One day, you’re interviewing an adtech company about how the General Data Protection Regulation has affected its business. Another day, the same company, Quantcast, finds itself being investigated for falling foul of GDPR.
Such is the unpredictable nature of the European Union's GDPR that all aspects of the online ad industry are still grappling with it a year after it came into force.
In several interviews with Campaign from across the industry, two things have become clear:
People are expecting enforcement to get much tougher now that the law has been live for a year.
By forcing publishers and data handlers to be GDPR compliant, the regulation is creating business opportunities.
This is despite the effects of GDPR not being felt by consumers. A study by the7stars has revealed that one in five people think GDPR was an "anti-climax", while half think it has "made no real difference".
GDPR was created to enshrine Article 8 of the European Convention on Human Rights in terms of protecting personal data and now means it doesn't matter where the data was collected or processed – EU citizens must properly consent to how their data is collected and used by advertisers.
Google became the first major company to receive a fine after French regulator CNIL found it had improperly obtained consent from people using its (many) apps in January. Companies face a fine of up to 4% of their annual turnover.
This €50m (£43.5m) fine makes up nearly all of the total fines levied under GDPR in the first nine months, according to figures from the European Data Protection Board. There were 206,326 cases reported over this period – nearly half of which (95,000) have been complaints to data controllers, while 65,000 were initiated by data controllers themselves.
However, in the days preceding the first anniversary of GDPR on 25 May, news broke that Google is being investigated again over a GDPR breach by regulators in Ireland (its home country for data processing within the EU).
That came a day after Quantcast, an adtech company that specialises in artificial intelligence-driven real-time campaigns, found itself in the crosshairs of Ireland’s Data Protection Commission. The watchdog is investigating a complaint by Privacy International against seven major companies (Quantcast, Acxiom, Oracle, Criteo, Tapad, Equifax and Experian) over the way they work together to build profiles of internet users. The UK charity believes the way these companies aggregate personal data is a violation of GDPR’s consent standards.
So spare a thought for Ari Levenfeld, Quantcast’s chief privacy officer, who was interviewed in April by Campaign for this piece.
"I had my head down for a year," Levenfeld confided. "It was the hardest I’ve ever worked and I wasn’t sure what to expect."
Levenfeld only joined Quantcast in February but had held the same role at Sizmek for two years. Both are members of Internet Advertising Bureau Europe's Transparency and Consent Framework, but Quantcast is now in the firing line of Ireland’s regulator.
Konrad Feldman, Quantcast's chief executive, said in a statement: "We understand and appreciate the Irish DPC’s inquiry into how we’ve responded to GDPR and we are fully co-operating with them. We are confident that our products and business are compliant with GDPR and, as with most new regulations, the hard lines of GDPR will become clear as enforcement agencies provide their perspectives."
A 'bedding down' period
What happened last week seems to confirm what had been predicted in the run-up to GDPR’s first anniversary – namely that, save for Google and Facebook, regulators have not yet taken action against the world's major brands or smaller adtech companies.
Nicola Howell, senior compliance and EU privacy attorney at Dun & Bradstreet, said GDPR should be seen in the context of how most laws are introduced in the UK – ie there is a period of "bedding down".
She said: "Rather than move to prosecute immediately, they seek to educate first. I would see that for up to the first five years of GDPR, particularly with smaller businesses. Larger business may be expected to spend more on educating themselves.
"The sensible regulators like the UK's ICO [Information Commissioner's Office] were very keen to make clear that GDPR came in last May and they weren’t going to start a prosecution on 26 May, which the press would have us believe."
Creative agencies such as MullenLowe have also considered 2019 to be a transition year. Jeremy Hine, MullenLowe's chief executive, described the ICO as "preferring to use the carrot rather than the stick" in the first year, but predicts the "stick" will become more prominent.
"I thought there would be more fines from the outset," he said. "You tend to assume that, because we had a few years to get ready for this, that people would be more prepared – but it's still quite a thing to implement. The May deadline last year came around qucker than people expected."
According to Nick Chiarelli, head of trends at Unlimited Group, the data issue became "sensationalised" by the advent of GDPR, but has also been the tonic from which agencies are now benefitting.
"Just as we once feared the risks involved with online shopping or mobile-first banking, consumers fear the data exchange risks outweigh the positives," Chiarelli warned. "Today, the struggling high street is an example of how dramatically those attitudes toward online activity can shift if brands guide their customers successfully."
But for Richard Reeves, managing director at the UK Association of Online Publishers, the biggest change that GDPR has brought about for the magazine and newsbrand industries is that ignorance of risky online supply chains is no longer acceptable.
