Home Privacy Data Onboarders Have A Tough Road Under GDPR

Data Onboarders Have A Tough Road Under GDPR

SHARE:

Data matching and cookie syncing aren’t verboten under the General Data Protection Regulation (GDPR) but getting the consent to do it is another story altogether, since consumers need to know exactly what they’re signing up for when they provide unambiguous and specific consent.

Like most vendors in the ad tech ecosystem, companies that onboard data and perform cookie syncs, like LiveRamp, Adobe, Neustar and others, have generally relied on opt-out mechanisms in the past. Users are tracked by default, and if they don’t want to be, they’ve got to actively say “no mas.”

“The requesting of vague or blanket consent will not suffice,” said Robin Caller, CEO of lead-gen and data company Overmore Group. “And the need to be more granular will be a challenge for onboarders.”

Agree (to disagree?)

It’s hard to imagine how any third-party data processor has a snowball’s chance of clearly and concisely spelling out the specifics and value of what they do to the average consumer. That’s why IAB Europe and the IAB Tech Lab are attempting to help vendors enlist their publisher partners in the quest for consent.

But data onboarding vendors are controllers, at least when they’re dropping their own cookies and operating an identity graph with data coming in from multiple sources. And controllers are either responsible for getting consent themselves, when consent is the legal basis being used for processing, or their first-party partners need to mention them by name in their own consent requests.

Now figure out a way to explain to consumers that their offline data is being collected, hashed and cleverly matched with online cookies to target them with personalized advertising and that a company they’re probably not familiar with is also maintaining an identity graph that aggregates their data and stitches it together across hundreds of different platforms, data providers, publishers and brands.

“The whole benefit of onboarding is to take the friction away from moving data around and the nature of a graph is that the data is from many sources – but marketers may not have explicit consent to push data to a given controller,” said Ari Paparo, CEO of Beeswax. “It seems to me that they’d need to rebuild their graph with consent from each input and that’s, like, impossible.”

Sheila Colclasure, global chief data ethics officer and public policy executive for Acxiom and its subsidiary, LiveRamp – the biggest data onboarding vendor on the block – recognizes the challenge that third parties face in their reliance on first parties to gain consent.

LiveRamp uses consent as its legal basis for dropping cookies. But Colclasure claims the company is in a good position to obtain consent through its large ecosystem of third-party partners that work directly with companies that themselves have first-party relationships.

“Consent is a challenge, no question, but it will not have an impact on our ability to operate,” said Colclasure, who declined to comment on rumors that Acxiom is looking to sell LiveRamp, a potential move some have theorized could be connected to the burden of GDPR compliance.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Prove it, hash it

But compliance is not just about obtaining the consent. Controllers are required to perform “rigorous checks” that their contracted partners are compliant.

Even if controllers get consent, they must document the process and, if asked, provide evidence of consent to all of the parties with whom personal data is being shared. For onboarders, that means needing to be able to explain and name all of the firms they partner with, Caller said.

“There will certainly be a greater administrative burden on onboarders, because they will be responsible not just for contracting the suppliers to ensure that cookies are dropped legally, but they will also be responsible for ensuring that these suppliers remain compliant,” Caller said.

According to Colclasure, LiveRamp has invested a great deal of time and effort educating its network of third-party partners and also checking to make sure they’re “maintaining the pseudonymity of the data.”

Because proper pseudonymization, also known as hashing, is crucial for GDPR compliance.

As a privacy precaution, onboarders hash the data they ingest from their clients as a matter of course. Hashing is encouraged under GDPR, but hashing alone isn’t enough to satisfy European regulators.

Hashing cookies and then matching them using the hash is pointless, and if it’s possible to re-identify pseudonymized data with reasonable effort, that data is considered personal under GDPR, and the compliance stakes rise.

Network of networks

Onboarders face some of the same problems as cross-device providers, which have been pivoting away from media in the lead-up to GDPR.

A company like Drawbridge, for example, is similar to a company like LiveRamp, in that they both onboard data across channels and use encrypted personal information to link a network of publishers, brands and cookies across channels. And therein lies the rub, said Paul Cimino, head of global data strategy at Prohaska Consulting.

“Even as large as LiveRamp is, it’s still not the entire internet and it’s nowhere near as large as Facebook or Google, and so it’s a network of networks,” Cimino said. “And that is the real thing under pressure here – the opacity of networks – whether we’re talking about an ad network or an identity network. We’re going to see this clear up over the next couple of years.”

Must Read

Google in the antitrust crosshairs (Law concept. Single line draw design. Full length animation illustration. High quality 4k footage)

Google And The DOJ Recap Their Cases In The Countdown To Closing Arguments

If you’re trying to read more than 1,000 pages of legal documents about the US v. Google ad tech antitrust case on Election Day, you’ve come to the right place.

NYT’s Ad And Subscription Revenue Surge As WaPo Flails

While WaPo recently lost 250,000 subscribers due to concerns over its journalistic independence, NYT added 260,000 subscriptions in Q3 thanks largely to the popularity of its non-news offerings.

Mark Proulx, global director of media quality & responsibility, Kenvue

How Kenvue Avoided $3 Million In Wasted Media Spend

Stop thinking about brand safety verification as “insurance” – a way to avoid undesirable content – and start thinking about it as an opportunity to build positive brand associations, says Kenvue’s Mark Proulx.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Comic: Lunch Is Searched

Based On Its Q3 Earnings, Maybe AIphabet Should Just Change Its Name To AI-phabet

Google hit some impressive revenue benchmarks in Q3. But investors seemed to only have eyes for AI.

Reddit’s Ads Biz Exploded In Q3, Albeit From A Small Base

Ad revenue grew 56% YOY even without some of Reddit’s shiny new ad products, including generative AI creative tools and in-comment ads, being fully integrated into its platform.

Freestar Is Taking The ‘Baby Carrot’ Approach To Curation

Freestar adopted a new approach to curation developed by Audigent that gives buyers a priority lane to publisher inventory with higher viewability and attention scores than most open-auction inventory.