After a relatively sleepy start to 2019 in terms of enforcement of the General Data Protection Regulation, regulators have begun to dig in over the last few months.
In the U.K., that’s involved the Information Commissioner’s Office revealing its intent to issue multi-million-pound fines to two major consumer-known brands: British Airways and Marriott International. It also released a stark warning to the ad tech sector that current use of personal data within programmatic advertising on the open exchange isn’t compliant. Plus, further ICO guidance has been released to shed clarity on what sort of cookies can be used for tracking under GDPR and the Privacy Electronics Communications Regulation, which now has to comply with GDPR rules.
The flurry of activity has put the whole ad industry on notice, with many vendors having admitted the ICO has given the industry a second chance. No one wants to blow it. But it’s not all doom and gloom.
Here’s what we’ve learned:
Cookie-less ad tech is the future
Whether it comes from publishers or ad tech vendors, ad-targeting options that don’t rely on third-party cookies are the future. In this new era in which browsers are restricting the ability to track people via third-party cookies for advertising purposes, solutions that are designed to leverage first-party data at scale will be gold dust. Increased scrutiny of data-protection regulators worldwide has also accelerated the need for that push so that advertisers can feel reassured they won’t fall foul of regulations like GDPR or the California Consumer Privacy Act.
The post-cookie trend has already prompted a cottage-industry effect, with all sorts of ad tech vendors cropping up to tout cookie-less, first-party-data tools cropping up. Otherwise, existing and established vendors are revealing pivots. This next wave of ad tech innovation, though welcome, will also require some scrutiny to sort the so-called wheat from the chaff in the early days.
Amped-up contextual ad targeting is the new black
Contextual targeting is hot, again. Traditionally regarded as the unsexy cousin of more finely tuned data-targeting methods like behavioral advertising, contextual targeting has regained prominence on the media plan. Granted, agencies maintain they have always used contextual targeting in some capacity, but most have agreed the method has increased in importance, spurred by the arrival of GDPR and Apple’s anti-tracking moves on the Safari browser. Google has also given users control of whether they switch off third-party cookies or not, and most in the industry expect this to be a mere precursor for the wave of data privacy-focused tools the tech giant releases in order to stay on the right side of regulators, while also keeping in step with Apple’s consumer-friendly privacy stance. The most advanced media agencies are now actively pursuing new options which allow them to tap advanced contextual targeting capabilities with user intent and other metrics that ensure they can continue precision marketing in a world where the third-party cookie is restricted. Meanwhile, publishers that are rich in technology resource, such as the Jeff Bezos-owned Washington Post, will benefit from being among the earliest to cater for this requirement.
Fines aren’t the worst of it
Until the ICO announced it intended to fine British Airways £183 million ($228 million) and Marriott £99 million ($124 million) for GDPR breaches earlier this month, the only other consumer-known business to be fined (excluding Facebook as it was fined by ICO under the former Data Protection Act law which has a far lower fine cap than GDPR) was Google. But fines alone aren’t necessarily the worst outcome.
Many in the ad industry have questioned just how much of the general public really cares about how their data is used for advertising purposes, bar the cohort of privacy activists. But the more high-profile fines that hit the headlines, the more likely they will start to. U.S. tech provider Acquia has just released research that showed of 1,000 people polled, 65% said they would stop using a brand that was dishonest about how it was using their data. Meanwhile, due to the nervousness around compliance, companies that have been called out by regulators may face difficulties when it comes to reassuring their partners or securing new ones.
GDPR acers will make smug CCPA-ers
Several ad tech executives have recently remarked on the irony of U.S. ad tech vendors exiting Europe on the grounds of GDPR, only to be faced with the California Consumer Privacy Act back home. Take Teemo: the location data vendor that was pulled up for GDPR violation by French data protection regulator CNIL. After a few months, the business had managed to meet GDPR compliance, and it has since reportedly expanded to the U.S. with more confidence that it can meet the CCPA head-on, once it goes into effect on Jan. 1. But over the last few months, U.S. media businesses have been on the hunt for consent management platforms — keen to get ahead of the CCPA, and not procrastinate as was the case with GDPR compliance, according to ad tech sources. Those that have been thorough about their compliance, and not taken short cuts, won’t have too much to fear from CCPA or other similar laws.
ICO does have teeth after all
It’s possible that many in the ad industry mistook the ICO’s silence in the year after GDPR’s enforcement for lenience. While it’s true the ICO stressed its preference for the carrot versus the stick in terms of its enforcement, it’s become clear that when it comes to breaches where large volumes of consumer data are affected, the regulator will come down hard. In reality, the non-action was more likely due to the large volumes of complaints and notifications the regulator had to wade through, plus when investigations are warranted they take a long time to complete. The ICO currently deals with an average 1,276 monthly GDPR complaints and notifications, according to research from international law firm Pinsent Masons. In the nine months since the arrival of GDPR last May to February this year, the ICO received a total of 11,562 notifications, said the same report. In contrast, the data-protection regulators of other large EU nations like France and Spain receive notifications in the hundreds.
“The high levels of reporting of personal data breaches under GDPR mean that the ICO is facing a backlog in dealing with notifications,” said Freya Ollerearnshaw, associate in Pinsent Masons’ Cyber Practice. “This may result in organizations waiting longer to receive final decisions.” However, she also stressed that the ICO appears to have gone through an adjustment period in which it has begun closing down more notifications than it is receiving, deeming them not in violation of GDPR.