The Washington Post went hard to make sure that programmatic advertising didn’t compromise its ability to comply with the General Data Protection Regulation. For European site visitors, the newspaper publisher stopped selling personalized ads through Google’s ad exchange and, for ads that the Post sold directly, it stopped using a third-party ad server to serve those ads. It shut off its data management platform and disabled all header bidding.
“We got rid of basically everything,” said Jason Tollestrup, vp of programmatic strategy and yield at the Post, at Digiday’s Programmatic Media Summit in Scottsdale, Arizona.
Months after the GDPR took effect, little has changed because there remains little indication of how exactly publishers are supposed to comply with the regulation.
“I’m needing the regulators to come in and comment at this point,” Tollestrup said, echoing a common sentiment among publishers in attendance.
Without much clarity for comfort, the Post has maintained its conservative programmatic advertising strategy in Europe. It still has Google’s ad exchange in non-personalized mode, and it still doesn’t allow third-party ad serving.
A major reason the Post has not turned programmatic back on “is because I’m still working through the contracts,” said Tollestrup. It’s not only contracts with programmatic technology vendors that need sifting through but also with advertisers.
Advertisers increasingly want to use their own first-party data to target ads on publishers’ sites. That’s fine in the U.S., but it’s problematic in Europe because of the position it puts publishers in. If an advertiser sends its data to a publisher to target ads on the publisher’s site, the publisher technically becomes the “processor,” a GDPR term that means the publisher cannot do anything with that data other than what the company providing the data has specified. But the “processor” label can be even more burdensome. “If you’re labeled as a processor, they basically have control over every part of your business — the vendors you select, every part of the business,” Tollestrup said.
The Post has pushed back against accepting the “processor” label in the same way it has pushed back against running personalized ads in Europe on the basis of GDPR’s legitimate interest clause, one of GDPR’s most glaring gray areas that companies have embraced to use people’s personal data without first obtaining consent. Other publishers have invoked legitimate interest to continue targeting ads to European visitors, and that has led agencies to pressure the Post to do the same.
“My sales team has to go out in the market, and agencies say, ‘Why don’t you third-party ad serve when this person does?’ or ‘Why don’t you allow personalized targeting when this person does?’” said Tollestrup.
In addition to disabling personalized advertising for European visitors, the Post gave those visitors the option of disabling advertising altogether. In May 2018, the publisher introduced a subscription tier for European visitors to pay $90 a year to visit the site without being shown ads or having their data tracked. People are still signing up for the GDPR-related subscription product. “Definitely not as much as general subscriptions, but there is an appetite for it in the marketplace,” Tollestrup said.