Post GDPR, Are Data Clean Rooms The Answer To Accessing Walled Gardens For Programmatic Buyers?

As GDPR enforcement becomes a reality not only in Europe but also here in the US, advertisers are struggling to find a way to scale the walled gardens and optimize their data assets.

As of May 25, 2018, Google announced that DCM users will be unable to use cookies or mobile device IDs to connect impressions, clicks and site activities from the DCM logs, users will be limited to Google’s own Ads Data Hub for those metrics.  For some, this means that they are satisfied to stay within the Google stack but not every brand’s solution will be and should be limited to Google.  But if media buyers want to analyze their spend outside of Google’s platform and offer up any attribution, then just using Google won’t work.

“Some marketers who spend 75 percent or more of their budgets on Google will be fine just letting Google do the analytics,” says Alice Sylvester of Sequent Partners.

Google wasn’t the only one to lock down their platform.  In response to the combined pressure of GDPR and the Cambridge Analytica scandals over its handling of personal information, Facebook decided that it would shut down ad tools called “Partner Categories” powered by outside data brokers. Those tools let Facebook advertisers target ads at people based on third-party data such as their offline purchasing history.  This means advertisers will have access only to their own data and data Facebook collects itself.  If an advertiser wants to pull campaign-level insights to inform future campaigns or use the data for the basis of an attribution model then they are out of luck.

Introduction of Data Clean Rooms

Data clean rooms allow large inventory partners like Facebook and Google to share customer information with brands, while still maintaining strict controls in place.  Data clean rooms were named for the completely airtight rooms where microchips and other sensitive materials get made.  In this case, the rooms enable a shared environment between two or more companies that is completely secure from external access (no wifi) where each company decides the level of visibility to their data.  This eliminates the possibility of data leakage for companies like Facebook which caused the Cambridge Analytica mentioned earlier.

“We and a partner combine a data set with very specific rules and controls around how each party can operate within the shared environment,” said Scott Shapiro, a product marketing director for measurement at Facebook, who noted that Facebook didn’t invent the clean-room concept.

The concept is to create a safe space where data can be share and manipulated without leaving the inventory partner’s environment.  Specifically for Facebook, a brand can create an audience based on first-party data, like a list of email addresses and then push that list into Facebook, match it, and grab a copy which they can later combine with their data as the basis for attribution, measurement and modeling.
How it happens in reality is that an advertiser will lead a clean or wiped laptop or device that has never been connected to the Internet with that advertiser’s first party data, which in most cases is an email list.  A second clean computer is loaded by Facebook or Google with impression-level and non-PII campaign data.

Maybe, The Answer to Scaling The Walled Gardens?

For advertisers with a lot of data and substantial programmatic advertising budgets this is a great opportunity to scale the otherwise elusive walled gardens.  The data clean rooms create a safe environment for data providers to share the marketing data that brands need and crave to model future media buys and advertising strategies. If managed in the right way, with the right methods and standards, this would be the tool for brands to really understand their walled-garden ad spends within the larger marketing ecosystem.  For advertisers and publishers there is a lot at stake in the post GDPR world of data governance.  There is no room for unintended data sharing because the consequences are too great.

Marketers have been eager to get more insights out of Facebook and other walled gardens but it’s unclear how many brands or agencies will take advantage of this opportunity to get more out of their spend with the largest inventory providers.  From Facebook’s perspective they are not advertising the data clean room solution because if they gave advertisers too much access to data buyers might eventually become less reliant on their platform for scale and identity data.  But Facebook and Google also don’t want to piss off their advertisers because they are demanding more data so this is the solution that they can offer for brands that pressure them to giving them more insights.  There is still the issue of the manpower involved and the fact that the data is limited to a snapshot in time but advertisers who buy into this solution are fully aware of what they are getting and have to decide if the value is worth the effort.

Programmatic Media Buying 101: What is GDPR (General Data Protection Regulation)? What Does It Mean For Digital Advertising?

Over the past few months, the GDPR (General Data Protection Regulation) acronym has been thrown around often in the programmatic media industry, as everybody scrambles to define what it means for them and how to apply it.  At least on this side of the ocean, it seems like most digital marketers are still unaware of what the GDPR is and the heavy implications it holds on their programmatic media buying future.

What is GDPR?

