GDPR will lead to a scramble to pass off liability to others
When it comes to the General Data Protection Regulation, it’s a dog-eat-dog world.
For many in digital media, that will mean a giant game of hot potato, as clients want agencies to assume risks, while agencies insist publishers assume them, and publishers then do the same to tech vendors. It’s hard to blame everyone from running away from responsibility: Maximum fines of €20 million ($24 million) or 4 percent of annual revenue are at stake.
In an effort to dodge the GDPR-fine hot potato, agency groups are tweaking contracts to ensure any risk gets passed back down the supply chain to the data source, putting ad tech vendors and publishers closer to the line of fire. Publishers themselves aren’t standing still either, calling their biggest ad tech suppliers and demanding they agree to compensate them if the publisher is fined for something that happens on the ad tech vendor’s watch.
Under the GDPR, businesses that are defined as “data controllers” are most liable for fines, as they are the source of the consumer data. That means publishers in particular are in the line of fire, as are advertisers that operate websites with first-party customer data. Ad tech vendors can be a mix of data controllers and data processors, but either way, they’ll also be expected to gain consumer consent for using both publishers’ and advertisers’ data.
Publishers on either side of the Atlantic are renegotiating contracts with ad tech vendors that guarantee the publisher will get compensation should it be fined for something the vendor has caused, while also demanding the vendor prove they’re GDPR-ready. They’d be crazy not to. “Ad tech vendors can’t hide in the herd anymore but must get their houses in GDPR order fast,” said Todd Ruback, chief privacy officer and vp of legal affairs at marketing analytics company Evidon.
But the buck doesn’t stop there. The biggest ad tech vendors are in turn pushing their own GDPR-specific contracts further downstream to their own subcontractors. “Indemnification and liability is becoming the hot potato, getting passed from company to company,” Ruback said. “It’s getting very complex.” Smaller ad tech vendors won’t necessarily have the funds to cope with paying compensation to publishers should they be found in breach, which will lead to consolidation in the ad tech market, he added.
Meanwhile, agency groups are also trying to cover their backs, updating contracts to push the liability back to the data source, which ultimately is the publisher. Sequential liability has long been a standard part of agency-client contracts. It’s there as a backstop for agencies, so if a client fails to pay up, the agency can then refuse to pay the media owner that supplied the inventory. It’s only recently that they’ve started writing in GDPR sequential liability — an approach that’s angered some in the market, who believe agencies should take more responsibility for isolating how and where data is shared in their own supply chain in preparation for the GDPR, not just push back on the publishers. Others believe agencies will try to bury the new terms in 2018 trading deals with publishers.
“This is just another example of the buy side raping and pillaging the sell side,” said an ad tech exec who spoke on condition of anonymity. “The smart publishers will be savvy to it, but most will be resigned to it because agencies have the buying power, and publishers need the money.”
While agencies with the most leverage and buying power can more easily dictate GDPR contractual terms with publishers, publishers with the most clout will be able to make indemnification demands of vendors, and the biggest vendors will be able to do the same with smaller vendors. When it comes to GDPR readiness, size will likely matter a lot.
But the skirting of liability from either end of the supply chain can’t last. “There is a collision happening. But the market will eventually right itself,” Ruback said. “If agencies want to do business with publishers and publishers want to do business with agencies, they’ll have to come to some kind of middle ground about liability.”
Cheat Sheet: Google unveils timeline for a more ‘responsible’ cookie death clock
Google elaborated on its timeline for killing off third-party cookies as part of its promises to the UK's antitrust authority.
‘Weak Sauce’: New industry tool for opt-out from email-based tracking misses ID tech and key players like Facebook and Liveramp
The Network Advertising Initiative's new privacy control is intended to stop email-based audience matching — often referred to as onboarding.
How news publishers are using the Olympics and AR to flex their emerging tech storytelling
Big publishers like The Washington Post and USA Today are developing and expanding AR storytelling around the Olympic Games.
SponsoredHow the ad industry can use its borrowed time to future-proof first-party data solutions
Trent Lloyd, co-founder and head of brand solutions, Eyeota Google’s updated timeline for its Privacy Sandbox rollout, including its two-year delay of third-party cookie deprecation on Chrome, didn’t come as a surprise to many industry observers, given the limited utility of Google’s FLoC and the slow momentum of the Privacy Sandbox in the World Wide […]
Member ExclusiveMedia Briefing: Publishers’ programmatic ad businesses have rebounded to pre-pandemic levels
This week's Media Briefing looks at how the pandemic and the cookie's eventual demise have created the conditions for the programmatic ad market that publishers have been pushing for, with a shift to private buying coinciding with prices pushing past pre-pandemic levels.
‘They will need to use multiple routes’: Shifts appear in the publisher-SSP union, as alternative identifiers proliferate
As the ad tech industry rewires itself around the contours of privacy, supply-side platforms are reinventing themselves (again).