Home Data-Driven Thinking Most Ad Tech And Mar Tech Companies Should Stick To Data Processing

Most Ad Tech And Mar Tech Companies Should Stick To Data Processing

SHARE:

maciejzawadzinskiData-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Maciej Zawadziński, CEO at Clearcode.

Control and security over customer data, especially personally identifiable information (PII), is a hot-button issue among advertising tech and marketing tech companies due to the wide array of regulations and stiff penalties for noncompliance.

Any company that touches customer data is labeled either as a data processor or data controller. On the surface, the distinction seems one of semantics, but in reality, the implications of being one or the other carries serious weight and potential consequences. For ad tech and mar tech companies, one is definitely more desirable than the other.

A data controller is a company that is responsible for adequate treatment of the data. It determines the purposes and processes for which any personal data are to be used or processed. A company that uses a marketing automation or ad retargeting tool, for example, could be considered a data controller.

A data processor serves as the intermediary between the data subject – the individual customer using the app or visiting the website – and the data controllers, which may also include tool or service providers, specialized analytics consultants or digital and media agencies that process data on behalf of the data controller.

Typically, marketing cloud vendors and providers of standalone ad tech and mar tech software-as-a-service (SaaS) solutions that store data, including PII, are considered data processors. This is because they don’t use the data for any purpose other than what is mandated by the data controller, their customer. They simply provide software for the data controller to use at its own discretion.

There are some situations where a B2B ad tech or mar tech company could be both a data controller and processor. For example, an email marketing software vendor used by brands to market to consumers is a data processor because it processes end-consumer data for its brand customers. If this email marketing software vendor were to also provide market research services to its brand customers using the same data, it would also be a data controller.

While data can be as valuable as physical currency for marketers and control over this data has many revenue-driving benefits, my take is that it’s more favorable and safe for ad tech and mar tech companies to hold as few data controller roles as possible and vigilantly not use collected data in any way that crosses into data controller territory. This is especially true for companies located in or have customers in the European Union, due to the recent EU data protection overhaul.

This is for a couple of reasons. First, data processors have fewer regulatory requirements than data controllers. These responsibilities concern the necessity to keep personal data secure from unauthorized access, disclosure, destruction or accidental loss.

Second, there are fewer legal liability risks attached to being categorized as a data processor versus a data controller. Under the new EU General Data Protection Regulation, “Data controllers could face more severe regulatory fines than data processors for failing to keep personal data appropriately secure.”

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Additionally, “If data processors are at fault for data breaches then it is the data controller who contracted with them who is on the hook for any noncompliance with data protection laws, although the data processor could be liable to the data controller under their contract.”

This isn’t to say that data processors are free of all responsibility. Ad tech and mar tech companies that are considered data processors should have a data processing agreement that they can sign with customers and should also assign a data protection officer to ensure they comply with all data processor obligations, regardless of what the letter of the law requires.

The regulatory framework along with definitions of data, PII, processing and controlling will likely continue to evolve. Most importantly, although there are often competing interests, risks and benefits, data processors and controllers should work together toward the same goal of ensuring all customer data is secure and used properly by all parties at all times.

Follow ClearCode (@clearcodehq) and AdExchanger (@adexchanger) on Twitter.

Must Read

Scott Spencer’s New Startup Wants To Help Users Monetize Their Online Advertising Data

What happens when an ad tech developer partners with a cybersecurity expert to start a new company? You end up with a consumer product that is both a privacy software service and a programmatic advertising ID.

Former FTC commissioner Alvaro Bedoya speaks to AdExchanger Managing Editor Allison Schiff at Programmatic IO NY 2025.

Advertisers Probably Shouldn’t Target Teens At All, Cautions Former FTC Commissioner

Alvaro Bedoya shared his qualms with digital advertising’s more controversial targeting tactics and how kids use gen AI and social media.

Wall Street Turned Against Ad Tech – But May Learn To Love It Again

What can pureplay ad tech companies do to clean up their rep on the Street?

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

AppsFlyer and Roku’s New SRN Integration Will Shed Light On CTV Campaign Impact

Roku and AppsFlyer announced the launch of a new self-reporting network (SRN) integration between both companies, which will allow mobile app advertisers to more effectively measure their streaming video campaigns

Comic: Gamechanger (Google lost the DOJ's search antitrust case)

DOJ v. Google: How Judge Brinkema Seems To Be Thinking After Week One

Where the DOJ v. Google ad tech antitrust trial stands after one week’s worth of remedies arguments.

Swish, A Company That's Bringing Programmatic to Product Sampling, Announces Seed Funding

Swish, a startup that partners with retailers to provide product full-size CPG samples to people doing their grocery shopping online, announces $2.3 million in seed funding.