Programmatic Media Buying 101: What is GDPR?

by Kyle Malone

Over the past few months, the GDPR (General Data Protection Regulation) acronym has been thrown around often in the programmatic media industry, as everybody scrambles to define what it means for them and how to apply it. At least on this side of the ocean, it seems like most digital marketers are still unaware of what the GDPR is and the heavy implications it holds for their programmatic media buying future.

What is GDPR?

The GDPR Transparency & Consent Framework was launched in Europe on April 24, 2018, with the objective of helping all companies in the digital advertising industry ensure that they comply with the EU’s General Data Protection Regulation when processing personal data or accessing non-personal or personal data on user devices.

The General Data Protection Regulation (GDPR) has recently established new requirements for companies that collect, use, and share data about EU citizens. As of May 25, 2018, all companies handling data of EU citizens must adhere to these new data privacy and security measures, regardless of whether the organization is located within the EU or not. After this date, companies around the world will no longer be allowed to collect or process consumer data from EU citizens without identifying their legal basis for doing so. Not only that, but the same companies will also be barred from using any previously collected data if it wasn’t on-boarded with the appropriate notice and consent. Companies that fail to comply with any of these new rules and regulations could be subject to fines as high as 20 Million Euros or 4% of their annual global revenue.

However, the new European privacy policy affects more than just data miners and web developers, and more than just European businesses. Data controllers and any subcontractors will be obligated to maintain written records of their data processing activities, including why they’re processing the data and how long they plan to keep it, and these records must be made available to data protection authorities upon request. It’s crucial that digital marketers prepare themselves, because even if you’re operating outside the borders of the EU, if any of the data your organization collects goes through the region, then it’s subject to the legislation.

GDPR Starts Right Now

For digital marketers the changes will start immediately with websites. For example, we are accustomed to reading this message on many websites: “We use cookies to ensure that we give the best experience to the user on our site. If you continue browsing we will assume that you agree.” With this notice, or similar messages, the editors would be considered authorized to insert cookies for the visitor, but now, this will change.

With GDPR, the copy used by organizations to obtain legal consent must explain in a clear and concise manner why users' data is being collected and what it will be used for, before it can be stored, processed, analyzed, and transmitted. Personal or identifiable data is now classified as any information that could be used to identify a person, including location data, mobile device IDs and, in some cases, IP address. (Biometric and genetic data is considered to be “sensitive personal data.”) Data that can be re-identified by data scientists or analysts with effort, by combining it with additional data points, is also considered personal data.

Article 4.1: “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

What Does That Mean for Programmatic Advertisers on the Other Side of the Ocean?

While companies figure out how to comply with the new rules there might be a loss of momentum with data tech innovation.  GDPR will require programmatic advertisers to obtain active consent from users to use their personal information, and also give them the power to erase their accumulated historical data from any database they wish, thus being more transparent.

With the rise of Machine Learning and Artificial Intelligence, there has been a lot of progress on the way programmatic advertising technology uses consumer data to provide intelligent and automated ad targeting. With these regulation changes we might see a halt in the progress made to enable automated and personalized advertising.  The implications of GDPR could somewhat restrict the extent of the role that AI-driven data insights and intelligence technology plays in the future. This will create significant challenges for the innovation of programmatic advertising.  That said, it is even more important today that programmatic service providers introduce other emerging technologies with the capabilities needed to address the goals of GDPR and ensure both secure and efficient advertising.

One emerging technology that could have a significant impact on programmatic advertising and how marketers deal with GDPR is blockchain. Blockchain has the ability to create a highly secure trading network for advertisers, by publicly storing data to create a permanent audit trail with an unchangeable record of all transactions that occur within the programmatic buying marketplace. This provides marketers with full visibility into their ad buy, so they can better track the transactions that take place automatically throughout the ad-buying and selling process.

Possible applications for Blockchain to abide by GDPR rules and regulations:

  • “Do Not Record” personal data on a blockchain
  • Record personal data pseudonymously
  • Encrypt the data on the blockchain
  • Store the data in a referenced encrypted database

What Else Should We Expect from GDPR?

Trust and transparency have been leading many of the conversations about programmatic advertising, and GDPR may serve to accelerate the industry-wide push for more accountability.  Blockchain is one solution but there are other solutions waiting to be discovered and tried out.  Over the next several months we will see more on how the EU applies GDPR in a practical manner, so the approaches and implementation of new technologies like blockchain should become clearer.

Programmatic advertisers, marketers and publishers may be held accountable for non-compliance by third party data providers, which means all players in the ad tech ecosystem will become more reliant on one another. What this also means is that the ad-tech ecosystem will be a lot pickier with who we choose as partners and how many partners and publishers we all work with. Contracts will need to be revised to ensure compliance, and for publishers it will be an opportunity to gain leverage to demand transparency regarding the data used by any of their partners or platforms.

For more information on the GDPR, its goals, what you need to do to be compliant, and Digilant’s commitment to the regulation, download our white paper below.
