There is a strong sense of déjà vu about the current response to GDPR from within the digital marketing community, especially ad tech firms. As in 2011, there is disbelief about the scope and scale of the Regulation, combined with attempts to underplay the commercial implications. As a result, I doubt most of the ad tech companies will be in full compliance by May 2018.
The biggest stumbling block is consent (although this is far from the only shift these companies need to make). Until now, online trackers have been covered by cookies notices which tell web site visitors that they are tracked in order to optimise the service and serve targeted ads. The consent, however, is given to the site publisher, who takes responsibility for what ad networks and online behavioural targeting services do.
GDPR changes this fundamentally. Any decision which is made about a visitor, from what content to serve through to which ads get seen, is profiling - and that requires a separate, specific consent. It is no longer possible to see the collection and use of this data as simply part of the core service, ie, using a site, and therefore covered by the first-party consent or claim of legitimate business interest.
Ad trackers are clearly third parties. Indeed, many site publishers do not even know all of the cookies and pixels which are being dropped from their URL. So gaining consent for those third parties to collect data for profiling, and allowing individuals to withdraw that consent as easily as it was granted, becomes complex. Site publishers might do it, but will have to explicitly name the third parties and the purpose for which data is being collected. That might get in the way of their first-party consent. Or ad networks and trackers might have to win consent directly.
To understand the impact this will have on ad tech, try this thought experiment - name three OBA or ad networks. As a DataIQ reader, you may have a head start on this, but it is unlikely the vast majority of consumers will ever have heard of these companies or even realised what they are doing.
Once that gets foregrounded, the question is what level of conversion rate will be achieved. How many of these companies have attempted to explain the value exchange around their data collection? If each ad tech company has to get its own consent, since most leading sites currently drop dozens, who is likely to spend time clicking to consent to each and every one of those?
But GDPR has even deeper implications. Because of the expanded definition of personally identifiable information, all of those networks and technologies now fall under the Regulation’s remit. That means they have to comply with everything else it contains, not just rules on consent. It arguably shifts them into being data controllers, but even as data processors they are now answerable.
Just how hard will it be for ad tech to get compliant? For most, it is a massive leap from being B2B oriented to having a B2C focus, requiring changes to everything from processes and policies through to technology. For companies that have never dealt with subject access requests or data deletion, the 18 months left before enforcement of GDPR does not look like enough time.
As a result, I believe the industry is about to be caught out. It may be hoping that, as with the Cookies Law, there will be no major regulatory actions. But GDPR is different in scope and purpose and, in my view, Elizabeth Denham will start 25th May 2018 with a hit list that is likely to include some big names that consumers have never heard of, but which digital marketers currently rely on.