The GDPR Transparency & Consent Framework was launched in Europe on April 24, 2018,  with the objective to help all companies in the digital advertising industry ensure that they comply with the EU’s General Data Protection Regulation, when processing personal data or accessing non-personal or personal data on user devices.
The General Data Protection Regulation (GDPR) has recently established new requirements for companies that collect,use, and share data about EU citizens. As of May 25, 2018, all companies handling data of EU citizens must adhere to these new data privacy and security measures, regardless of whether the organization is located within the EU or not. After this date, companies around the world will no longer be allowed to collect or process consumer data from EU citizens without identifying their legal basis for doing so.  Not only that, but the same companies will also be barred from using any previously collected data if it wasn’t on-boarded with the appropriate notice and consent. Companies that fail to comply with any of these new rules and regulations could be subject to fines as high as 20 Million Euros or 4% of their annual global revenue.
However, the new European privacy policy affects more than just data miners and web developers and more than just European businesses.  Data controllers and any subcontractors will be obligated to maintain written records of their data processing activities, including why they’re processing the data and how long they plan to keep it and must be made available to data protection authorities upon request.  It’s crucial that digital marketers prepare themselves, because even if you’re operating outside the borders of the EU, if any of the data your organization collects goes through the region, then it’s subject to the legislation.

GDPR Starts Right Now

For digital marketers the changes will start immediately with websites. For example, we are accustomed to reading this message on many websites: “We use cookies to ensure that we give the best experience to the user on our site. If you continue browsing we will assume that you agree.” With this notice, or similar messages, the editors would be considered authorized to insert cookies for the visitor, but now, this will change. 
With GDPR, the copy used by the organizations to obtain legal consent must explain in a clear and concise manner why their data is being collected and what it will be used for, before it can be stored, processed, analyzed, and transmitted. When referring to personal or identifiable data, this that means personal data which is now classified as any information that could be used to identify a person, including location data, mobile device IDs and, in some cases, IP address. (Biometric and genetic data is considered to be “sensitive personal data.”)  Data that can be re-identified by data scientists or analysts with effort, by combining it with additional data points, is also considered personal data.

Article 4.1: “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

What Does That Mean for Programmatic Advertisers on the Other Side of the Ocean?

While companies figure out how to comply with the new rules there might be a loss of momentum with data tech innovation.  GDPR will require programmatic advertisers to obtain active consent from users to use their personal information, and also give them the power to erase their accumulated historical data from any database they wish, thus being more transparent.
With the rise of Machine Learning and Artificial Intelligence, there has been a lot of progress on the way programmatic advertising technology uses consumer data to provide intelligent and automated ad targeting. With these regulation changes we might see a halt in the progress made to enable automated and personalized advertising.  The implications of GDPR could somewhat restrict the extent of the role that AI-driven data insights and intelligence technology plays in the future. This will create significant challenges for the innovation of programmatic advertising.  That said, it is even more important today that programmatic service providers introduce other emerging technologies with the capabilities needed to address the goals of GDPR and ensure both secure and efficient advertising.
One emerging technology that could have a significant impact on programmatic advertising and how marketers deal with GDPR is blockchain. Blockchain has the ability to create a highly secure trading network for advertisers, by publicly storing data to create a permanent audit trail with an unchangeable record of all transactions that occur within the programmatic buying marketplace. This provides marketers with full visibility into their ad buy, to better track all transactions that are taking place automatically and a record of all transactions taking place throughout the ad-buying and selling process.

Possible applications for Blockchain to abide by GDPR rules and regulations:

  • “Do Not Record” personal data on a blockchain
  • Record personal data pseudo-anonymously
  • Encrypt the data on the blockchain
  • Store the data in a referenced encrypted database

What Else Should we Expect from GDPR?

Trust and transparency have been leading many of the conversations about programmatic advertising, and GDPR may serve to accelerate the industry-wide push for more accountability.  Blockchain is one solution but there are other solutions waiting to be discovered and tried out.  Over the next several months we will see more on how the EU applies GDPR in a practical manner, so the approaches and implementation of new technologies like blockchain should become clearer.
Programmatic advertisers, marketers and publishers may be held accountable for non-compliance by third party data providers, which means all players in the ad tech ecosystem will become more reliant on one another. What this also means is that the ad-tech ecosystem will be a lot pickier with who we choose as partners and how many partners and publishers we all work with. Contracts will need to be revised to ensure compliance, and for publishers it will be an opportunity to gain leverage to demand transparency regarding the data used by any of their partners or platforms.

For more information on the GDPR, its goals, what you need to do to be compliant, and Digilant’s commitment to the regulation, download our white paper below.

You can also check out our privacy policy or contact us at privacy@digilant.com to learn more.

Like what you see? Join the 500+ clients that have partnered with Digilant.