GDPR is coming, and data management platforms are in the crosshairs
Data management platforms play an increasingly important role in helping digital marketers find high-value audiences, largely based on third-party data collection without much transparency. But with the General Data Protection Regulation being enforced in May, DMPs may face a tough battle to obtain third-party data.
“There is much more legal work ahead for DMPs, especially between them and their data providers,” said Maciej Zawadzinski, CEO of Poland-headquartered ad tech firm Clearcode. “Third-party data will become less accessible because of GDPR, which is likely to cause DMPs to focus more on first-party and second-party data. But it doesn’t mean that third-party data will become irrelevant, or DMPs will stop relying on it.”
Becky Burr, chief privacy officer for Neustar, believes that GDPR will have a significant impact on DMPs and ad tech companies in general. This is because ad tech companies are known to process data based on inferred consent through opt-out mechanisms, but GDPR makes reliance on individuals’ consent as the lawful basis for processing data, according to Burr. “In addition, enhanced data subject rights in the form of access, correction, erasure, and portability will require more robust consumer-facing portals and may create additional processing overhead [for DMPs] in some situations,” said Burr.
Douglas McPherson, chief legal officer for OpenX, thinks that whether — and how — the GDPR will affect DMP operations boils down to how a company defines its role under the regulation: Is it a “data controller” that “determines the purposes and means of the processing of personal data?” Is it a “data processor” that “processes personal data on behalf of the controller?” Or is it a “data subprocessor” that a data processor engages to conduct further processing in addition to what the data processor is doing? The role determines how and why a company collects personal data, said McPherson. For instance, the data processor can’t engage the subprocessor without informing the data controller.
McPherson believes that while DMPs typically act like data processors, they will also be viewed under the GDPR as data controllers in some cases, like when they collect data from credit card companies, look for users’ purchase patterns, create user profiles and then create data products to sell, for instance. And as data controllers, DMPs will have lots of legal responsibilities under the GDPR, like maintaining records of data-processing activities, as well as implementing an internal policy on handling data and data security.
“Some of those things are required by GDPR’s predecessor as well, but few companies took the regulation seriously because there were no significant financial penalties,” said McPherson. “But GDPR will change that. If there’s a data breach, for example, data controllers will get a fine of €20 million [$24 million] or 4 percent of their global revenue.”
In addition to the role of DMPs under the GDPR, the definition of user consent also determines the regulation’s impact on DMPs. “For now, it’s unclear what type of consent is adequate for GDPR purposes — we are told that there will be further guidance on consent over the upcoming months,” said McPherson. “If GDPR requires more robust consent than the existing laws, DMPs may need to ask brands and publishers they work with to obtain explicit consent from individuals, or DMPs can look for first-party data or other data sources.”
While Burr thinks that changes in the treatment of consent under the GDPR are “an important derogation” for DMPs that usually aggregate and analyze pseudonymised website data and log data on publisher, retailer, and advertiser websites. “Because IP address may be personal data under EU data protection law, Neustar stores them for 10 days or less, keeping only truncated or hashed IP addresses for our products and services,” said Burr.
Tiffany Morris, general counsel and vp of global privacy for Lotame that has a DMP business, also believes consent can work smoothly in a first-party relationship, but it is hard to track consent in a third-party relationship, where data may flow into different parties’ hands. “We are talking to our data providers to understand how they interpret GDPR, how they obtain consent and if they follow the IAB consent mechanism,” said Morris.
DMPs like Neustar and Lotame already started adding GDPR-specific language to vendor contracts with their data providers. But Morris thinks the real challenge for DMPs is how they interact with data providers technically. “In many cases, the DMP is acting solely as the processor who is processing first-party data at the direction of the controller or the client. In some instances, however, a DMP may act as a data controller,” said Morris. “GDPR makes it clear that both the data controller and the data processor are responsible for personal data. But we don’t have technical means to validate how [our data providers] obtain consent.”
Despite these challenges, ad tech executives and legal counsels interviewed for this story believe the GDPR creates opportunities for quality data and better data management. They also think the regulation will lead to consolidation in the ad tech space, as media buyers feel pressure to cut vendors that are not GDPR-compliant.
“There’s lots of negativity about GDPR in press, but it’s a positive thing to me,” said Nick McCarthy, svp of data solutions for agency Merkle’s operations in Europe, the Middle East and Africa. “There’s lots of work to do, but it pushes people to be responsible.”
‘The sky is very blue:’ Why U.S. beauty brands see global opportunity, along with challenges, for CBD products
Despite regulatory challenges, brands in the CBD beauty market are forging ahead as demand for the products remains promising.
Brands rethink their in-housing plans after tactic was ‘put on ice’ amid pandemic
Brands had begun in-housing efforts before the pandemic put those plans on ice. The strategy shift has worked in agencies favor, as brands are returning to their shops to guide marketing efforts.
Member ExclusiveMarketing Briefing: How marketers and agency execs are approaching vaccine awareness campaigns
Marketers and agency execs are taking more care with the language and strategy of campaigns due to the politicization of the vaccine.
SponsoredWhat sustainable app monetization looks like in 2021
Apple’s iOS 14 changes are driving significant shifts in the app ecosystem. For gaming businesses, these new changes will make it challenging to show targeted ads. That said, the mobile game economy continues to boom, and analysts predict long-term growth; global in-app ad revenue in 2021 will rise by 6.2% for non-gaming apps, and 19.1% […]
‘Dispensaries knew they had to change’: How the cannabis industry adapted in the pandemic
Pandemic stress and new legalization led to a lift in cannabis use last year and businesses have pivoted to adapt to those trends with new marketing.
‘We don’t post much organic content’: Pepsi sees TikTok as a pay-to-play platform
PepsiCo is seeing success on TikTok as a pay-to-play platform, which is using the platform to release popular challenges for users.