Data privacy and legal compliance experts agree: GDPR is too big to ignore. As an ad/revenue operations (ops) professional, you should already know the E.U.’s General Data Protection Regulation (GDPR) comes into effect in May 2018. What’s actually new in this story? Valid point. Despite months—possibly years—of preparation, publishers still have questions about GDPR’s implications, some of them pretty basic: Will this apply to our business? What do we need to do to become compliant? What kind of enforcement is expected? Can we just cross our fingers and ignore it?
The answers to these questions lie in every digital publisher’s ecosystem. GDPR affects any entity worldwide that digitally targets or monitors people in the E.U. This means knowing what’s happening in your digital environment, from the vendors executing on your pages to the data tracking they perform. If knowing your digital partners doesn’t appeal as a basic business practice, then maybe the fines for violating GDPR will (maxing out at 20 million euro or 4% of the company’s global revenue, whichever is higher).
What Is Ops to Do?
Ops teams are at the front line of revenue for publishers, which gives them a unique perspective on data collection. But ops teams might not always know how to share that knowledge, or understand how it might be leveraged to benefit the overall business. Everyone touching user data should understand who in their company is responsible for developing GDPR strategy, and also know what GDPR violations can occur via digital properties.
To get a sense of where the industry stands on GDPR preparedness, AdMonsters spoke to experts—including public policy consultant Nick Stringer, who led a recent AdMonsters webinar on navigating the regulatory changes—and surveyed publishers on what they are doing to get ready. Unsurprisingly, the publisher responses were not uniform. But there are some interesting learnings.
Questions Everyone Wants Answered
Does GDPR apply to people in E.U. countries, or simply people who are E.U. citizens?
GDPR supports the data privacy rights of any E.U.-based individual accessing the internet or apps while physically within the geographic boundary of E.U. countries. It doesn’t matter whether they’re E.U. citizens or not, and it does not affect E.U. citizens when they’re physically outside the E.U.’s geographic borders.
Our audience is mostly in the U.S. Do we need to comply with GDPR?
If your audience is not in the E.U. at all, and you don’t target or otherwise collect data on people in the E.U., you don’t have to worry. But having a mostly U.S. audience doesn’t mean you can sit idle. If, in the future, you want to do any business in the E.U., you need to comply. Regardless, it’s a good idea to use GDPR preparation as an excuse to document your digital ecosystem and see where data leakage occurs.
Does GDPR replace the existing E.U. cookie law?
Compared to the older E.U. data regulations, what is different?
The main goal is to provide consumers with greater control over their data. There are six main changes that strengthen individual rights and also put more obligations on industry:
- All personal identifiers that can directly or indirectly identify a user (geolocation data, device IDs, IP addresses and cookie IDs) are now considered private information.
- Personal data can’t be shared without the user’s explicit, unambiguous consent. There are some exemptions, which we’ll explain in a bit.
- Without user consent, predictive analysis of personal data is limited.
- Extraterritorial nature means companies anywhere in the world could be fined for violating the regulation.
- Data processors and data owners alike are liable (i.e., publishers and vendor partners are equally liable).
- Data owners must report any breaches to authorities within 72 hours.
If I need the user’s consent to handle their personal data, how do I get it?
GDPR mentions “consent” and “explicit consent,” and it’s unclear how the two will differ in practice. The GDPR states that “consent” must be freely given, be specific (to each data processing activity), be unambiguous, and involve a user’s affirmative action. In other words, you need consumers to opt in to process their data—silence, a failure to opt out, and pre-ticked consent boxes won’t cut it. And the user must be told at the point of consent that they have the right to withdraw consent at any time. “Explicit consent” is required to process sensitive personal data (e.g. political affiliations, biometric data, etc.), and the data-collecting entity needs to provide a clear and specific statement regarding its data collection processes. Furthermore, newly released guidance from the Article 29 Working Party tells us to consider “tracking walls” (as used with behavioral targeting) prohibited without user consent.
Can I just stop collecting data on IPs in the E.U.?
That’s a blunt response to a complicated issue. Under GDPR, the way you use the data can become problematic. For example, IP data might only become “personal” when combined with other data. Look at how and why you collect and/or process IP data, then decide whether you should stop or continue that practice.
Are there any exceptions that can allow us to keep monetizing our E.U. audience through advertising?
You will need consent to do this.
How will GDPR be enforced?
Each E.U. member state has a Data Protection Authority, where users can file their complaints on their home turf, and presumably without a language barrier. What is uncertain is how digital companies will be monitored. Looking for a precedent, we can consider how, in enforcing the older E.U. cookie law, U.K. and French regulators conducted cookie sweeps and produced reports on their findings. More importantly, taking stock of the current stepped-up enforcement environment paints a grim picture for the digital industry.
A GDPR Status Update for Publishers
All of this uncertainty has resulted in publishers taking different GDPR compliance approaches, some more cautious than others. Earlier this year, AdMonsters spoke with one publisher with an international audience who cited new hires and a legal/educational push on their U.K. teams to prepare, while others report doing nothing in particular just yet.
AdMonsters conducted two surveys about GDPR prep during the fall of 2017. Combined, respondents included publishers, agencies/brands, and tech vendors, mostly based in the U.S., but with showings from around the English-speaking world. Asked whether their business had a GDPR compliance effort, 60% said they did, 17% said they didn’t—and 23% said they weren’t sure.
AdMonsters has written about ops teams’ responsibility to forge communication channels with executive management and regularly provide insights into the handling of data. A slight majority (54%) of ops teams confirmed their involvement in their business’ GDPR efforts, while 29% weren’t sure. However, only 50% claimed regular communication with executive management, and 21% said they had none.
In fact, entire publisher business models are at risk should users choose to withhold the very data that drives ad prices (and inventory availability). On the flip side, a dearth of data could make existing inventory more valuable, but only for those publishers that have the data. Could GDPR provide the leverage publishers need to balance the advertiser-publisher relationship? Indeed, he who has the gold makes the rules.
Moving Down the GDPR To-Do List
As May 2018 approaches—and as any clarifications about GDPR enforcement emerge—publishers need to firm up their strategies. It’s too risky to assume your E.U. audience is too small to count, or hope enforcement will be impossible. Here’s a checklist of GDPR-related tasks you can complete to demonstrate attempts at compliance.
- Identify your company’s data protection officer (DPO), or at least a GDPR point person (or persons) to oversee compliance efforts and stay abreast of developments. If you’re not sure whether you need a DPO, a report from an E.U. working party, revised in April 2017, provides clarity: Public authorities and “large-scale” processors of personal data must designate a DPO. What constitutes a “public authority” will likely be determined on a nation-by-nation basis. “Large-scale,” while ambiguous in GDPR language, will likely include insurance companies, public transportation systems, banks, and telecoms.
- Connect with all of your tech vendors and partners and communicate your data policy, i.e., expectations for data handling, allowed or not. Review current data sharing arrangements and revise contracts with partners in light of GDPR.
- Strip any personal data (as defined by GDPR) before you process it or share it with other entities.
- Create an unambiguous privacy notice the user may opt into. Look to GDPR Articles 7 and 9 for guidance on where to post consent notices.
- Determine how you will inform, collect and manage user consent.
- Document all steps taken to manage the collection, use, storage and sharing of data.
- Regularly audit the digital environment for compliance and report to the DPO.
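As an added illustration of the consent and data-stripping items on this checklist (example code written for this page, not code from the article or from AdMonsters), the sketch below gates the identifiers the article lists as personal data (IP, cookie ID, device ID, geolocation) behind a consent record that must be affirmative, purpose-specific, not pre-ticked and not withdrawn; the `Consent` fields and the audit-log shape are assumptions about how a consent tool might store them.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Identifiers the article lists as personal data under GDPR.
PERSONAL_FIELDS = {"ip", "cookie_id", "device_id", "geolocation"}

@dataclass
class Consent:
    """Consent record as a hypothetical consent tool might store it."""
    purposes: Dict[str, bool]        # purpose -> did the user opt in?
    affirmative_action: bool         # user actively ticked the box
    preticked: bool                  # box was ticked by default
    withdrawn_at: Optional[datetime] = None

def consent_is_valid(consent: Optional[Consent], purpose: str) -> bool:
    """Consent must be freely given, specific to the purpose, unambiguous
    and affirmative; pre-ticked boxes or silence do not count, and a
    withdrawal ends it."""
    if consent is None or consent.withdrawn_at is not None:
        return False
    if consent.preticked or not consent.affirmative_action:
        return False
    return consent.purposes.get(purpose, False)

def prepare_for_partner(event: Dict[str, Any], consent: Optional[Consent],
                        purpose: str, audit: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Return a copy of `event` that may be shared with a vendor for `purpose`.
    Without valid consent every personal identifier is removed, and the
    removal is appended to `audit` so the compliance steps are documented."""
    shared = dict(event)
    if consent_is_valid(consent, purpose):
        return shared
    stripped = sorted(PERSONAL_FIELDS & set(shared))
    for name in stripped:
        del shared[name]
    audit.append({"event_id": event.get("event_id"), "purpose": purpose,
                  "stripped": stripped,
                  "at": datetime.now(timezone.utc).isoformat()})
    return shared

if __name__ == "__main__":
    # Constructed sample ad-request event, not real traffic.
    event = {"event_id": "ev-1", "page": "/news", "ip": "203.0.113.7",
             "cookie_id": "c-abc", "device_id": "d-xyz",
             "geolocation": "52.52,13.40"}
    audit: List[Dict[str, Any]] = []
    preticked = Consent({"ad_targeting": True}, affirmative_action=False, preticked=True)
    print(prepare_for_partner(event, preticked, "ad_targeting", audit))
    print(audit)
```

With the pre-ticked record the event leaves with only `event_id` and `page`, and the audit entry records which identifiers were dropped and why.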
Hopefully, some or all of the uncertainty about GDPR’s quickly-approaching reality will be cleared up in coming months. One thing regulators have made clear: Uncertainty isn’t a free pass to do nothing about GDPR.