Can programmatic advertising be legal in a post-GDPR world? Will a complaint that has been lodged mark the end of programmatic advertising as we know it?
Earlier this month, web browser start-up Brave, lodged complaints that Google and other behavioural advertising companies are in violation on the newly enforced General Data Privacy Regulation (GDPR),
According to reports, Brave – along with Jim Killock of the Open Rights Group and Michael Veale, a data protection and policy researcher at University College London – is demanding that authorities investigate Google and the wider targeted advertising sector for breach of the new data regulation.
The complaint alleges that there is "a massive and ongoing data breach that affects virtually every user on the web”, whereby online advertising systems are funneling behavioural and technical data to ad buyers with no safeguards to ensure the data is not misused or lost – putting them in violation of Article 5 of the GDPR.
The complaint specifically targets “programmatic advertising”, a model that sees websites sign up with ad exchanges and brokers such as Google to fill their spare ad inventory through auction systems commonly referred to as real-time bidding.
As part of the auction, user data (including browsing history and location) is transmitted to potentially hundreds of companies to establish who wants to bid on the ad space.
Whether this data is sufficiently anonymised, as the advertising contends, or goes "well beyond the purposes which a data subject can understand, or consent or object to" as Brave suggests, is where the argument lies.
The case could potentially run and run given its implications for the online advertising industry. So MyCustomer asked a panel of experts for their thoughts on how things could unfold.
Nigel Jones, is the former head of legal for Google and founder of The Privacy Compliance Hub.
In programmatic advertising there are a number of parties involved and it is important to know who is doing what. There is the individual browsing the web whose personal data the GDPR aims to protect. That individual uses a browser to display a web page that he or she is interested in. The publisher of the web page wants to make money out of the content it displays on the page, so it seeks to place advertising around the content. It may sell that advertising itself, but even if it does, it will have spare inventory which it engages a third party to sell. That third party could be an ad exchange. The ad exchange then asks advertisers and media buying companies whether they want to place adverts on the website either on their own behalf or on behalf of their clients.
In theory, this is all outside of the scope of the GDPR as long as no personal data is being processed. In reality, personal data is being processed. The online publishing and advertising industries need advertising to be targeted and relevant for it to be valuable. Such relevance and targeting can only be achieved if the publisher and those in the advertising processing chain know something about each user. This knowledge includes personal data, but the extent of such personal data can vary and is often argued about. There is much confusion as to when 'personal data' is anonymised and, therefore, outside the scope of the GDPR.
In a post-GDPR world, each company processing personal data must have a legal basis for processing it. They must be transparent with individuals as to what they do with personal data. They must tell individuals who they share their personal data with. They must have legal agreements in place with every company they share personal data with and make sure that those companies do not share it with any other company without such a legal agreement. They must ensure that the personal data is kept safe throughout the processing chain. And they must take special precautions if the personal data is leaving the EU (for example to a processor in the US). That is a lot for players in the programmatic advertising industry to comply with. Arguably, they are not doing it yet, although they are trying.
In theory, this is all outside of the scope of the GDPR as long as no personal data is being processed. In reality, personal data is being processed.
GDPR won't mark the end of programmatic, but it needs to change. We must not forget what the GDPR is there for - it is to protect individuals and their personal data, not to protect the value of the publishing and advertising industries. One of the basic principles of the GDPR is transparency. Unless an individual knows that when he or she visits a website certain pieces of personal data are shared with the website publisher, analytics companies, ad exchanges, media buyers and advertisers, then the GDPR will have been breached.
That said, the complaint filed by Brave, arguably misses the other side of the equation - not all current advertising is bad. First, programmatic advertising produces relevant ads. Relevant ads are much better for the individual than random ads that the individual has no interest in. I am interested in bikes. I have no interest in cars. I'm happy to see adverts for bikes. Second, I do not like paying for things. If targeted advertising is the price of losing a little privacy, it’s a price I'm willing to pay, as long as I understand exactly how much privacy I am losing, to who, what I can do to stop it and how I put a stop to it if I become uncomfortable.
