’s device. GDPR, meanwhile, requires greater transparency and control for consumers, and for publishers and advertisers to dynamically inform their users about how their data is used and, in certain instances, gain consent from those users for various uses of their data.
"Companies need a standardised method of exercising greater control over the parties who can access their users’ devices and collect their data, the ability to offer dynamic and real-time transparency to their users about who those parties may be, and what they’re doing with users’ data and, finally, gain and pass on consent, where necessary. The IAB Europe Open Transparency and Consent Framework has a specific and limited remit: to create technical specifications and pipes that enable publishers working in different countries and regulatory regimes to meet local transparency and/or consent requirements. This includes a standard infrastructure to provide transparency to end users and pass information between publishers and their technology partners without imposing a single policy interpretation. We’ve been working closely with partners and clients in the industry to develop that standard."
Do you expect a significant drop-off in available data for advertising/marketing after the GDPR is effective?
Levenfeld: “It depends on how much time and energy different companies put into their GDPR-compliance efforts. Those that have prepared, and planned for multiple contingencies, should see less drop off than those that do not think the law applies to them, or feel overwhelmed, and as a result have not prepared.”
Javed: “We do not predict a material drop in data availability and other data partners plan to continue to provide data at scale. Some advertisers may wade in slowly to see the impact of the regulation over time.”
Schlosser: “No, not a general drop-off, but some publishers, advertisers, and ourselves, are scrutinising the significant cookie-matching happening, which in certain cases is unnecessary. Consequently, a reduction in the number of third-party cookies on some websites could come at some point, but we believe that it would likely affect smaller unknown platforms or enterprises that might be considered risky for publishers to synchronise with. There are, of course, certain studies pointing in another direction, but it is not our belief that a general drop will happen at a significant scale.”
Harris-Newton: “The jury is still out on the impact of GDPR in many parts of the advertising industry. While publishers may see a short-term dip in traffic as consumers get used to the new requirements of giving consent, we’re confident that, with the IAB Europe Open Transparency and Consent Framework, publishers will be able to continue to deliver relevant online advertising at scale. In the age of ‘fake news’, access to reliable and trustworthy news and information has never been more important. The majority of online news today is funded by advertising; and we’re optimistic that consumers will understand this value exchange, and help publishers continue to thrive post-GDPR.”
Shullman: “What exactly will happen after 25 May is not clear. But, we think much of it could be for the better, including driving more trust in the system and removing bad players. In terms of trust, GDPR will give consumers more insight into, and control over, how their personal data is collected and used. We believe this knowledge and control will provide consumers with a greater understanding of – and confidence in – the advertising ecosystem that finances the online content they consume. Additionally, these changes are a great opportunity to clean up the market by giving consumers, publishers, and marketers more control over which vendors and partners they trust to monetise their content and deliver advertisements. Those who play by the rules and act in a transparent and trustworthy manner are best able to drive a better, more trusted marketplace for everyone, especially consumers.”