It’s generally understood that if you’re putting the data subject at the heart of your design, policy and risk management then you can’t go far wrong. Accountability and transparency underlie this strategy and are the fundamental principles of the new GDPR, and businesses all around the UK have been busy developing new privacy frameworks to ensure compliance.
It’s true that the GDPR offers brands, publishers, agencies and technology vendors the opportunity to forge stronger and more transparent relationships with their audiences and customers – transparency being the new key to brand loyalty. It also offers the whole industry the chance to clean up its act, improving data pool quality and accuracy.
“Increased consumer expectations for privacy – whether or not they are enshrined into law – do not have to spell doom for brands that have embraced data-driven marketing and advertising. In fact, it could help marketers in the long run by fueling a flight to quality with cleaner data and an increased emphasis on where ads run – ultimately creating better experiences for consumers.”
But whilst this is easy to state, it’s much harder to implement. Navigating the new, more complex and stringent processes of GDPR has been, let’s be honest, more than a bit painful. Getting management buy-in, staff training, documenting data flows and rewriting policies, contracts… These are just a few of the hurdles businesses had to clear pre-May 25th.
Reshaped by major trends such as digitisation, globalisation and the rapid expansion of regulation, the data protection landscape is shifting quicker than ever before. Despite it being almost two months since GDPR came into force, many businesses are still grappling with the new regulation, not helped by a constant stream of misinformation that has led to some rather confused and nervous decision making. See recent headlines such as major US news sites blocking European access; US uncertainty as to which vendors are now GDPR compliant; and big drops in demand for European programmatic advertising – all further fueled by the lack of leadership, some might say arrogance, wielded by a leading tech player.
The great news is that the IAB (Internet Advertising Bureau) has come up with a ‘common language’ framework which will offer brands transparency and consent controls, hopefully ironing out at least some confusion. The IAB is also making significant headway with its ad fraud/brand safety initiative ‘Gold Standard’, with 27 companies already awarded (and 61 awaiting) certification. These efforts will certainly help spotlight the best-in-class tech and help publishers simplify the consent chain. Developments definitely worth keeping a close eye on.
But whilst we’re all recovering from May 25th (realising that the world is in fact still turning…), the ad tech industry is already preparing for the next challenge. In 2017 the European Commission proposed a new regulation on Privacy and Electronic Communications (ePR). The ePR will replace the 2002 ePrivacy Directive, also known as the cookie law. This, in turn, updates the UK’s Privacy and Electronic Communication Regulation (PECR).
PECR currently governs the UK regarding the use of electronic communications – email and SMS in the main. Still in draft, the ePR’s aim will be to bring PECR right up to date with advances in tech and have a broader scope to encompass the development of social media messaging, communications and metadata – think OTT (Over the Top), VoIP (Voice over IP) and IoT (Internet of Things). ePR’s basis comes from the Treaty of the European Union and the Charter of Fundamental Rights, stating that “Everyone has the right to respect for his or her private life, home and communications”.
There is a simple way to differentiate between the two laws. The GDPR sets rules on the processing/storage of personal data while the ePR is lex specialis to GDPR. What this means is that when a privacy issue is raised in relation to communications, the regulators will default to ePrivacy. It’s worth noting, though, that where GDPR covers personal data, ePR will also cover non-personal data. In short, ePR updates are likely to have a substantial impact on online advertising, direct marketing, media and digital services.
Oh, and we must not forget the penalties for non-compliance. ePR will be similar to the eye-watering fines of the GDPR, so it’s crucial these are also taken seriously. The ICO won’t be shy of handing out penalties; we’ve even seen evidence of this recently, with the ICO fining BT £77k for sending out five million nuisance emails.
ePR was meant to come into force with the GDPR; however, it’s still being widely debated, and is thus unlikely to hit us until 2019. That said, there’s already quite a bit to consider, and to avoid the apocalyptic-style scramble of the GDPR, savvy businesses are already taking advice on the matter and incorporating ePR into their compliance planning.
Most notably businesses using cookies to deliver their services, monitor and/or track users, will already be considering how to build consent management into their UX. In publishing, consent plays a huge part in the role of operational data and so getting a clear view of what is permissible under legitimate interest is key. Establishing cross consents across different data types/usage will save businesses time and resource, so it makes sense for all to address and align approaches.
An area causing the most head-scratching will be the proposed rules on tracking technologies, such as cookies. Mirroring the GDPR, ePR consent to these must be freely given and unambiguous. ePR proposes a ban on cookie walls, encourages users to set cookie consent at browser level, and may remove the need for consent if their use is deemed ‘non-privacy intrusive’, e.g. analytics for improving UX.
The proposed blanket setting on cookies at browser level might improve the user experience by reducing pop-ups, but there’s serious concern that this could be inefficient and significantly reduce ad revenues. Plus there is still so much to be ironed out with ePR – the extremely broad definition of direct marketing for one, and how ePR will impact the world of B2B with regards to corporate email addresses. Brands in this space will have to think very carefully whether to seek out consent or hedge their bets on legitimate interest.
So what’s the delay? Well, as ever, it depends who you ask, but my view is that big business might have something to do with the heel-dragging (telcos in the main). You would think that, with Cambridge Analytica fresh in our minds, public and political opinion would push ePR through – however, Brexit and immigration also sit high on the European Council’s to-do list and therefore the privacy debate may have to wait its turn. We should find out in the next few weeks if headway has been made, but we may not see any real progress until later in the year.
The adoption of GDPR and incoming ePR is certainly prompting a clean-up of the ad tech space, with many ‘bottom feeders’ forced to bow out, no longer able to rely on their black box tactics. On the other hand, more reputable players (dare I say more publisher/advertiser-friendly models) are being snapped up by the big 10, including Oracle buying Grapeshot back in April. The clean-up was also evident at Cannes Lions, where the number of ad tech vendor yachts had halved, this year replaced by a number of consultancies: Deloitte, IBM and Accenture.
In summary – Updates to the law are essential for the UK to stay in step with developments in privacy principles and technology, but change needs to be carefully weighed against the financial and business impact. The UK publishing industry currently generates over £10 billion in advertising revenue a year, with many publishers using ad models to enable free access to content. Take away their ability to target ads effectively and you risk pulling the rug on the digital publishing industry, potentially leaving a huge hole in the economy. Striking a balance could never be more important. It’s going to be really interesting, to say the least, to see how this next wave of privacy law plays out. I look forward to bringing you updates on ePR and other forms of data governance in the coming months.
Catherine Dunkerley – Director, Data Integrity Ltd