This is despite, in Reeves' view, the ICO providing little guidance to publishers in the run-up to GDPR being implemented: "A lot of us are starting to inspect very closely our third-party arrangements. A lot of publisher and newspaper groups restrict the number of resellers they have and third parties they work with, so they can have better control over the management of that data."
Instead of using these agreements as "sticks to beat vendors with", Reeves insisted that "it just made sense to create a global vendor list, where those vendors are able to promote cookies they’re using in an open platform that publishers can look up."
'GDPR has been toughest for FMCG companies'
However, Ben Rickard, MediaCom's chief digital and data officer, pointed out that FMCG brands have found it toughest among advertisers to adapt to the GDPR world.
"Anyone who has lots of first-party data has effectively closed the doors and stopped being a little bit flamboyant with it. Anyone who didn’t have much data in the process, eg an FMCG client who collected data through different ways, eg promotion, data capture, stuff that isn’t traditional data capture through customer acquistion – they had to throw away a million data records in the UK. They couldn’t even go and ask they whether they could keep the record. Those guys are having to rethink and start again."
MediaCom has also had to adapt its data and tech strategies.
Rickard added: "Smart advertisers are starting to take their data and combine it with other data; they’re starting to find more useful patterns through machine learning with new audiences, understanding uncommon insight, which then gives you a new audience or new angle to create marketing and creative."
'We were surprised GDPR wouldn't lead to a one-stop shop for regulators'
Because GDPR is a regulation that can be interpreted differently by EU member states, transgressors could potentially be prosecuted by multiple authorities.
Howell said Google's GDPR fine in January was surprising because it showed "the one-stop shop principle" wasn't going to hold the way that businesses thought it would.
She explained: "It was hoped that GDPR and 'one-stop shop' would create a lead authority – the lead authority for us would be the UK."
Even though Ireland is where Google and other tech giants are registered as data processors in Europe, France was the regulator that took action in response to complaints from French parties.
"European regulators are under no obligation to communicate with you in English," Howell warned. "It also means you have to use local lawyers you might not have a relationship with."
Publishers becoming data-centric businesses
One of the unexpected benefits, according to Reeves, is that GDPR has created new opportunities around better understanding their readers and customers through data.
"It's made us recognise, by becoming data experts, there are some serious efficiencies that can bring extra business," he admitted. "It’s taught us we shouldn’t perhaps be chasing transient audience that are traffic and not audience; to understand how you can build a valuable and deep relationship with audience and also create environments where you don’t support advertising at all becase the value you give is mutually contracted terms of service that both parties have agreed to come to a place on."
The problem publishers have had in recent years is being limited in terms of the data they can collect outside of the walled gardens of Google and Facebook, while also struggling to understand the value of their own data.
"You have a situation where that premium advertising opportunity is being undermined by the ability to export that data and target that user in a less premium environment at lower costs," Reeves continued. "To a degree, publishers are in some way unable to assert themselves in that position. We’re always going to be the victim."
But now, Reeves explained: "GDPR has allowed us to say we know what we can do; what do you want to do on top of that, eg if you want to put in a behavioural cookie. That’s acceptable as long as it’s managed through a consent stream. Also publishers can apply premiums if cookies are going to lose audience."
What's next could be stricter
Instead of viewing GDPR as year-zero event in which the way brands and tech companies handle our data has changed forever, new regulations coming down the line show that it's more like an ever-shifting landscape.
In the US, where data protection laws are made at a state level, its biggest economy, California, is due to introduce the Consumer Privacy Act in January 2020. This will give Calfornians the right to know what personal data is being collected about them and what is being done with it.
Levenfeld said there could be similar laws soon enacted in Washington and Texas too. "We're seeing now meaningful discussions in Washinhton DC about a national privacy law that could be superseded by states' privacy law," he said. "I’m pleasantly surprised that companies that have invested time into trying to be GDPR compliant seem to be rewarded because, in part as new laws come out, there is much less work to do."
In Europe, data protection officers are expecting the ePrivacy directive to be enacted in the near future to complement GDPR. Whereas GDPR is designed to protect a person's data, ePrivacy will seek to protect someone's private life at every stage of every online interaction and include specific regulation around unsolicited marketing, cookies and confidentiality.
That said, Howell is not expecting the new regulation to be finalised and enacted until 2021.
"The problem with ePrivacy is it’s a directive, not a regulation," she explained. "The directive can be implemented however a member state sees fit and we may find 28 different ways of doing that. That makes doing business with Europe quite hard when you have those local nuances."
(This article first appeared on CampaignLive.co.uk)