Ad tech vendors offer customers rosy pictures of GDPR compliance
Any ad tech vendor clinging to the notion that legitimate interest alone will render them compliant for the General Data Protection Regulation may need to think of a plan B — and fast.
Less than four months remain until GDPR enforcement, yet confusion remains about compliance and how the regulation will be enforced, at least in some quarters.
It appears that location-based ad tech vendors are among those in the worst pickle, with many claiming loudly that their businesses comply with the GDPR under its “legitimate interest” clause, according to sources. In doing so, they hope to skirt some of the more arduous hurdles around obtaining consumer consent for data use. While some businesses will be able to claim a legitimate interest in using people’s data without having to seek explicit permission, no ad tech vendor that relies on bid-stream data to create segments and audiences can use the legitimate-interest loophole.
But that is indeed what many are doing, according to sources. The lack of detail on how the GDPR will be enforced has lulled some into a false sense of security, which could backfire on them later.
“If a [location] ad tech vendor tells you they can use legitimate interest and they can’t explain why, they’re morons and don’t understand at all what GDPR means,” said one ad tech executive, who spoke on condition of anonymity. Most location vendors that rely on bid-stream data are claiming legitimate interest, with nearly none of them having grounds for doing so, the executive added.
Some agency groups have sent out RFPs for location data, and responses from location vendors have not impressed them regarding plans for making their businesses compliant with the law, according to sources. “They’re [agencies] getting high-level claims of legitimate interest but no real meat on the bones,” said the same executive. “It will likely result in agencies culling [location] vendors.”
Some third-party vendors have appeased agencies, saying they are reducing their dependence on bid-stream data. Regardless, agencies aren’t satisfied. “The feedback you get with [independent] tech providers is way too high-level,” said a senior media agency executive, who preferred to stay anonymous. “They say they’re 100 percent compliant or that they have these ‘high-level’ principles, but they don’t really answer my questions around what levers they have in place to act on the right to be forgotten, for example, or to send me all the ways they process data.”
If the vendors are important partners to this agency group, then they’ll undergo data protection impact assessments to assess whether they’re compliant, according to the same agency executive. “If they’re not important partners, we will drop them.”
To some extent, it’s understandable that some vendors are latching on to legitimate interest as a get-out-of-jail-free card: Details on how the GDPR will be enforced remain broad, leaving companies searching for loopholes. “Companies risk being wiped out partially, if not entirely, and many are fighting tooth and nail, climbing mirrors to avoid the collapse of their commercial relationships, buying time and getting some oxygen while waiting to see what will happen,” said a media executive, who spoke on condition of anonymity.
But the core rules seemingly ignored by vendors assuming they are safe under legitimate interest are clear: A business must balance its interests against an individual’s when determining if it has a legitimate interest in using the individual’s data. Data processing must be necessary, and if other methods of achieving the same result are feasible, then legitimate interest won’t apply.
“Legitimate interest can’t protect people,” said Amir Malik, digital marketing lead at Accenture. “The permission procedure is to remove all ambiguity, and legitimate interest is rigidly defined, so can’t be used as a hack. Consent is ultimately required.”
In short, attempting to hide behind legitimate interest won’t work in the long run. Instead, vendors should be proactive in finding ways to use the GDPR as an opportunity to clean up their processes. “Rather than try to slip through the net of GDPR, the ad tech sector should rather reinvent itself, focusing its energy in developing new solutions that fulfill the need for more genuine, earned and not forced engagement with audiences, serving publishers’ and advertisers’ legitimate interest and not their own,” said Alessandro De Zanche, independent consultant and former News UK executive.
Member ExclusiveDigiday Research: Over half of brands say they handle marketing ‘mostly’ with internal resources
Digiday’s quarterly benchmarking survey found that about 83% of marketers are managing their marketing either mostly in-house or completely in-house. That's up from the 55% of marketers six months ago who said the same.
Member Exclusive‘Our job is to sell’: Marketers, moving past coronavirus response, return to selling products
Marketers need to get back to the job at hand: Keeping the squeaky wheels of capitalism turning.
‘We lose track of time’: How agencies are helping employees with mental health issues now
Agencies across the country are finding ways to help employees manage their mental health needs now due to the coronavirus pandemic.
SponsoredVideo advertisers are turning to format innovation to push beyond interruptive experiences
In a new video, experts from GumGum, The Martin Agency and Pinterest discuss the future of video advertising — and outline their vision for how video ads can be less disruptive.
The Bundesliga offers sponsors and broadcasters a sanitized glimpse as to how sports will restart
Viewing figures for Germany's top soccer league have soared. The league, clubs and sponsors are adapting with more digital marketing and interactive in-game features.
‘I carry my phone to the bathroom’: How remote work can foster a new kind of ‘presenteeism’
It’s a problem rife across organizations exacerbated by our current virtual, distributed lives. Call it the rise of virtual presenteeism, the need to be “present” at all times and demonstrating that through “always-on” availability, despite not fully functioning.