‘It’s a learning curve’: Marketers scramble to dodge GDPR liability

“Advertisers are concerned that the data-processing agreements they’re being asked to sign don’t give them enough protection as the data controller,” said Matt Green, global lead for media and digital at the World Federation of Advertisers.

In the weeks leading up to and then immediately after the arrival of GDPR, advertisers were flooded with DPAs, created to comply with the regulation — from agencies and ad tech vendors they struggled to understand. Nissan, for example, is currently working with its agencies to assess the privacy policies of ad tech firms it uses.

“We’re working with our agency partners to rank our data partners,” said Nissan’s top marketing executive in Europe, Jean-Pierre Diernaz. “Some will become clear winners against others. It’s a learning curve. You could argue that the industry is currently in a wait-and-see moment when it comes to the GDPR before the ecosystem is properly restructured. I would assume that once that’s done the programmatic environment is going to improve.”

But not every advertiser can call on the media, data and procurement expertise that Diernaz can. Data-protection officers and legal-counsel staff have been heavily overburdened with companywide GDPR projects. The WFA, like the British advertiser trade body ISBA before it, has launched a DPA addendum with the Dutch Advertising Association that Green claimed will show brands how to reapportion liability more evenly between themselves and their partners.

A key part of the addendum, which has been devised by digital media consulting firm Digital Decisions, is to give advertisers the leverage needed to manage the data processors and sub-controllers they share data with. It won’t just cover operational partners, like agencies or trading desks but ad tech firms, Facebook and Google, as well as the different cloud providers like Amazon Web Services.

“It’s inevitable that the DPAs written by publisher or an agency, for example, will represent their data-processor perspective,” said Green. “There are many documents out there that don’t always represent the data controller so what we’re trying to do seeks to re-address that balance.”

Agencies, ad tech providers and law firms say many clients were caught unprepared for the ramifications of GDPR and thought they could simply shift liability off on partners.

“Some brands used their DPAs as an excuse to send massive (30-page plus) addenda, and some agencies signed without really reading what was in there,” said one exec at a law firm. “Other agencies took control of the issue and sent our pro processor DPAs, which tired to apportion risk in a way that is favorable to agencies. Lots of those DPAs were sent out prior to the May deadline for the GDPR, but I’m still seeing lots of clients negotiating them because not all DPAs were signed prior to the deadline.”

Advertisers admit they will probably need to work with fewer advertising businesses post-GDPR, and yet knowing which ones to pick is as complicated as it is urgent. Large swathes of the third-party data market have clearly decided that legitimate interests is their best bet. It probably is, but that’s fundamentally different to it being a good bet.

“It’s easy to see how the more established platforms and partners will benefit in the short-term,” said Sam Fenton-Elstone, CEO of media agency Anything is Possible. “For many, the bigger platforms reduce risk. They are a safer bet. This remains to be seen, however. We’ve seen how even the biggest [online] media platforms have dealt with personal data, and it wasn’t pretty.”