Surviving the GDPR/CCPA Squeeze: Sourcepoint’s Ben Barokas on CMPs and Regulatory Compliance

Such is the publisher’s lot—as soon as you start feeling confident you’ve covered your bases on GDPR, you’re trying to prepare for whatever the California Consumer Privacy Act (CCPA) will look like (it’s still being revised). But are your bases really covered on GDPR—considering that the European Data Protection Authorities (DPAs) are starting to dole out fines, like this €50 million shiner to Google?

Obviously, we’ll discuss this question in depth at next week’s Publisher Forum in Miami—which includes a session focused on consent management platforms (CMPs) and compliance—but we hit up Ben Barokas, veteran AdMonster as well as Founder and CEO of Sourcepoint, about recent GDPR developments, the looming CCPA, and the value of third-party CMPs versus homegrown efforts.

GAVIN DUNAWAY: While a €50 million fine is pretty big, it still seems a pittance for Google, which brings in tens of billions in revenue every quarter. Do you think the size of the fine was tied to the “seriousness” of the offense?

BEN BAROKAS: It’s certainly in the regulators’ interests to make businesses understand the importance of complying with the GDPR – and these huge fines are an effective way of sending a warning message to businesses across the board. The Commission Nationale de l’Informatique et des Libertés (CNIL) received a complaint, evaluated it on the merits of the claim, its severity, and made a ruling based on the full picture. The CNIL could have set a lower fine, but stated that the fine of €50 million reflects the seriousness of Google’s failing, given its dominance in the market.

GD: The main charge against Google is that “user consent is not sufficiently informed”—is there anything other companies can take away from what’s laid out against Google?

BB: The purpose of data protection regulation is to give the consumer greater information and choice about how their data is used. It’s not just a tick-box exercise.

Businesses need to put themselves in the shoes of the consumer and carefully consider whether they are providing enough of the right information to allow the consumer to make an informed choice, and then enable them to make that choice—easily, and without negatively impacting the user experience. Consent processes should be carefully planned and reviewed, with the appropriate guidance, and should form part of the user experience as a whole, giving the consumer full control.

GD: It seems like a lot of GDPR complaints are being filed these days—are there any trends among these that should make advertisers, publishers, and intermediaries nervous?

BB: GDPR is a complicated piece of legislation, with many nuances that need to be understood and incorporated into consent strategies if publishers are to be compliant. But businesses change over time, along with consumer needs, so to stay ahead of the game, they need to ensure they review and update their consent procedures on a regular basis. Any new ruling can result in a new interpretation of the numerous GDPR points, so businesses must have flexibility built in to keep their processes compliant.

GD: So only the French DPA seems to be tossing out fines. Is that a sign that the French DPA is especially rigid, or do you think other DPAs are just warming up their engines?

BB: CNIL has been the most active in issuing fines to date, but we anticipate other regulators will begin to pick up the pace. The UK’s Information Commissioner’s Office (ICO) has been active behind the scenes to ensure businesses have a solid understanding of best practices.

So far, its reprimands have come in the form of warnings in press statements – for example the warning issued to the Washington Post that its subscription options were deemed non-compliant with the GDPR. But we expect that over time the ICO and other regulators will take a firmer hand, with more regulatory investigations to come.

GD: What about the California Consumer Data Privacy Act—is there anything in it harsher than GDPR? 

BB: While the California Consumer Privacy Act (CCPA) is not harsher per se, there are a number of similarities between the CCPA and the GDPR – such as the definition of data controllers and data processors. Companies must ensure they have clear documentation in place to define and formalize these relationships.

Publishers that have prepared well for GDPR will be in a stronger position when the CCPA comes into force and will have a head start in prioritizing consumer choice. As the regulatory landscape continues to evolve, businesses need to understand that consent lies at the heart of data protection, so building trust with consumers must be at the top of the agenda.

GD: What factors make a third-party CMP really necessary versus a homegrown effort?

BB: Consent is a complex space to operate in—and that’s becoming more evident over time. For some publishers, a homegrown consent management solution may work well, but it will need a significant level of upkeep. What might have seemed like the best solution on day one of compliance can quickly become outdated if it can’t adapt with business needs and an alternative solution is then required.

We’ve seen many changes in the consent landscape and interpretation of regulation—and we can expect to see more in the future, as the macro-climate continues to be in flux. Utilizing third-party CMPs, with the technology to support the consent process and the flexibility to scale in line with business growth, allows companies to focus on core strategies, with the reassurance that consent signals are being captured in a compliant way.

GD: In a recent playbook, AdMonsters suggested that companies use GDPR compliance as a blueprint and fully embrace opt-in consent. Do you agree?

BB: We believe there should be a transparent value exchange between publishers and consumers and have been advocates of consumer choice since 2015. The GDPR is helping to bring companies in line with this, encouraging businesses to hand control to consumers over how their data is collected and processed.

However, outside the regulatory sphere, publishers should look to engage with their audience about compensation consent, because it makes business sense. Ensuring users are aware of how they are paying for content—whether it’s via advertising and personal data, or otherwise—builds trust, leads to long-term relationships and increased insight, ultimately increasing monetization.