“It reminds me of Y2K - a bonanza for consultancies and software vendors to feast on the fear that their clients have about what they should do.” So said Scott Meyer, CEO of privacy compliance technology vendor Ghostery, in an interview with DataIQ about the way third parties are using fear, uncertainty and doubt over how to comply with the General Data Protection Regulation (GDPR) to create a market for their services.
Ghostery is well placed to observe this behaviour and to criticise it from a position of strength. It holds a patent on its solution, and around half of its business comes from leading site publishers and ad tech companies using its data mapping tool, MCM, to identify the digital elements being used to track site visitors and target ads, or its Site Notice solution, which can automatically populate privacy notices on web sites and mobile apps with information about the elements in use by over 2,000 global vendors.
As Meyer pointed out: “Our software-as-a-service works with the big ad networks and publishers on their digital governance. Site publishers don’t understand what cookies and pixels are being dropped on their sites and we have built a business on that. With GDPR, ad tech companies and site publishers are worrying about how to get it right because there is so much noise in this space about it. They have got to get it right and build consumer trust.”
The other side of Ghostery’s business provides it with a helicopter view of exactly what is being done with cookies and pixels in the name of behavioural targeting and digital advertising. Its browser extension is offered free to consumers, either directly from the vendor or by brands as part of their privacy policies. Those 50 million-plus installations show exactly what is being dropped via browsers - a key step towards the transparency required by GDPR.
“We are working with clients to go through their data governance process identifying what cookies are being used, what they do and the potential implications,” said Meyer. “To become end-to-end GDPR compliant is not an easy task, so the question is, where do you start? Our view is that companies should start with the visible points of contact through data mapping and the ability for individuals to make informed consent.”
In a live demo during our interview, Meyer showed how MCM maps trackers, using the dataiq.co.uk site as an example. This revealed that a social sharing tool called Add This, which had been deliberately added to our site in the early days of its development, was also dropping a cookie on behalf of a third-party without us being aware of it.
Whether this kind of oversight will attract enforcement action once the ICO gets to work on it in May 2018 remains to be seen. As Meyer points out, the regulator will not have an army of 5,000 enforcers travelling around, “kicking in doors and asking where the data is”. Instead, there is more likely to be an intelligence-led approach to identify those companies who are deliberately choosing not to be compliant.
As he sees it: “There are three types of company. The first doesn’t want to be on any regulator’s hit list, so it is putting best practices in place to show it is complying with the rules. The second type is waiting to see what those leaders are doing and will then jump in, but they don’t want to be first. The third type doesn’t care and sees it as a bureaucratic obstacle. Their mindset is, ‘sue me’.”
With 17 months to go before enforcement, understanding what compliance will look like is still not easy. Todd Ruback, chief privacy officer and VP legal affairs at Ghostery, points to the need for consent to profiling as an example. “GDPR doesn’t specify what it means by profiling, only that it has to be done in the right way. If companies don’t, the highest penalty is 4% of their turnover. Ad tech and brands who use profiling to identify individuals they want to reach need to get themselves compliant quickly,” he said.
A number of agency networks and media groups, like GroupM, are working with Ghostery to develop compliance solutions for clients. What gets implemented will depend on the level of compliance they are aiming for. For Meyer, it is a question of either “mapping themselves onto opt-in or a catastrophe because they don’t know what’s going on.”
Not that GDPR is the only regulatory game in town. As Ruback pointed out, “The ePrivacy Directive is also being revised and we are part of the stakeholder group involved in that. One of two things is going to happen: either PECR gets revised or it gets subsumed under GDPR.” One of the reasons for a degree of panic in the world of ad tech is that what it collects is now categorised as personal information under the new Regulation, whereas before the legal framework only related to consenting to storage of information on the user’s device.
GDPR is highlighting just how much data collection has been going on without consumers’ knowledge. Ruback noted: “If you’re going to be a good organisation online, there is an obligation to help educate the consumer about these new rights and how to exercise them. We are trying to help with that before the Regulation comes into effect through webinars and content. When GDPR does go live, companies will have to be able to provide an easy way for consumers to act on, for example, their right to erasure.”
Resourcing these data governance projects will not be easy. IAPP estimates there are over 20,000 companies which will need to employ a data protection officer (DPO), while other estimates put it as high as 72,000. There will be a fight to recruit or retrain in the time available, as well as a lot of innovation and investment into alternative solutions.
For companies like Ghostery who sit on the right side of the ad tech fence and have compliance solutions to offer, this is all good news. As Ruback said: “GDPR is a full employment opportunity for privacy professionals - but there won’t be enough people to go around.”