Europe’s General Data Protection Regulation (GDPR) will kill the third-party data ecosystem. Or third-party data isn’t going anywhere.
The truth sits somewhere in the middle, said Alice Lincoln, MediaMath’s VP of data policy and governance, at AdExchanger’s Programmatic I/O in San Francisco on Wednesday.
“Third-party data is here to stay – if it’s high-quality,” said Lincoln, who’s both a man and a woman – if you go by the data floating around about her in the third-party ecosystem. She’s been targeted as both.
Patrick Salyer, CEO of SAP-owned Gigya, is slim and around six feet tall, but when he looked up what data the brokers have on him, “weight-loss products” was listed as an interest.
“I question the validity of third-party data moving forward,” Salyer said. “The brands we’re working with, including large CPGs, are realizing that a direct digital connection with consumers is extremely important – in fact, it’s a differentiator.”
Third-party data has been having a hard time lately.
Post-Cambridge Analytica, Facebook decided to kill third-party partner targeting through its platform to the great consternation of data brokers, like Acxiom. And with GDPR coming down the pike, advertisers are increasingly looking inward to foster their first-party relationships.
But that doesn’t mean third-party data is circling the drain in a GDPR world.
Some brands will always need to supplement with third-party data, and the data will just have to get cleaner out of necessity. Not every brand has enough first-party data to power a digital advertising strategy, said Fatima Khan, chief privacy officer at Demandbase
“I don’t want to go to a website and for it to think that I’m a man in his 40s,” she said. “Third-party data … is an important thing, but it will need to be fixed going forward.”
GDPR will help by encouraging data controllers to shore up their supply chain partners, as it lists clauses that have to be included in data protection agreements, including a requirement for processors to help their controllers fulfill data subject requests and cooperate in the case of a breach.
But third-party vendors shouldn’t just sign whatever lands on their desk, said Emily Jones, a data privacy and technology partner at law firm Osborne Clarke LLP, where she leads the Silicon Valley office.
GDPR codifies what should be in these agreements, but that “doesn’t mean every agreement looks the same,” she said. “Be careful about what you’re asked to sign, and don’t just assume it’s covering the bare minimum. We’ve seen a lot of companies try to include additional obligations.”
But the risk cuts both ways.
In doing its due diligence on partners, MediaMath has seen some try to claim in their written responses that they’re 100% GDPR compliant already – and there’s just no way that’s true.
“I have to call BS on that,” Lincoln said. “I don’t think anyone can say that with certainty at this point. The spirit of GDPR is clear, but what that means practically is unclear. May 25 is just the beginning of how regulation will be implemented and applied, especially across an ecosystem as complex as ours is.”