Love it or hate it, GDPR is coming
As everybody should know by now, GDPR is coming into effect in May 2018. The big question is:
Are you compliant? If your business operates as any part of the supply chain in digital media, you could be facing fines of up to €20m Euros or 4% of your annual global turnover. As an example, for a breach of protocol by say, Marmite, this fine would be linked to parent company Unilever’s global revenue. Some $2bn
The regulation has been created to build privacy by design for consumers and to make it illegal for advertisers to use user data that can identify an individual to then serve them a tailored message unless specific consent has been given.
All personal cookie data falls under GDPR, and it cannot be processed without a GDPR compliant basis. IP address and mobile device IDs are included here too – the reach of the regulations is far and wide.
Consent is now king – if as a user you have not freely given clear, specific, informed and unambiguous consent to a request to use ‘your’ data in order to tailor messaging to you then you will be undergoing a non-compliant experience and you’ll be able to raise a complaint with the ICO.
What does this really mean directly for our industry?
Media owners will not be allowed to sell audience extension campaigns using user targeting, where you push an audience as ‘your users’ off-site.
Media owners will need to figure out how to ask for permission without destroying the user journey and still harvest value from them. With further rulings under discussion about not being able to restrict the media experience of users who refuse to have ads served to them at all, this is going to get complicated.
You are only allowed to collect the data you need. ‘Big Brother’ is not allowed to know about those erm, other sites you may like!
This means as buyers, you can’t run look-alike campaigns, and more importantly cannot use one advertiser data to power another advertisers’ campaign.
I would expect GDPR compliance checks to be an essential service to offer clients
As any kind of data or tech intermediary you will only be able to use the data for the purpose it was originally given, and it will be incumbent upon you to check that what is passed to you is compliant
For advertisers, it is not a fundamental right to reach out to your customers in order to sell them something else. You need specific permission to advertise. It will be interesting what this means for retargeting. Advertisers too are responsible for the supply chain you use being compliant
We should be looking to appoint CDOs – Chief Data Officers to make sure that not only use, but storage and protection of user and customer data is of paramount importance. Compliance is not restricted to media.
We need to move now. There are examples of safety checks happening that are resulting in breaches of UK ePrivacy ruling. Let’s try not have fines on day one.
If you feel that you are already compliant as a UK advertiser under UK Law, you should check as not all measures in place in the UK reach the minimum requirements of the European GDPR ruling, and regardless of your Brexit persuasion, we are still part of the EU.
Some data, however, is excluded from GDPR
- if there is a contractual legal obligation for its use
- if it fulfils the public interest
- if there is a legitimate business interest or there is explicit user consent
Data collected with GDPR compliance is not allowed to be kept for eternity and the user has the right to being forgotten and having their data returned to them in a portable format. You will also have the right as a user to know where and how your data is being stored, what it is being used for, and by who.
We are moving full circle with programmatic media. We have the pipes in place that now allow automatic buying of media in the digital space – these pipes will need to be pointed at data sources that are based on environmental data or confirmed consensual data.
I hope that out of this, we can start returning art to the process of media planning and buying rather than relying too heavily on science.
I encourage regulation in our industry, so I’m embracing the arrival. Let me know if I can help