In one corner, there’s the EU’s Global Data Protection Regulation (GDPR). As of the 25th of May 2018, it will bind the collection, storage and usage of user data for the citizens and businesses of the European Union for the foreseeable future (should the UK ultimately leave the European Union, it is likely to adopt the central thrust of GDPR in its own legislation).
In the other corner, there’s the ever-growing programmatic marketing industry, innovating and automating the contextual purchasing and filling of advertising slots through the detailed (but often mysterious) analysis of vast quantities of user data— data that’s often collected by EU companies and/or from users in EU countries.
Are these two destined for a knock-down drag-out brawl, or is it likely to be more of a gentle tussle with the occasional light shove? In short, is this something that marketers need to be worried about? That’s what we’re going to consider in this article.
How GDPR expands user protections
Among the protections GDPR extends to users is the restriction that implicit consent (which in most cases amounts to total ignorance of what’s happening) is not enough for a company to be legally permitted to collect information about a specific person.
Rather, any business that wants to store data regarding a particular user must explicitly state how they intend to use it and then receive their explicit consent. And that doesn’t then give them the freedom to collect as they see fit— they must only take data that is “adequate, relevant, and […] necessary for the intended purpose”.
Any companies that fail to receive consent, acquire it under false pretences, or go on to operate in ways that don’t fit their stipulated intentions will risk hefty fines. Falling short of the required standard could cost the guilty party up to 24 million dollars or 4% of their annual global turnover (whichever is the larger sum), though they may simply get an official warning, depending on the situation. Realistically, though, the biggest threat is the prospect of a ruined reputation.
Aside from the aforementioned restrictions, there are further structural and procedural requirements that apply to all companies based in the EU and/or handling the data of EU citizens. Every such company must:
- Appoint a Data Protection Officer (DPO) to ensure full compliance with the GDPR.
- Disclose a data breach to the affected customers within 72 hours of discovering it.
The threat of external data
Of all the risks to marketing businesses making use of programmatic services, this is perhaps the most dangerous. Even if you completely adjust to the requirements of GDPR in your internal and customer-directed actions, you’re liable if you use data from external sources that happens to be non-compliant— it doesn’t make a difference if you didn’t know about the problem.
(It bears repeating here that the key factor is making use of non-compliant data— simply storing it evidently doesn’t inherently establish liability. For instance, Shopify, the leader in ecommerce websites, released a GDPR-focused white paper in April 2018 that stated the following: “As its merchants’ processor, Shopify is not responsible for the merchants’ legal bases but only processes buyers’ personal data on behalf of and on the instructions of the merchant.”)
In the long run, the threat of drinking from a poisoned well should mean that companies won’t be able to get away with using programmatic ad networks that use questionable methods, though it remains to be seen how effective governing bodies will be in detecting and punishing breaches.
With no international regulatory service to enforce GDPR’s restrictions, we may well see an ongoing push-and-pull between local regulators and ad networks looking for ways to store non-compliant data without being found out. After all, it’s still quite unclear how exactly the letter of the law will be met in real-world scenarios.
That doesn’t mean that it’s worth taking the risk of using data from questionable sources, however, for reasons we’ll look at next.
How programmatic ads can still work
For the sake of argument, let’s envision the most negative scenario and imagine that no one ever consented to having their data stored. Would the concept of programmatic advertising collapse entirely? Well, no— it would be affected, but it would ultimately be fine.
Here’s why: GDPR affects specific data that is stored and associated with specific individuals. It doesn’t affect the general operations of analytics tracking, or prevent location detection, or otherwise do much to hamper anonymized segmentation— here’s what Recital 26 of GDPR has to say on the topic:
“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”
Essentially, you should be fine to use data for segmentation provided it is not sufficient to practically and cost-effectively identify particular individuals (this is described as depending on “the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments”).
You can also go down the road of anonymizing your old non-compliant data. Provided you get it right and ensure that you’re left with no way of linking records to particular people, you may well have no issues using it.
Legality and perception
I noted earlier that the greatest threat posed by GDPR is that of reputation damage, and I maintain that here. In certain cases, extreme fines may well cause companies some small measure of woe, but fines have never proven particularly effective in deterring big businesses from doing whatever they want.
As such, as long as you follow the basic requirements of GDPR and avoid making use of programmatic networks that could plausibly taint your image, you should still be able to make good use of smart anonymized segmentation, and even remarketing through session (not user) identification.
So, is GDPR something ecommercce marketers need to be worried about? Well, in the short term, perhaps, but it won’t prevent the programmatic industry from becoming even smarter. Data protection isn’t a roadblock— it’s just a hurdle. Once everyone adjusts to the new requirements, innovation will continue its march as if it had never been slowed at all.