GDPR: What Does It Mean For The Digital Advertising Industry?

The biggest change to data privacy in more than 20 years.

When you browse the Internet, you probably don’t think much about the data you might be generating. But companies do think about your data, and are aggressively collecting massive amounts of user data including names, email addresses, contact information, browsing histories, IP addresses, geo-locations, and more.

They claim to use that data to improve the experience they can offer users, and serve them more targeted and relevant content and advertising, but that’s usually done inside a black box where users have little to no control over how their data is collected, stored, bought, sold, and used.

All that’s about to change, however, as the European Union is set to roll out the General Data Protection Regulation (GDPR), a new regulation designed to control the way companies can collect, store, and use customer data, and give more power back to the user.

“The EU is set to roll out a new regulation to control the way companies collect, store, and use customer data.”
“Companies are aggressively collecting massive amounts of user data.” Photo by Tirza van Dijk

When GDPR goes into effect on May 25, 2018, it will be the most important change to data privacy regulation in more than 20 years. This post provides an overview of the General Data Protection Regulation, and how it will affect Internet users, advertisers, and publishers.

What Is The General Data Protection Regulation?

The GDPR replaces the Data Protection Directive that has controlled data privacy in the EU since 1995. According to the official homepage of the EU GDPR, it was, “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy.”

Data can include a wide array of different things, but GDPR defines it as, “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

“Even if you don’t live in the EU, the GDPR may affect your online experience.” Photo by Slava Bowman.

Even if you don’t live in the European Union, the GDPR is likely to affect your online experience, since it applies to all companies processing and holding the data of any person residing in the European Union, regardless of the company’s location.

If a single EU citizen visits a company’s website, that company is required to comply with the GDPR or risk significant penalties, including fines of up to 4% of their annual global turnover, up to €20 million. This means international companies will likely take a ‘better safe than sorry’ approach to complying with the GDPR, and roll out changes for every visitor to their website.

“I think ultimately we will be glad that the European Union focussed upon this set of legislation which ultimately makes it a global set of legislation. I think similar legislation will develop throughout the world.”
Adrian McDonald, EMEA President, Dell EMC

Users Gain More Control Over Their Data

You might not think much about the data that’s being collected about you as you browse the Internet, but you’ll probably recognize one of the biggest uses of that data: retargeted ads. If you’ve ever shopped for something in an online store, only to be followed around the Internet by ads for that item, your data is being used by companies to track and target you. One HubSpot study found that 79% of users feel that they’re being tracked as a result of retargeted ads, so these ads don’t go unnoticed.

For Internet users, there are a number of key benefits to the GDPR:

  • Data Consent — Users must be notified when their data is being collected, what is being collected, and actively consent to the collection of that data.
  • Right To Access — Users will now have the right to know whether or not their personal data is being collected and processed, where it’s being processed, and for what purpose. They can also correct any errors or inaccuracies in that data. In addition, any company that collects personal data is required to provide a copy of that data to the user, free of charge, in an electronic format.
  • Right To Be Forgotten — Also known as Data Erasure, this means that users will have the ability to request their personal data be erased, cease further dissemination of their data, and potentially have third parties stop the processing of their data.
  • Data Portability — This gives users the right to receive a copy of all the personal data that has been collected about them, and give that data to another company.
  • Breach Notification — If a data breach is likely to “result in a risk for the rights and freedoms of individuals,” then the company that was breached must notify the government and users within 72 hours of first becoming aware of the breach.

Advertisers Must Be More Transparent

Previously, advertisers could target users with data they gathered or purchased from basically any source, and do so without the explicit knowledge or consent of the users they were targeting. That will all change under the GDPR, and as AdWeek emphasized, advertisers must now get unambiguous consent from any user they wish to target, must be much more upfront with how that data is being used, and must provide a way for users to erase their data if and when they choose.

“Companies will likely need to maintain their own Data Management Platform.” Photo by Carlos Muza

It’s not just the advertising itself that will need to change. Users need to be able to opt-in and opt-out within digital creative as well as any websites or landing pages that creative points to. To provide this level of control, companies will likely need to maintain their own Data Management Platform, or DMP, and not just rely on their ad-server to manage and maintain compliant data.

To become GDPR compliant, advertisers are going to need to budget a sizable amount of time and money. According to a PwC survey of American, British, and Japanese executives of 300 big companies in the process of becoming GDPR compliant, 40% said they had spent more than $10 million, and 88% said they had spent more than $1 million.

Publishers Must Get More Involved

GDPR makes every part of the advertising supply chain responsible for compliance, so publishers aren’t off the hook when it comes to gathering, storing, and using data. A sloppy data partner or ad tech vendor can jeopardize their business, so publishers need to make sure any vendor they work with is going to be GDPR compliant as well.

To prevent a rogue third party from violating the GDPR, publishers will likely limit the number of third-party tags they allow on their sites, which could reduce the revenue they generate by providing access to their users’ data. Ensuring compliance means publishers will likely have to review and renegotiate many of their existing third-party vendor agreements, which is going to take time and money to complete.

“Publishers will likely have to review and renegotiate many of their existing third-party vendor agreements.” Photo by Helloquence

If there’s an issue with how data is being used, the first call a data protection authority makes will likely be to the publisher, so publishers need to be confident that the companies they work with are also compliant. This may result in a decrease in programmatic advertising network usage, as these networks can sometimes be used by “unauthorized buyers that can exploit their data for audience modeling, insights and retargeting via programmatic bid requests and code inside ads,” according to AdExchanger.

GDPR Creates Challenges and Opportunities

The Internet runs on data, and there’s tremendous value in gathering, processing, and using that data. GDPR doesn’t cut off the flow of data, but it does put restrictions on it, and gives more power to the user.

While GDPR creates challenges for advertisers and publishers, it also creates opportunities for companies that are able to be more transparent with their data, that can quickly develop new and improved ways of managing data, and that show they respect their users’ privacy.