The broad definition of personal data within GDPR means that anonymous online identifiers such as cookies and device IDs are well within its scope.
Retargeting – whether based on cookies or device IDs – will therefore involve use of personal data under GDPR and it’s likely that some form of consent will need to be gathered – and passed to any 3rd parties (eg a DSP) – before retargeting could commence. The implications of this are considerable – as are the fines that businesses will incur if they don’t comply.
The bottom-line for advertisers would be a drop in retargeting volumes and a higher administrative burden to ensure that privacy policies and user-controls are up-to-scratch. While this in many cases may be viewed negatively, it will likely increase the need for brands to apply a greater amount of creativity to their online advertising.
There are potential silver linings. Compliance technologies such as Evidon are looking to streamline the consent acquisition process and data consortia (such as the one launched in May by MediaMath, AppNexus & LiveRamp) are emerging which promise to protect (even enhance!) cookie volumes and liquidity across exchanges.
There is also moment marketing, which in 2016 70% of marketers said they would be testing. It moves away from personal data to moment or macro data. This type of data doesn’t require to know who I am, just where I am and what’s going on around me at a particular moment in time.
John Goulding is the global product director at Media iQ.
Wondering how, or even if, you need to worry about GDPR compliance? Watch out for our series of GDPR Q&A pieces. Got a burning question on the subject? Send it to firstname.lastname@example.org