It is the transparency that needs to be fixed. A solution will be found because the publishing and advertising world need it and individuals want it (even though perhaps they don't realise it yet). I'm sure that Brave is hoping that the solution is the browser it has come up with.
Robin Davies, managing director of operations, EMEA, at Conversant.
There is no doubt that programmatic is still legal in this post-GDPR world. This new data protection regulation introduces new requirements, but these are not incompatible with programmatic advertising.
Firstly, the ePrivacy Directive points to the GDPR for a definition of consent for accessing a user’s device. Accordingly, unambiguous consent is required. Secondly, online identifiers are now undoubtedly considered personal data, specifically pseudonymous personal data - and they can’t be processed without a legal basis. There are a number of legal bases, but most programmatic advertisers rely on either unambiguous consent or legitimate interest. Notice and choice are afforded to the end user via consent modals. The industry solution for managing notice and choice is the IAB Europe Transparency and Consent Framework, which allows a standardised format of communicating consent to members of the online advertising ecosystem that are involved in executing programmatic advertising.
I expect that programmatic advertising, now afforded greater transparency and legitimacy by GDPR, will actually continue in much the same way.
I think that many consumers don’t yet understand the new control the regulation gives them, but the mechanism is designed and broadly adopted by the industry. This is a good thing for the industry and a great thing for consumers who are just beginning to participate in the data economy.
I expect that programmatic advertising, now afforded greater transparency and legitimacy by GDPR, will actually continue in much the same way. If consumers were to stop consenting or start objecting to legitimate interests, then this would impact the scale of programmatic advertising, but we’re seeing consent rates of 90%+. Tackling new forms of fraud are a more likely threat than that posed by giving consumers choice. I believe that consumers will continue to choose a free internet supported by data-driven advertising, controlled by what are very solid principles of data protection.
Julian Ranger, founder of digi.me.
GDPR will end programmatic advertising as we know it, but no it is not the end of programmatic advertising.
The big issue with programmatic advertising is not that identified by Brave, but that the profiles used and distributed are largely based on personal data which has not been explicitly consented by the individual in question to be used by any advertiser. So whether the downstream use of this personal profile data is handled correctly is an issue, but the bigger issue is should it be used at all, to which the answer is no it shouldn’t, as the user has not given informed consent.
Of course the advertising industry could move to getting informed consent for profiles used for programmatic advertising – they are resisting this because the number that will give informed consent will be far less than the profiles they have today, but conversely those consented profiles should be richer and more accurate and hence more valuable.
The advertising industry is trying to avoid the issue in all manner of ways. This won’t last and Brave’s case is just one of many that will arise. Change is coming and the advertising world will adapt, but there is going to pain en route and some big losers, but big wins for those that adapt the fastest.
Mark Roy, founder and chairman of REaD Group.
“A firm favourite of tech giants such as Google and Facebook, programmatic has been an incredibly lucrative industry, transforming the face of digital advertising. Unfortunately for Mr Zuckerberg, one thing standing between him and the future of his programmatic revenue stream is GDPR. With the free flow and use of data that underpins programmatic threatened by the new regulation, times are certainly changing.
“While it would be wrong to suggest that GDPR will completely end programmatic, the wanton use of European citizen data and an inability to comply with erasure rules means its usage is likely to become restricted to CRM and loyalty programmes. Add to that the ICO’s recent claim that using search history actually amounts to personal data. This means that it requires the same level of processing rights as any other personal data, pretty much impossible to achieve in a programmatic environment.
“Transparency is a key principle of GDPR and with this comes a shift away from algorithms back to a more human-focused, honest approach to marketing.”
About Neil Davey
Neil Davey is the managing editor of MyCustomer. An experienced business journalist and editor, Neil has worked on a variety of newspapers, magazines and websites over the past 15 years, including Internet Works, CXO magazine and Business Management. He joined Sift Media in 2007.