GroupM has told publishers that they don’t have to sign its Data Protection Addendum if they are willing to join the Interactive Advertising Bureau’s proposed framework or provide the agency group with other evidence of their compliance with the General Data Protection Regulation.
The media agency group’s data privacy officer and global general counsel representatives attended a meeting last week in London with about 50 publishing executives across 25 media brands. The purpose of the meeting was to let publishers get more clarity on areas many of them had concerns about in the DPA GroupM had sent them in preparation for the GDPR.
One reason many publishers felt harried after receiving the addendum was GroupM gave them a deadline by which to sign it, telling them that if they didn’t, the agency group might cease trading with them on the grounds that it wouldn’t be able to guarantee a publisher is GPPR-compliant.
GroupM has said its intention wasn’t to pressure or use its leverage to make publishers sign its DPA — although the notice said GroupM would not do business with entities that did not sign — but that GroupM needed assurance of its own, and its clients’, supply chain compliance. Richard Reeves, managing director of the Association of Online Publishers, which called for the meeting, said the AOP was satisfied those concerns were addressed fully in the meeting, though he wouldn’t reveal specifics.
The DPA was also developed to ensure GroupM would only receive personal data — whether its own or controlled by a third party — that was collected in a way that complies with the GDPR, according to Nicola McCormick, global general counsel for GroupM, who attended the meeting with publishers.
“There is a lot of anxiety around the implementation of the law, which is understandable,” said McCormick. “Publishers are finding themselves on the sharp end of the legislation, and that puts a lot of onus on them. I sympathize with them, and it wasn’t our intention to add to that pressure.”
She added that the DPA was devised before the arrival of the IAB’s framework. Publishers now have three options: Sign the DPA, join the IAB framework or demonstrate their own compliance for GroupM to assess individually.
“Where we can have alternative means of comfort from publishers as to their compliance with GDPR, we will accept that comfort,” McCormick said. “Signing up to the IAB framework is a good way of providing such comfort.”
The timing of the DPA couldn’t have been worse, coinciding with news that Google wanted publishers to gain consent on its behalf, while it assumes a co-controller position. The interpretation of the GDPR has been so broad that the question of who is expected to gain consent from users and take liability for it remains unclear. In short, publishers have felt pressure from all angles.
In last week’s meeting, GroupM committed to providing more explanation to publishers on how businesses like Xaxis and mPlatform process data, according to McCormick. The idea is to help clearly distill how these businesses use data, so publishers can in turn be transparent with consumers on how it all works when getting their consent.
The response that publishers no longer have to sign the DPA came as a surprise to many publishers in the room, according to sources who attended the meeting. “It was a big surprise, as it seemed a total change of tune: The initial way it seemed to be presented was, ‘You must sign,’” said a publishing executive who attended the meeting.
Overall, publisher attendees were positive about the outcome. “We were pleased they accepted the offer to meet,” said another publishing executive. “It can’t be easy to sit in a room with 50 irate publishers. But they showed they were willing to confront it.”
“It was an encouraging meeting,” said Reeves. “The publishers felt there was a positive explanation and gained a better understanding, which includes greater clarity around the intended use and implementation of the addendum, and its future application.”
GroupM and the AOP plan to reconvene in a few weeks.