Can programmatic survive GDPR?

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and is going to impact businesses large and small. No matter who you are, there is no escaping the regulation as all businesses dealing with EU data need to shape up.

The repercussions will be widespread as companies seek to alter how they work, but some sectors are going to find it a lot harder than others. One sector finding it harder than most is programmatic advertising.

Estimated to be worth as much as $64 billion in 2018, the industry has already generated huge profits. But GDPR could mark the end of this lucrative business. Largely controlled by tech behemoths like Oracle, Google and Facebook, programmatic is big business.

It has transformed the face of digital advertising, making the process extremely cost-efficient and reducing the role of ad sales to the point where it is almost redundant. But… it also depends on the free flow and use of data in a way never really seen or indeed envisaged by legislators. This widespread, uncurtailed cross-border use of European citizens’ data will be no more next May.

If you speak to these American companies, they suggest, in somewhat “Trumpesque” fashion, that it’s all going to be fine and they’re not worrying. But should this be the case?

The challenge is made more complicated for programmatic in that practitioners are having to deal with two different, sometimes opposing, changing pieces of legislation – GDPR and the E-Privacy regulation.

GDPR recognises that big corporations have gone unchecked for quite some time. The new regulation is designed to empower consumers, handing back control over their personal data.

It replaces the Data Protection Act, which was introduced in 1998 and therefore makes little mention of online issues. Plus, it’s backed by serious repercussions for non-compliance. With potential fines of €20 million or four per cent of annual turnover, businesses need to play by the rules.

The E-Privacy regulation, PECR today, will almost certainly become opt-in across the board. Many currently rely on a soft opt-in, but GDPR, in collaboration with the E-Privacy regulation, consigns that to the bin, forever.

Consent under GDPR must be “freely given, specific, informed and unambiguous”. This regulation is still in debate in Brussels and could yet deliver the killer blow of demanding “explicit” consent, which would in fact consign the vast majority of digital marketing to the annals of history.

There are other challenges for the programmatic sector to deal with.

Right to erasure

The technicalities present an issue for programmatic advertisers too. One of the key principles of GDPR is the right to erasure. Otherwise referred to as the ‘right to be forgotten’, this will allow individuals to withdraw consent and request that their historic data is erased.

For this to be made possible, companies must keep an accurate record of every path, click-through and transaction made, which causes issues for those using programmatic. It is almost impossible to determine how data is being used and who is using it, therefore making it difficult to ensure compliance.

Obtaining consent

Under GDPR, consent must be given freely, and businesses must be able to prove they have it. Duping customers into sharing their data is a thing of the past; pre-ticked boxes will no longer be acceptable, and any business caught using data without the appropriate levels of consent could face serious consequences. Obtaining any type of consent will be a huge challenge for anyone using programmatic.

There has been a great deal of debate around the use of cookie opt-in to ‘get around’ these issues. Some believe that any current cookie opt-in would fulfil the requirement to be either informed or unambiguous and is never going to wash with the regulators. Further, cookie opt-in is scheduled to move to the settings box and will then be regarded as far too broad to constitute consent of any kind.

Industry debate

As with any legislation as complex as GDPR, there will inevitably be instances where the rules are not black and white. For example, active consent may not apply in circumstances where businesses have a legitimate interest in contacting customers. Nearly everybody has a contract of some kind, whether it’s for a phone, broadband or household energy.

In this instance, businesses would not need to obtain active consent to contact customers about their contract, but they would need permission if they were to market to them. Things have moved on from “can we have your data?” to “we’d like it, to do this, and to talk to these people about that”. Today it’s a more sophisticated discussion.

Also, marketers may need permission to use insight analysis, the application of behavioural targeting techniques, which identify patterns and preferences through unidentifiable data.

Alternatively, other approaches which do not rely on personal data, such as contextual advertising, can be done without active consent. However, these methods often only form part of a broader marketing strategy, so it’s unlikely that any advertisers will fully escape the effect of GDPR.

With so much money at stake, GDPR is inevitably going to be met with a level of resistance by certain companies. However, GDPR is law and will have to be taken seriously to avoid damaging financial repercussions.

Many can expect to return to a more human-focused approach to marketing, with increased certainty over who is being targeted and direct accountability if mistakes are made. Not only will this ensure compliance, it will increase trust between brands and consumers.

In today’s competitive markets, this will satisfy a recent demand from consumers, who have more choice about which companies they spend money with, and who will soon have more control over their data.

With just over six months to go until GDPR implementation, it is likely that the “big boys” with programmatic interests will create a stink about the technical specifics and about ensuring compliance.

But Brussels is not listening, and the programmatic boys have arrived very late to the party. There remains a significant role for programmatic, but for largely controlled audiences more closely affiliated to CRM programmes or loyalty schemes.

As this legislation cracks down on current data practices, there will be a welcome return to more personal advertising, and more engaged audiences facilitated by people rather than machines.

Sourced by Mark Roy, founder and chairman, REaD Group

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.
