Believe it or not the original proposal for the EU General Data Protection Regulation surfaced back in January 2012, and now after five years of debate, and despite the Brexit vote, the new rules will become law in just nine months’ time – 25 May 2018 to be precise.
Arguably the biggest impact on the online ad business will be the widening scope of what’s defined as personal data, to include device IDs, IP addresses and ‘anonymous’ browsing cookies. Thus far, publishers and networks have been able to display an "opt out" cookie banner and merrily collect behavioural data to power targeted campaigns.
In the UK, according to the IAB, digital display grew at 26% to £3.8bn in 2016 with 72% of that traded programmatically, powered by consumer data – which from next May will require specific, unambiguous consent.
So, what of the consumer, and would they really trade their personal data for a holiday offer?
Undoubtedly, consumer awareness of how their data underpins online advertising has grown sharply. In 2012 only 13% were aware of the AdChoices icon next to targeted ads and that figure grew to 34% last year.
But in 2017 – with Internet advertising all over the main news for the wrong reasons – it’s fair to say our consumer is a lot more savvy. Even a Google search for GDPR gleans an impressive 5.3 million results.
This year’s Consumer Study by the Mobile Ecosystem Forum, covering ten markets and over 6,500 respondents, highlighted the importance of consumer trust and the value exchange. So, what would motivate the digital citizen to give specific consent for their data? 13% said nothing would entice them to share their personal data; but an aggregate 44% said a fair exchange could include gifts, holidays and discounts on real-world products and services.
Given how under-prepared most publishers are in gaining consent for that valuable first party data, I foresee the next annoying phenomenon as the incentivised specific consent pop-up, commonly served by small businesses and website owners who rely on programmatic advertising revenue. We’re not talking about the big guys here.
GDPR played into the hands of the web giants
When the key tenets of GDPR were announced – with eye-watering fines of up to 4% of global turnover for proven non-compliance – many thought the EU commissioners were gunning for the big American giants – particularly Facebook and Google, as is their wont. Just imagine the size of those fines! But anyone thinking the new rules might stifle their access to customer data is mistaken.
The fact is, Facebook and Google have developed products and services people simply can’t live without, so gaining consent from their users to continue enjoying free access was never going to be that difficult. Back in 2012, in a judicious move, Google simplified and consolidated 60 privacy policies into one, so once you’re signed in you’re treated as one user across all their products. Along with the likes of Amazon, the web giants will each continue to offer advertisers tens of millions of registered, consenting users to target.
Further down the food chain, online publishers and media owners should be involved in a race against time – but some must be sleepwalking into GDPR. A report by Thoerem released in May stated that the most sought-after publisher data requested by agencies and advertisers is first party registered data, yet at the time only 17% of premium publisher audience segments contained this valuable data. Moreover, across the wider SME sector, according to YouGov, a mere 29% of SMEs have started preparing for GDPR; 38% of decision makers are unaware of the new rules, and 71% don’t know about the fines.
Ouch! That’ll be €20m (£18.4m) or 4% of global turnover, whichever is the larger. I wonder whether the Information Commissioner’s Office will hit the ground running with those next summer.
Broken ad tech business models
With the reclassification of the browsing cookie and device IDs as personal data, the companies likely to suffer the hardest blow from the new privacy regulations are those ad tech businesses built on large amounts of, mainly, third party data – currently powering programmatic targeted advertising. How can these ad tracker companies possibly hope to gain specific, opt-in consent at any kind of scale from consumers when they have no first-party relationship, let alone brand awareness or desired product benefit? Perhaps this is where the free flights to New York consent pop-up comes in.
Sleeping giants waiting in the wings
The question remains: what type of company is well placed to build databases of registered users at proper scale to service clients and agencies and remain compliant with GDPR? Look at the Telcos – their core revenue streams are under severe pressure, not least by the EU now that roaming charges have been banned. But what they do have between them are billions of registered users and an opportunity to maximise the value of their data assets while remaining GDPR compliant. Verizon – now the proud owner of AOL, Yahoo, Millennial and selling display for Microsoft – has obviously spotted this one. Expect more to follow, particularly in Europe.
Good for advertisers, good for consumers
While GDPR will undoubtedly be a big challenge for many European SMEs, and will no doubt cull scores of ad tech companies for whom the "right to be forgotten" will be their ironic fate, the rules bode well for consumers, and, I would say, for advertisers, too.
As we see with our own clients at iCrossing, the best results invariably come from insights and campaigns driven by first-party data from the advertiser’s own customers. Third-party data is often the last port of call – there’s no guarantee of its quality or provenance, so ultimately we have to judge the data on performance. GDPR increases the quality and transparency of data and that will have a knock-on positive effect on relevance, results and – I hope – creative standards.
Consumers will say a collective "hallelujah" to that and finally be rid of that apocryphal pair of retargeted trainers that follows them around the web. They’ll also have the right to withdraw their consent from any company at any time; something all operators must be ready for.
As for free flights to New York, cash incentives, gifts and discounts as a value exchange for specific consent; looking at the MEF consumer study again, the top requirement is ‘having my personal data returned to me or deleted at a time of my choosing’.
Perhaps we’re not all consent promotion tarts after all. Personally, I’d settle for 200Mb free broadband for life.
Guy Phillipson is the chairman of iCrossing UK and the former chief executive of the Internet Advertising Bureau UK