For better or worse, preparing for the General Data Protection Regulation is a do-it-yourself exercise for advertisers in the absence of stronger direction from regulators.
Unclear guidance on the finer GDPR points, like when and how consent must be obtained and updated, kept advertisers in a holding pattern for much of 2017. Marketers, publishers and ad tech companies expected the latest round of guidelines, a draft of which was released in early December, to shed further light on how to plan for obtaining consent under the regulation, only to be disappointed with more vagueness. The ad industry won’t get those answers until sometime after Jan. 17, when feedback to the latest version of the guidelines is gathered and then adopted by the regulator.
Ad execs spent much of 2017 flitting between panic and confusion over when they need to get consent to process personal data and when they have legitimate business interests to process data without permission under the wide-ranging regulation. Understanding changes to what consent is required is the biggest issue, agreed several data privacy experts interviewed for this article. Confusion also exists around when legitimate interests can be claimed when consent is otherwise difficult or impossible to obtain. There is no guidance on how strict the legalities of legitimate interests will be, which makes it tough to determine how to build watertight data protection processes into a business, according to Jonathan Clough, data compliance specialist at Intermarketing Agency.
Until more guidance emerges, the pressure is on advertisers to lean on their own internal expertise. L’Oréal ended 2017 with a data privacy officer in all its Western Europe markets, including the U.K., France and Germany, while other businesses like Warner Bros., McDonald’s, The New York Times and Snap have made GDPR expertise a key requirement for data privacy experts they’re recruiting. That influx of expertise is already helping advertisers clarify what they can and can’t do with consent and privacy preferences, areas that Stéphane Bérubé, L’Oréal’s CMO for Western Europe, believes should be key objectives for the ad industry in 2018.
“I don’t think the [ad industry] has done a good enough job convincing and explaining to the consumer why sharing their data can be good for them,” Bérubé said. “GDPR is a good thing if we explain to the consumer that their data will lead to personalization and relevancy without intruding on their privacy.”
Now that larger advertisers like L’Oréal, Panasonic and Lloyds Bank have a firmer grip on how their data is collected and managed, their marketing teams are focused on communicating the value people get in return for sharing their data.
Due to the amount of publicity the GDPR will get in May, consumers will pay more attention to the consent notices they read from businesses. If the notices are not trustworthy and explicit, then those businesses risk losing customers’ data, warned Adam Rubach, the U.K. managing director for mobile data platform Ogury. On the flip side, Rubach reasoned that if notices are written “in plain English” and are “very transparent about the data that is being requested and not hidden away in pages of legal text,” then that will likely make the end user feel more comfortable.
Creating that “consent experience” is new territory for many marketers because historically that experience was not as transparent and simple as it must be in a few months, said Ian Woolley, chief revenue officer at Ensighten, a data and tag management provider, which works with TUI Group, Nestle, United Airlines and other global brands. Some of Ensighten’s clients are considering testing different ways of asking for consent, tweaking the wording on video messages and other privacy notices, in order to see which combinations deliver the consent needed to process data lawfully.
Some advertisers are identifying which players in the supply chain will be responsible for certain data under the GDPR. Todd Ruback, Evidon’s chief privacy officer and vp of legal affairs, believes certain players in the system will struggle, as advertisers and publishers push liability for certain data further downstream to other ad tech vendors.
“If advertisers and publishers use contract revisions [with ad tech players] to push liability downstream, then there’s going to be a knock-on cost,” he said. “If you [as a vendor] want to continue being on a publisher site, then your company is going to have to agree to new levels of indemnification, which could cause consolidation in the market when the smaller players can’t take on that level of risk.”