GDPR impact on Programmatic Trading blog series: GDPR three months on
Programmatic technology is now at the forefront of data-driven advertising, indeed, half of European display ad revenue is now traded programmatically and programmatic in Europe has reached a market value of more than €8bn according to IAB Europe’s 2016 Programmatic Market Sizing study. However, with regulatory challenges drastically questioning how the digital advertising ecosystem operates, programmatic trading needs to show that it can adapt to meet the evolving needs of the industry.
In this blog series, IAB Europe’s Programmatic Trading Committee and its members assess the impact and the opportunities of the GDPR on Programmatic Trading.
David Pironon, Board Member, IAB France
GDPR 3 months on…
Even though, 25 May was the most anticipated date in the industry and was known about way in advance, the impact of the fateful day set off more waves than expected. One clear fact was brought to light, that despite the anticipation and the brouhaha, the market was simply not ready, and industry players were not speaking the same language from the get go. Some companies, including the Los Angeles Times, the Chicago Tribune, even took drastic measures, such as suspending their services in Europe, to avoid non-compliance.
Furthermore, during the first weeks of GDPR implementation, the effects on campaign deliveries and the split of advertising spend among sellers was unexpected at times. Publishers and platforms with the highest Consent Management Provider (CMP) adoption rates among their users were not always benefiting from being early supporters of this new tool.
A transition phase that won’t last – Why TCF and CMP are critically important
However, this transition period won’t last, and the real effects of GDPR will be more visible, little by little, once CMP adoption takes off, and when all players apply a strict policy on user consent management. There will be no doubt then, that only the players who anticipated well and have been exchanging user consent information with others in a standardised way, will manage to grow their businesses sustainably.
The IAB Europe’s Transparency and Consent Framework (‘the Framework’) is undoubtedly the only common language, as it helps players in the digital advertising chain ensure they are GDPR-compliant especially when it comes to accessing data and/or processing of personal data. The Framework is particularly relevant to publishers (with first party data) who partner with third party vendors to enable these third parties to process user data. It provides a standardised mechanism for requesting, storing and sharing user consent along the supply chain.
The Framework aims to provide a complete solution to ensure full compliance with GDPR by enabling user consent management for every involved vendor. Publishers need to be aware of this when they are making their choice (and when implementing their consent management solution).
Let’s focus on in-app, which currently has much lower CMP adoption rates. Indeed, in-app is often wrongly perceived as a secondary issue compared to web traffic, whereas it is directly impacted by GDPR, as the use of mobile advertising IDs and other personal data are also restricted to users who have explicitly given their consent. In the mobile app environment, the IDFA / Advertising ID / Lat-long are the typical types of personal data that will require consent from the user before being processed by any vendor.
Hence, the risks for app publishers who don’t implement a CMP and don’t collect consent for each vendor involved are significant. Every user should be able to freely accept the processing of their data by being clearly informed; and each user has the right to know who accesses their data, and for what purpose. There’s a lot to be seen post GDPR, and the topic of user data and consent will be sticking around for quite some time.
Why GDPR impact will be broader than just the EU
It is interesting to observe that other regions could follow the example of GDPR and pass / update their own data protections laws.
In the US, the state of California recently passed the Consumer Privacy, giving residents of the state significantly more control over how their data is collected, used and handled. It allows consumers to know what information companies are collecting about them, why they are collecting that data and who they are sharing it with. Although the law will not go into effect until January 2020, it will without question have massive implications for every brand, agency and tech company.
The trend to more closely govern personal data will continue, as people are interested to see what third parties can gain access to their data. Technology companies, media groups, retailers and banks are among those most affected because of the vast amounts of information they hold on customers.
Daniel Sepulveda, VP, Government Relations, MediaMath
The EU General Data Protection Regulation (GDPR) has elevated the importance globally of data protection and forced new public and private efforts to rise to the challenge.
At MediaMath, we have worked feverishly to get GDPR compliance right by: consulting with legal counsel, partners, providers and others; ensuring compliance of technology products and services used; and holding discussions and working groups with consumers, policymakers, marketers, publishers and technology companies. Elsewhere, in companies as large as IBM to companies our size, and small and medium-sized start-ups engaging Europeans online, multiple millions of dollars and Euros and thousands of manhours are going into doing right by the consumer as directed in the GDPR. Marketers are mostly continuing their campaigns (including those traded via programmatic technologies) as they were designed prior to GDPR implementation. There was an initial dip in supply that is beginning to return to where it was before.
The industry has heard the message from European citizens and their regulators that we should focus on consumer protection in the digital age by putting consumers in charge of their experiences and identity.
It’s early days and we don’t consider the work done, but there is reason to celebrate and embrace the work and cooperation taking place both within and across stakeholders in industry, civil society and government to rise to the GDPR challenge.
What we are witnessing in Europe is an evolving model for achieving public interest ends that combines self-regulatory work like the construction of the IAB Europe Transparency and Consent Framework (TCF) with public-private cooperation and conversations through multi-stakeholder forums like the German Marshall Fund and the World Economic Forum with an open and inclusive approach on the part of regulators to interpreting and implementing the GDPR. These are positive developments. It is important for suppliers like Google in particular to integrate into the iAB Europe Framework to give the market greater certainty and sense of joint problem-solving.
Within these developments, we believe that the importance of the IAB Europe’s Framework cannot be overemphasised. It offers a good faith effort on the part of the industry to respect the GDPR and enable continued digital growth. By creating a mechanism for website operators to make clear to consumers which other digital actors are involved in the processing of their data and for what purposes, we are making the digital supply chain visible and a matter of choice for consumers. We hope regulators and thought leaders will recognise and work with us as we iterate on the Framework and urge all actors in the digital economy to support and use the Framework as we continue to endeavour to both comply with the GDPR and hold ongoing global discussions about privacy in the digital age.