GDPR: The Death Knell For Programmatic Advertising?

Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Mark Roy, founder and chairman at REaD Group.

In a little under a year, the EU General Data Protection Regulation (GDPR) will come into force, and for programmatic advertisers, it foretells an end to the concept of automating relationship building.

The GDPR has been developed to directly address customers’ concerns about the safety of their personal data. Like it or not, anyone in possession of customer data will need to be compliant by next May, when the regulation comes into effect. GDPR contains strict new rules around individual data, including customer consent and their “right to be forgotten.” GDPR will be unforgiving to those who fail to comply; organizations will face astronomical fines of 20 million euros ($24 million) or 4% of annual global turnover, whichever is greater.

I cannot see how programmatic can ever be GDPR-compliant unless it is limited to a small number of organizations, rather like a prospect pool. The GDPR will require advertisers to obtain active consent from customers, which will involve them specifically opting in to, rather than out of, a deal.

While some organizations may be able to circumvent this by limiting premium services to those who opt in for data collection, such as customers agreeing to the collection of cookies, obtaining consent for programmatic advertising is going to cause a real headache. As of next May, if advertisers have not obtained specific consent from individuals, they cannot market to them in any shape or form. 

The “right to be forgotten” rule, in which an individual can have their historic data removed from a database, will leave the programmatic industry with a significant conundrum. In order to be “forgotten,” we must be able to know what needs to be forgotten. Every click, path, transaction, request or click-through must be recorded and be deletable. Therefore, by putting data assets into the ether and allowing thousands of organizations to use it, it is nigh on impossible to comply with the GDPR.

GDPR Doesn’t Just Apply To The EU

The EU’s new privacy rules are likely to disrupt the global digital marketing scene by preventing companies from using an EU citizen’s data unless they have obtained their direct consent. This will apply to the data of every EU citizen, regardless of where in the world their data is being used or stored. This means that US companies, such as Facebook and Google, which no doubt possess a large amount of EU citizen data, will have to pay attention to the regulation across the pond and take the same steps as everyone else to become compliant.

The target in the crosshairs of the EU rifle has always been and will be the US tech behemoths. When I first engaged with the EU on this years ago and was talking to legislators in Brussels, it was shortly after Mark Zuckerberg had decided that all those pictures, stories and photos on Facebook belonged to the company and not the millions of EU citizens who had posted them. Legislators were apoplectic, but even more determined to tackle the issue head-on.

What Does The Future Hold For Advertisers?

Overall, it is clear that every organization in possession of customer data will be affected by the GDPR. The programmatic advertising sector will feel the regulation the most due to the data requirements it needs for targeting. The GDPR is likely to shift advertising away from the algorithmic models of communicating, back toward a simpler form of advertising, relying on less volume and better-quality data.

I predict programmatic technology will be used in a far more limited way and largely in a retention and customer management environment, and there will be a return to a more personal touch in advertising facilitated by human beings rather than machines.

GDPR will herald a new era of greater trust between organizations and customers still willing to share personal data to access tailored services. Organizations need to clearly explain to customers how their data will be used and how they can expect to benefit from it.

Follow REaD Group (@REaD Group) and AdExchanger (@adexchanger) on Twitter.

4 Comments

  1. Thanks Mark - interesting blog. With regards to your comment on advertisers not being unable to market if they haven't obtained consent from the individual, that would only be the case if it had been determined that Consent was the legal basis for processing. It could of course be deemed by the advertiser that legitimate interest were the legal basis for processing, and as direct marketing is defined as a legitimate interest, lack of consent wouldn't be an issue.

    Reply
    • john smith

      Rachael, direct marketing is not by default a legitimate interest, and it will be hard in many cases to make that argument although you are right to raise it as an alternative to consent.

      Reply
  2. Hi Mark - you are quite right to highlight the challenges programmatic advertising will face under the GDPR. But it's not quite correct to say that "if advertisers have not obtained specific consent from individuals, they cannot market to them in any shape or form." This only applies if advertisers want to collect data considered Personal Information under the GDPR. Advertiser who want to profile users, remarket to users or apply behavioural targeting techniques will indeed be affected. But the GDPR does not impact contextual advertising or any other zero-data approach to serving ads. So there are plenty of ways to continue legitimately and legally advertising programmatically - you just have to apply the right technologies.

    Reply
  3. GDPR is certainly going to impact some aspects of programmatic implementation, but programmatic isn't purely about data informed strategies. It's also about context and workflow efficiencies. Programmatic as part of the media mix, is broad and made up of many different strands.

    Reply

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>