The May deadline to comply with Europe’s General Data Protection Regulation (GDPR) is swiftly approaching, and ad tech and security startups are forming a new industry: privacy tech.
Companies like PageFair, Evidon, Prifender, Tealium and Segment hope to capitalize with GDPR compliance solutions for brands, publishers and even other ad tech vendors.
The International Association of Privacy Professionals and Ernst & Young estimate that members of the Fortune 500 alone will spend just shy of $8 billion on GDPR compliance efforts.
But before 2015, when it became clear that the EU would adopt GDPR, the privacy tech industry didn’t exist, said Sagi Leizerov, chief data solutions officer at Prifender, a privacy technology company that opened that same year.
“GDPR’s been a real boost,” said Leizerov, who spent 16 years as global privacy lead at EY before joining Prifender in May.
GDPR compliance tech, however, comes in many different flavors.
Block It All
PageFair, for example, an Irish company known primarily for its anti-ad-blocking technology, launched a solution on Tuesday that helps publishers manage data leakage and third-party tracking, both of which are major compliance tripwires under GDPR.
Dubbed Perimeter, the offering neutralizes all GDPR risk by blocking everything, then whitelists trusted partners and enables RTB using segments that aren’t reliant on personal data.
Perimeter automatically removes data-leaking JavaScript from ads before they’re rendered and prevents unauthorized third parties from accessing personal data. Ads are intercepted server-side by PageFair, which strips out anything executable, and then rendered in the browser as a PNG or JPEG.
The solution might sound drastic, but it’s the only way for a publisher to ensure it complies with GDPR by May, said Johnny Ryan, PageFair’s head of ecosystem.
“Asking for consent is meaningless if users have no idea where their data is showing up,” he said.
Managing Consent
Digital governance provider Evidon, however, is taking a very different tack with a solution that aims to help companies obtain consent with enough transparency to satisfy the requirement for clear, concise language and ease of use under GDPR.
Evidon’s universal consent platform lets companies deploy a tag that automatically provides site visitors with notice and choice disclosures and a place where they can opt in to data collection, see what’s being collected and modify what’s being tracked.
“Any form of third-party cookies now count as personal data, so anonymization will be essential to how the ecosystem works, but you still need consent if you don’t have legitimate interest,” said Scott Meyer, founder of Evidon and president of digital governance at Evidon’s parent company, Crownpeak.
Meeting Your Match
How many John Smiths are there in the world? Doubtlessly quite a lot, Prifender’s Leizerov said, and it can be difficult to tell the difference between them within a single system, let alone millions of identities spread out across multiple networks.
Prifender uses what the company calls “identity-aware software” and artificial intelligence to map and match personal data from multiple places within an enterprise and tie it together with the right identity and any related opt-outs or preferences. That gives Prifender the ability to handle GDPR requirements, like cross-border data transfers and the deletion of data.
“When we stumble on a John Smith, we can identify whether it’s John Smith No. 5,847 or if it’s a new John Smith altogether,” Leizerov said. “We then associate those identifiers with the right restrictions.
The profiles also contain information on where each data point is housed within a particular system, where the copies are located, when the data was last updated, how the data is being maintained and which people within an organization have access to and use this data, whether that’s employees or vendors.
Protection Through Consolidation
Tealium is developing a GDPR offering that hinges on tag management, the company’s historical bread and butter.
Because Tealium helps manage customer data across multiple platforms, it can serve as a “central repository for everything that’s known about a consumer,” said Mike Anderson, the company’s CTO and founder.
From that vantage point, Tealium can help its customers manage opt-outs across channels, Anderson said.
Data platform Segment launched a conceptually similar compliance solution in November, the purpose of which is to help its clients honor the rights of data subjects under GDPR, including the right to be forgotten and the right to restrict data processing.
Segment’s main tech acts as what CEO and co-founder Peter Reinhardt calls “a data layer” that allows brands to combine their data from multiple sources into a single spot. The compliance feature Segment added to its platform enables brands to easily delete a customer’s data across all of their systems at once and automatically suppress a user from being tracked in future.
Eighty-two percent of European data subjects plan to exercise their rights under GDPR to limit, view or erase the information that businesses collect about them, according to a December report from Pegasystems.
“GDPR is a really big piece of legislation with a lot of different surface areas and quite a few gaps,” said Chris Sperandio, a product manager at Segment. “The biggest thing I’ve heard echoed across our customer base is a desire to minimize their risk profile.”
Expect the privacy tech industry to answer that call as the clock ticks down to GDPR implementation in May. Some of the solutions will be legit and others will bubble up from the snake oil pit of ambulance chasers, Prifender’s Leizerov said. That’s just inevitable.
And what’s also sure is that “we’ll be in this GDPR phase for a while – it’s not over in 2018,” Leizerov said. “We’re just in the early implementation stage, and I don’t see it plateauing or going back to normal until at least 2020.”