Home Privacy GDPR Will Be A Day Of Reckoning – But It’s Far From The End Of Days

GDPR Will Be A Day Of Reckoning – But It’s Far From The End Of Days

SHARE:

Forrester principal analyst Fatemeh Khatibloo will speak at AdExchanger’s upcoming Industry Preview conference on Jan. 17-18, 2018 at the Grand Hyatt New York.

If marketers and publishers don’t know how many third-party tags lurk on their sites, Europe’s General Data Protection Regulation (GDPR), which takes effect in May, will change that.

“A client will tell me, ‘We use this vendor and that vendor,’ but then I’ll pull up a Ghostery tracker map on their site and ask, ‘Well, what about these other nine vendors getting your user data – do you also have a contract with them?’” said Forrester principal analyst Fatemeh Khatibloo. “And they’ll say, ‘But we stopped doing business with those companies a year ago.’”

“Well,” she said, “the code is still on their site and it’s still getting data.”

AdExchanger spoke with Khatibloo.

AdExchanger: What is the No. 1 piece of GDPR-related wrongheadedness that makes you crazy?

FATEMEH KHATIBLOO: That GDPR is going to destroy the data brokerage industry. There’s a lot of FUD [fear, uncertainty and doubt] around GDPR, and it’s understandable.

Marketers are notoriously terrible at paying attention [at things that won’t] cost them something. When privacy practitioners try to get marketers and businesses to listen up about GDPR, they talk about the 4% fine. Few will be hit by that, but it’s still being held up as something that will run thousands of companies out of business.

The other bit of baloney I’d really like to see marketers stop parroting is that GDPR doesn’t apply to them. So many clients I talk to have been told, even by their lawyers sometimes, that GDPR doesn’t apply to them, because they don’t do business in Europe – and that is just not true.

The ad tech ecosystem can’t function as is under GDPR. What has to change?

Beyond ad tech, I don’t think the entire advertising and digital ecosystem can continue to operate the way it does. There is too much opacity and marketers need better control of their user data.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

The middleware vendors, those vendors that sit one layer beneath the companies that publishers or advertisers sign contracts with, are at tremendous risk.

That doesn’t necessarily seem like a bad thing.

When publishers tell me they only see something like 12 cents of every dollar spent on advertising on their site – where’s it going? It’s going to the vendors, whether that’s the agency, the DMP, the DSP, the SSP or the layer cake of companies all ostensibly trying to do better targeting and behavioral advertising.

If we agree that they don’t bring enough value to this ecosystem, it changes the balance of advertising. That means more money in the pockets of publishers, better quality ads and fewer, less intrusive ads – and now we’ve actually started to solve the ad blocking problem, too.

Do third-party vendors have any chance at obtaining consent or an opt-in?

Some vendors are hiding behind legitimate interest, anonymization or using data at the aggregate or segment level, but they don’t have a first-party relationship with the consumer. That will fly for some of these guys. What they aren’t considering, though, is whether ePrivacy comes to pass in the format it’s in now.

Millions of lobbying dollars are being thrown at making legitimate interest a legal basis for processing data under ePrivacy, but if that’s not successful, it doesn’t matter if GDPR provides a legal basis. The vendors heading this way are more interested in being compliant with the letter and not the spirit of the law.

How often are European citizens likely to invoke their various data subject rights, like the right to be forgotten, the right to access and the right to object to data collection?

Two things will happen. After the first big media push around the fact that people have these new rights, a whole group of people, mainly armchair activists, will go through every spam email they’ve received and send tons of data deletion requests.

But what’s more interesting to think about are browser plugins people use to get a little more privacy or do some truly incognito browsing. These types of plugins have a not insignificant adoption rate. Very quickly, we’ll see simple tools created that automate deletion and portability requests and it’s going to open up that world to a lot of people who might not otherwise have made requests because it looked too difficult.

May is just a few months off. Where should companies be at this stage in terms of preparation?

There isn’t a single answer and companies have different levels of risk tolerance and exposure.

But if you’re a company with headquarters or employees in Europe, you’d better be 65% to 70% of the way to compliance by now. At this point, you need to be doing UI testing for data management and cookie management and thinking about third-party data disclosure. You should also have named a data protection officer by now and have your data flows completed.

But companies mainly in North America with maybe 1% or 2% of their business coming from Europe a year have limited risk exposure. I’d want them to have started on the process of asking how exposed they are and what they need to do to get their data house in order in case a regulator does come calling, but these are not folks that are going to be compliant by May 25. They’re hanging back and watching to see what enforcement actions the data protection authorities will actually take.

Must Read

After The Election, News Corp Has Harsh Words For Advertisers Who Avoided News

News Corp’s chief exec blasted “the blatant biases of ad agencies and ad associations,” which are “boycotting certain media properties” due to “personal political prejudices.”

LiveRamp Outperforms On Earnings And Lays Out Its Data Network Ambitions

LiveRamp reported an unexpected boost to Q3 revenue, from $160 million last year to $185 million in 2024, during its quarterly call with investors on Wednesday.

Google in the antitrust crosshairs (Law concept. Single line draw design. Full length animation illustration. High quality 4k footage)

Google And The DOJ Recap Their Cases In The Countdown To Closing Arguments

If you’re trying to read more than 1,000 pages of legal documents about the US v. Google ad tech antitrust case on Election Day, you’ve come to the right place.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

NYT’s Ad And Subscription Revenue Surge As WaPo Flails

While WaPo recently lost 250,000 subscribers due to concerns over its journalistic independence, NYT added 260,000 subscriptions in Q3 thanks largely to the popularity of its non-news offerings.

Mark Proulx, global director of media quality & responsibility, Kenvue

How Kenvue Avoided $3 Million In Wasted Media Spend

Stop thinking about brand safety verification as “insurance” – a way to avoid undesirable content – and start thinking about it as an opportunity to build positive brand associations, says Kenvue’s Mark Proulx.

Comic: Lunch Is Searched

Based On Its Q3 Earnings, Maybe AIphabet Should Just Change Its Name To AI-phabet

Google hit some impressive revenue benchmarks in Q3. But investors seemed to only have eyes for AI.