How will the GDPR affect adtech and martech? Nobody really knows.

In May of 2018, or, “Way too soon” if you ask most adtech or martech companies, the General Data Protection Regulation will go into effect.

The reason that marketing and advertising technology companies might be apprehensive about the encroaching deadline is that many of them are operating in ways that run contrary to the regulation, which is a set of laws that become immediately enforceable in all EU member states on May 25.

The new laws that make up the GDPR address concerns regarding personally identifiable information (PII); specifically, the method in which a business collects data from citizens of the EU, the protection of that data, and the ability to which citizens of the EU can control the use of their data.

For a thorough and approachable overview of the GDPR, I recommend this pdf from Bird and Bird: “Guide to the General Data Protection Regulation”

The most important laws for adtech and martech companies to study in the next few months have to do with consent; they stipulate that:

  • Before any PII (or data that is specific to an EU citizen) is collected, the “controller” or “processer” (business that handles the data) must obtain consent from that individual to collect the data.
  • The agreement between the EU citizen and the business has to be a clearly written statement of what data will be collected and what the business intends to do with it.
  • Also, any EU citizen who agrees to the data collection must have the ability to withdraw their consent. Plus, they can request that all of their data be deleted, as well as to receive a digital copy of all personally identifiable data that the business has collected.

In all, the GDPR affirms the rights of EU citizens to control the use of their data and any data that is specific to them; it also enacts serious fiduciary penalties against companies that are proven to have broken the laws contained in the 88-page regulation.

You can look at any of the bullet points above and see right away the problems that these new laws pose to any business utilizing advertising and marketing technology; for instance, take bullet point #1 and think about how cookie-based retargeting works.

A user loads a company’s webpage, and within that webpage is a “cookie;” a piece of code which is stored on the user’s device within an innocuous folder. Then, when the user visits other webpages which use certain advertising networks, such as Google DoubleClick, that advertising network is able to see what cookies that are on the device and therefore identify specific users.

The company who owns the original webpage can create audiences on multiple advertising networks, and then bid against other advertisers to try and reach those users on other websites. Hopefully that makes perfect sense.

Adtech and martech will have to do an as-near-to perfect job as they can explaining how their technology works to the users that interact with their services, since many of their services record data that is personally identifiable.

These companies will have to obtain consent from each user before continuing to operate after May 25, and that agreement has to include detailed information about what data is being recorded, what it will be used for, and what other companies are involved in the processing of the data. They also have to obtain consent if the data being recorded ever leaves the EU, and there are special considerations made for activities that qualify as “profiling,” or, automated decisioning based on user-specific data.

Now, to put the idea that these companies must obtain explicit, informed consent from users into a ridiculous perspective, here is the “LUMAscape” — a map of the advertising and marketing technology landscape.

Bird and Bird said in their guide to the GDPR, “Recital 42 also notes that consent will be informed only where the data subject is aware of (at least) the identity of the controller and the intended purposes of processing.”

Some advertising campaigns utilize multiple advertising networks, making bids on multiple ad exchanges, and advertisers may use multiple DMPs to store their audience targeting and performance data.

Meaning, for any single ad impression, there might be a dozen companies involved in handling personally identifiable information. Plus, the route that the PII takes through these companies is complex.

Herein lies the problem, then: for consent to be “informed,” the subject giving the consent has to understand the processing that will happen and know the companies that are involved. Conveying that information may be technically difficult, as the amount of processes and companies on the LUMAscape grows.

Here’s another problem: consent to data monitoring cannot be mandatory for any services. The line from the regulation about this goes:

“the performance of a contract, including the provision of a service, is dependent on the consent, despite such consent not being necessary for such performance.”

Meaning, if an adtech or martech company doesn’t receive consent for a specific instance to use PII, they can’t complete that instance.

What remains unclear, though, is which companies on the LUMAscape need to obtain consent for certain actions. If companies are designated as “processors,” meaning they process PII and don’t determine the business use of it, they don’t need separate consent from each user involved in the processing. This distinction is unclear just by nature of the GDPR not being enacted yet; there will surely be disputes over this because companies will instinctively wish to be within the more lenient class of processor.

There is another large aspect about the GDPR that remains unclear, and that is what the EU citizens will or will not consent to, and how many of them will outright object to all data monitoring. If today’s adblocking technology can serve as a proxy, that would suggest that around 25 to 30 percent of EU citizens would refuse all data monitoring. Though, not everyone has been specifically asked if they would like to download an adblocker, so in reality it could be more than 30 percent of EU citizens who choose to stay completely anonymous from businesses.

I think the advertising technology that will be most affected by these new laws is pixel- and cookie- and IP-based retargeting, just by the very nature of digital forms. Completion rates are always lower than you expect, and if in order to load a cookie onto a user’s device you must first explain to them all of the different services their information will be passed through, then get them to confirm their consent, don’t expect a 99% form completion rate. The coming May 25 deadline really represents a cliff, then…for instance:

If a significant amount of users opt out of allowing a retargeting cookie to be loaded on to their device from a retail brand’s website, then the various advertising efforts that incorporate retargeting may cease being cost-effective, due to the sudden drop in available users and commensurate drop in available ad inventory.

This is a microcosm of what will happen to adtech and martech generally, due to the General Data Protection Regulation: less users will be available for these services to interact with, and the relative cost to advertisers will increase. That is pretty much certain.

There is a benefit for adtech and martech from the GDPR that I can think of , and that is accuracy. The GDPR contains specific laws that in combination mean it will be a crime for a company to attribute false information to an individual from the EU, which is a rather large incentive for adtech and martech companies to improve the accuracy of their algorithms and input processes…the fines for breaking these and many other laws in the GDPR reach into the 8 digit zone, and to every company except the largest handful, that would be an insurmountable penalty.

On a happier note, if companies are forced to have more accurate systems for recording data, then the data that is generated from those compliant systems should be more valuable; there may even be new insight capabilities created just by the nature of these new laws.

The best case scenario for the GDPR and how it affects adtech and martech in the long-run (think 10 years…) to me looks like this: Companies adopt more unified, less complex strategies for digital marketing, and in turn, customers become more engaged with personalized services and provide more accurate data to the businesses they are loyal to. In such a scenario, the customers would end up learning about themselves and benefiting just as much from their use of these services than the businesses that operate them.