In this piece, Ivan Guzenko, CEO, SmartyAds, outlines that the whole concept of programmatic advertising is based on accessible user data, allowing brands to deliver their messages to exactly the right audience. Therefore, the programmatic buying model is the area where we have to turn to a certifying authority to provide trust. Historically, companies have been using third-party data, getting instant access to audiences. This need has led to the success of various certifying centres that function as arbitrators. Google and Facebook have become the most successful of such certification centres.
The General Data Protection Regulation (GDPR) is part of a larger trend, where companies and regulations are moving to protect consumers from third-party data brokerages – which make the ad-tech world go round. This creates new challenges surrounding the handling of consumer data, together with the growing concerns over transparency and fraud still plaguing the industry. That’s when the question of providing additional transparency and switching back to first-party data first arose.
The GDPR mainly aims to protect the personal data of EU citizens. But U.S. companies that aren't physically present in the EU collect most of the EU subjects' personal data over the web. They already follow existing data security standards, but now will also have to protect it under the GDPR’s rules.
According to the GDPR's new requirements, a person can request Google to remove certain results that mention their personal data. If this person is an EU citizen, they will have this right, and Google will have to follow. Otherwise, its European structures will be sanctioned.
The challenge to third-party data
The problem for advertisers and their vendors is that under the GDPR user consent is required in order to apply personal data to media. But complexity in the programmatic universe makes that a difficult task. Essentially, there is little clarity as to what approach third parties will, or can, take when it comes to gaining users’ consent. The GDPR itself was designed to provide greater transparency between organisations that collect and control data, and people to whom this personal information belongs (data subjects). But that raises another question: how exactly can the first-party data holder share that data and comply with the enacted regulations?
With the current state of the programmatic industry, switching to first-party data would be equal to going blind. Most DSPs utilise DMP data. Therefore, DMPs themselves have to think about the transparency of the data. Advertisers should look for some workarounds. For instance, there is a huge debate regarding the usage of blockchain in ad tech. Nevertheless, based on the SmartyAds Blockchain Ad Stack experience, the integration of blockchain successfully addresses the data transparency issue. But using blockchain also has some peculiarities to keep in mind when it comes to applying the GDPR guidelines.
Blockchain vs GDPR
With blockchain technologies emerging, we have new ways to further strengthen data-ownership, transparency, and trust between entities. Companies can use blockchain technology to meet the strict guidelines outlined by the GDPR. Even though it’s not a fail-proof solution, it still is one way to go.
If we think about some of the requirements of the GDPR, we might start to see that the basic properties of blockchains can be both pros and cons for compliance. The blockchain itself was designed to keep users' anonymity, unless they agree to reveal it. Therefore, there is a paradox when the GDPR regulations are applied to the blockchain.
There are a few main traits of blockchains that make them both a benefit and a challenge for data protection. First of all, blockchains are distributed and decentralised. Because of this, it is almost impossible to identify the person responsible for the data. Second, there is the fact that blockchains are public, which means that all information on the blockchain is accessible to everyone. Thirdly, blockchains are not editable, meaning you can’t make changes to the personal data they contain.
Also, the GDPR is essentially about data subjects' rights. The goal of GDPR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world”. So, the fact that blockchain protects identity by making data almost unidentifiable is a good thing.
However, other rights the GDPR focuses on, such as the right to access, to have incorrect data rectified, and the right to erasure, are just as important. Here, blockchain might not be so beneficial. In GDPR terms, an EU resident may request that their details be deleted from the system. But the data on the blockchain cannot be deleted or modified at a later date. This contradicts the right to erasure, or the right to be forgotten. Since throwing away your encryption keys is not the same as ‘erasure of data’, GDPR prohibits us from storing personal data on a blockchain level.
In the same manner, the very fact that the identity of the data subject is completely hidden makes it hard to comply with the GDPR's right to access or to rectification. If blockchains are to be used, then the organisations will have to abide by the GDPR.
Such contradictions stop us from using the technology to its full potential. Despite this, a few possible solutions can be traced to fix the problem of reconciling the GDPR edicts with the blockchain system:
- Do not record personal data on a blockchain: However, this drastically reduces the usefulness of blockchains for any public application.
- Record personal data pseudo-anonymously: However, postal addresses, phone numbers, and even IP addresses can’t be recorded pseudo-anonymously, as they can be used to track down the person behind the data.
- Encrypt the data on the blockchain
- Store the data in a referenced encrypted database and include a hash of the data on the blockchain: The hash will confirm that the data in the database has not been tampered with, but no actual identifiable data will be present on the blockchain itself.
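The last option in the list, sketched as an added example that is not code from SmartyAds or from the original article: personal data lives in an off-chain store, the ledger holds only a hash, and an erasure request deletes the off-chain row. The names `store`, `verify` and `erase`, the in-memory `ledger` and `off_chain` stand-ins, and the per-record random salt are assumptions of this sketch; encryption at rest is assumed to be handled by the database and is not shown.

```python
import hashlib
import hmac
import json
import os

ledger = []     # append-only stand-in for the blockchain: holds hashes only
off_chain = {}  # stand-in for the referenced database (encrypted at rest, assumed)

def _commit(salt: bytes, record: dict) -> str:
    # Canonical JSON so the same record always produces the same hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + body).hexdigest()

def store(record_id: str, record: dict) -> str:
    """Keep personal data off-chain; append only its salted hash to the ledger."""
    salt = os.urandom(32)  # assumption: a per-record salt, so the hash cannot be guessed from likely values
    off_chain[record_id] = {"salt": salt, "record": record}
    digest = _commit(salt, record)
    ledger.append({"id": record_id, "sha256": digest})
    return digest

def verify(record_id: str) -> bool:
    """True only if the off-chain record still matches its on-chain hash."""
    row = off_chain.get(record_id)
    entry = next((e for e in ledger if e["id"] == record_id), None)
    if row is None or entry is None:
        return False  # erased, or never stored
    return hmac.compare_digest(_commit(row["salt"], row["record"]), entry["sha256"])

def erase(record_id: str) -> bool:
    """Erasure request: delete record and salt off-chain; the ledger is untouched."""
    return off_chain.pop(record_id, None) is not None
```

The record identifier written to the ledger should itself be a random value rather than anything derived from the person, since it stays on the chain after erasure.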
The GDPR creates a challenge not only within the EU – the regulations will affect global operations. Although the GDPR is European Union legislation, it applies to any company that handles European citizens’ data. Still, no one really knows how non-EU companies will comply or how breaches will be dealt with. Yet the implementation of the GDPR within ad tech is under control. IAB has already provided recommendations on how to address the matter. Their OpenRTB GDPR Advisory provides advice to programmatic advertisers on how to use the OpenRTB protocol to “share user consent information among publishers, buyers, and data companies in a real-time bidding transaction”, according to an IAB press release.
And IAB's Transparency & Consent Framework aims to help publishers, advertisers, and technology companies comply with key elements of the GDPR. The Framework will give the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content.
As is always the case, additional legislation brings additional overheads, and the GDPR in relation to blockchain is no exception. However, there are solutions waiting to be tried out. And, as we gain more clarity on how the EU intends to apply the GDPR in a practical manner, so the approaches to blockchain implementation and application should become clearer.