GDPR is coming, and data management platforms are in the crosshairs
Data management platforms play an increasingly important role in helping digital marketers find high-value audiences, largely based on third-party data collection without much transparency. But with the General Data Protection Regulation being enforced in May, DMPs may face a tough battle to obtain third-party data.
“There is much more legal work ahead for DMPs, especially between them and their data providers,” said Maciej Zawadzinski, CEO of Poland-headquartered ad tech firm Clearcode. “Third-party data will become less accessible because of GDPR, which is likely to cause DMPs to focus more on first-party and second-party data. But it doesn’t mean that third-party data will become irrelevant, or DMPs will stop relying on it.”
Becky Burr, chief privacy officer for Neustar, believes that GDPR will have a significant impact on DMPs and ad tech companies in general. This is because ad tech companies are known to process data based on inferred consent through opt-out mechanisms, but GDPR makes reliance on individuals’ consent as the lawful basis for processing data, according to Burr. “In addition, enhanced data subject rights in the form of access, correction, erasure, and portability will require more robust consumer-facing portals and may create additional processing overhead [for DMPs] in some situations,” said Burr.
Douglas McPherson, chief legal officer for OpenX, thinks that whether — and how — the GDPR will affect DMP operations boils down to how a company defines its role under the regulation: Is it a “data controller” that “determines the purposes and means of the processing of personal data?” Is it a “data processor” that “processes personal data on behalf of the controller?” Or is it a “data subprocessor” that a data processor engages to conduct further processing in addition to what the data processor is doing? The role determines how and why a company collects personal data, said McPherson. For instance, the data processor can’t engage the subprocessor without informing the data controller.
McPherson believes that while DMPs typically act like data processors, they will also be viewed under the GDPR as data controllers in some cases, like when they collect data from credit card companies, look for users’ purchase patterns, create user profiles and then create data products to sell, for instance. And as data controllers, DMPs will have lots of legal responsibilities under the GDPR, like maintaining records of data-processing activities, as well as implementing an internal policy on handling data and data security.
“Some of those things are required by GDPR’s predecessor as well, but few companies took the regulation seriously because there were no significant financial penalties,” said McPherson. “But GDPR will change that. If there’s a data breach, for example, data controllers will get a fine of €20 million [$24 million] or 4 percent of their global revenue.”
In addition to the role of DMPs under the GDPR, the definition of user consent also determines the regulation’s impact on DMPs. “For now, it’s unclear what type of consent is adequate for GDPR purposes — we are told that there will be further guidance on consent over the upcoming months,” said McPherson. “If GDPR requires more robust consent than the existing laws, DMPs may need to ask brands and publishers they work with to obtain explicit consent from individuals, or DMPs can look for first-party data or other data sources.”
While Burr thinks that changes in the treatment of consent under the GDPR are “an important derogation” for DMPs that usually aggregate and analyze pseudonymised website data and log data on publisher, retailer, and advertiser websites. “Because IP address may be personal data under EU data protection law, Neustar stores them for 10 days or less, keeping only truncated or hashed IP addresses for our products and services,” said Burr.
Tiffany Morris, general counsel and vp of global privacy for Lotame that has a DMP business, also believes consent can work smoothly in a first-party relationship, but it is hard to track consent in a third-party relationship, where data may flow into different parties’ hands. “We are talking to our data providers to understand how they interpret GDPR, how they obtain consent and if they follow the IAB consent mechanism,” said Morris.
DMPs like Neustar and Lotame already started adding GDPR-specific language to vendor contracts with their data providers. But Morris thinks the real challenge for DMPs is how they interact with data providers technically. “In many cases, the DMP is acting solely as the processor who is processing first-party data at the direction of the controller or the client. In some instances, however, a DMP may act as a data controller,” said Morris. “GDPR makes it clear that both the data controller and the data processor are responsible for personal data. But we don’t have technical means to validate how [our data providers] obtain consent.”
Despite these challenges, ad tech executives and legal counsels interviewed for this story believe the GDPR creates opportunities for quality data and better data management. They also think the regulation will lead to consolidation in the ad tech space, as media buyers feel pressure to cut vendors that are not GDPR-compliant.
“There’s lots of negativity about GDPR in press, but it’s a positive thing to me,” said Nick McCarthy, svp of data solutions for agency Merkle’s operations in Europe, the Middle East and Africa. “There’s lots of work to do, but it pushes people to be responsible.”
‘How much do we want to get screwed?’: Confessions of an agency exec on lack of payment due to coronavirus
In the latest edition of our Confessions series, we hear from one agency exec who says that the “times are tough” excuse for late client payments isn’t cutting it anymore.
‘Doubling down’: Inside the 49ers social and digital rush to replace lost in-stadium marketing dollars
Without the ability to deliver ads to the 70,000 fans who attend games in-person, the 49ers have had to pivot to focus on digital and social channels.
Member Exclusive‘Can’t really be ignored’: Marketers and media buyers are finally taking the on-going TikTok saga seriously
Marketers and media buyers have said that as long as people are still on TikTok they’ll want to be there, especially as they try to diversify from Facebook and Google.
SponsoredB2B events were broken before the pandemic, their online reinvention is creating positive change
Kim Darling, executive producer, Inbound Farewell lanyards, business cards and branded pens — it’ll be some time before people get their hands on these souvenirs of in-person events again. As the COVID-19 pandemic continues to transform the way people work, buy, sell, socialize and entertain themselves, the global events industry is facing its biggest-ever challenge. […]
‘Clever about how we rest’: As uncertainties drag into fall, agencies are facing a burnt out and fearful workforce
Agency employees and executives say that a feeling of fatigue due to the on-going uncertainty and the need to be always on has set in.
‘A credible voice’: Why Honda is doubling down on esports
Honda has struck deals with Riot Games, pro esports team Team Liquid and Twitch as it looks to maintain its appeal among first-time car buyers.