Earlier this week, we broke the news of GroupM requiring publishers to sign a “Data Protection Addendum” in advance of the enforcement of the General Data Protection Regulation in May.
Why this matters is more interesting. GroupM is scrambling to make sure it won’t take on significant liability. (The GDPR calls for fines of up to 4 percent of a company’s global revenue.) What it’s doing is using its leverage as the biggest ad buyer to play a game of pass the liability. The demand is simple: You take all the liability, or you get cut off our media plans. From GroupM’s standpoint, it’s simply ensuring a compliant supply chain. In its view, it’s a leader, much as it was in pushing onerous viewability standards on publishers. Those in the front take all the arrows.
The view from the publisher side is, to put it mildly, different. Many publishers are saying the agreement is far too vague and sweeping. Here’s what one publishing industry executive said about what’s really happening with this data-protection contract:
GDPR puts significant liability on the “controller” who has to have specific, informed consent for narrow purposes. These moves appear to be last-minute attempts to push liability on the publishers (controllers) in this instance, while at the same time allowing them to operate with status quo where they can capture data from each instance, and use it elsewhere on the web and with other clients to maximize their own profit and welfare. This is where advertisers should actually care, too. Ultimately, any intermediary between the advertisers and publisher is for the most part going to need to adjust to being a processor contractually liable to the data terms between the consumer and the controller.
A less technical take from a U.K. publisher: “It’s unreasonable, but it shows I think they have to try to use their scale to be unreasonable because they are hugely exposed. Publishers suddenly have a powerful position, but are not at WPP skill levels of when to be a gorilla!”
Most U.S. publishers have blown off the GDPR. It’s too bureaucratic, too European; they’ve got a quarter’s numbers to make. Google and Facebook have not blown off the GDPR. In the EU, regulators, legislators and government officials have long viewed the duopoly with skepticism. The obvious way for platforms and agencies to protect themselves is to try to pass liability to publishers. Whether this flies or not is an open question. More from a publishing source:
“[The GroupM data-protection contract] doesn’t spell out any restrictions on GroupM and its many divisions, or even whether they’ll function as a processor. No doubt they see nearly as much data as the publisher for any page containing one of their tags. I’m not sure where they plan to get consent for interest-based advertising, but that’s likely a legal gymnastics game for them with less risk if the publisher is liable.”
One interesting point that a couple publishers made: GroupM is sending these notices to fairly junior people in ad ops. That’s probably not a coincidence. “You can see how vague the language was, and it also revealed a pretty limited understanding of the issues presented by GDPR and future regulations,” said one publisher. “We are happy to pursue a two-way [agreement] with them and their clients, but it wouldn’t look like this. Finally, this was delivered to us in such an informal way that I have to think they were hoping some junior person would just sign the agreement.”
This publisher isn’t signing.