With its $4.4 billion acquisition of Epsilon/Conversant, Publicis Groupe becomes a data controller – and that ups the regulatory ante under the General Data Protection Regulation and, likely, any other privacy legislation that comes down the pike.
Controllers, in GDPR parlance, determine how and why personal data is processed. Controllers are also required to establish a legal basis for the processing of data, which usually means being responsible for collecting and managing consent, if consent is what’s called for.
It’s the controller’s job to make sure that its data processor partners are doing a proper job under the law.
Being classified as a controller is a new look for Publicis, which before arguably had some level of plausible deniability as a processor in that it didn’t actually own any client data.
Publicis is “not used to that position, and I don’t know how much bandwidth Epsilon’s privacy team has to manage how their data is going to be used across the whole ecosystem,” said Fatemeh Khatibloo, a VP and principal analyst at Forrester.
And the heat is only set to get hotter not just in Europe, but in the United States and countries all over the world.
“The pendulum of consumer data privacy continues to trend toward more regulation, more oversight and more complexity,” said Mykolas Rambus, general manager of Equifax’s data-driven marketing business. “Any organization working with consumer data must be focused on the evolving regulatory landscape, not just to manage risk, but to fulfill data ethics obligations on behalf of consumers.”
But the data assets that Publicis is bringing on board with its mega acquisition – including pseudonymized identifiers for consumer IDs that connect to first-party transactional data – could be viewed as the opposite of a liability.
Keeping data close to home means Publicis has more direct oversight of it, said Jason Bier, who spent more than seven years as chief privacy officer at Conversant before joining digital consultancy The Engine Group as EVP and chief data and privacy officer in 2016.
“Large companies that are responsible for large brands often come to find that there’s a risk and some level of exposure in working with third parties,” Bier said. “But if they become responsible for those assets, they can do what’s necessary to protect the brands that use them.”
Even so, Publicis and all the other holding companies that have been acquiring data businesses as of late – IPG with Acxiom and Dentsu with Merkle – would do well to be cautious, said Johnny Ryan, chief policy and industry officer at Brave.
A smarter strategy might be for global agencies to “develop sophisticated ways to use clean, safe ‘non-personal’ data that is out of GDPR’s scope and exposes agencies and their clients to no shred of risk,” Ryan said. “Alternatively, they could start building relationships with prospective consumers to collect high-quality data of unimpeachable provenance – betting on the data collection business-as-usual is a bad bet.”
Conversant and Epsilon undergo rigorous annual independent audits conducted by PricewaterhouseCoopers to ensure the right processes are in place so that personally identifiable information (PII), of the online or the offline variety, never makes its way into a user profile.
But PII is an American term of art. Under GDPR, there’s a broader concept of personal data, which includes any information that can be used to identify a person, like location data or mobile device IDs.
Ryan pointed to a page on Conversant’s website, which claims that its solution “starts with recognizing millions of real people across all their devices and browsers, and assigning each of them a unique, privacy-protected Core ID.”
“One would have to be very confident about the provenance of these data to feel any degree of comfort about this acquisition,” Ryan said.
But Publicis’ Epsilon acquisition doesn’t immediately open itself up to a higher degree of GDPR-related scrutiny, said Wolfie Christl, a data privacy expert and founder of Cracked Labs, a nonprofit think tank based in Vienna. Publicis isn’t a total noob. It already owns “highly exposed data businesses,” such as Sapient and RUN, Christl said.
“It depends on how they integrate Epsilon’s US business and how they will expand it to Europe, if they expand it to Europe,” he said. “But the Epsilon acquisition may draw attention to the public debate – it’s known as a data broker, it manages loads of personal information and it once provided data to Facebook.”
Conversant declined to comment for this story.
