What You Need to Start Doing Now to Be Ready for GDPR

Looming EU regulation may kill the digital marketing star

Upgrade your sales funnel with expert insight at Commerceweek, Feb. 28-29. Broaden your audience with improved data technology and a seamless purchase experience. Register now at 50% off.

eMarketer projects that U.S. programmatic ad spending will reach $32.56 billion by the end of 2017. By 2019, more than four in five U.S. digital display ad dollars, or $45.72 billion, will flow via automated means—accounting for 83.6 percent of U.S. digital display ad dollars. 

Despite those numbers, programmatic advertising has been under attack for the past couple of years: invalid traffic/bot fraud, ad-blockers and viewability issues are just some of the things we’ve faced, and I would say, somewhat conquered. We’ve built the right tech to measure and optimize away from these threats, while continuing to refine our targeting chops.

Raphael Rivilla

Very recently, we talked to a company that analyzes and can target up to 500 million social posts a day. Yes, they are privacy compliant, and as a marketer, we make sure all our tactics are. However, do consumers care that they are privacy compliant from a marketing sense? Or is the creepy factor finally too much? Enter GDPR.

Next May, GDPR, or the EU General Data Protection Regulation will be in effect, and as a programmatic marketer and someone who embraces the data-driven side of media targeting, it scares me.

The GDPR was created to address consumers’ concerns about their data and how it’s leveraged, including strict new rules around individual data, including customer consent and their right to erasure in the version of the GDPR adopted by the European Parliament. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds.

Next May, GDPR, or the EU General Data Protection Regulation will be in effect, and as a programmatic marketer and someone who embraces the data-driven side of media targeting, it scares me.

By next May, everyone with customer data will need to be compliant, not just marketers in the EU, but to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations. GDPR will be unforgiving to those who fail to comply; organizations will face fines of 20 million euros ($24 million) or 4 percent of annual global turnover, whichever is greater.

You can see the risk GDPR poses to programmatic advertising, as it’s successful and highly reliant in large part due to its ability to target the right consumers at the right time and place. Whether it is declared data, such as data in Facebook, or probabilistic and modelled data such as data collected by third party, or location-based data, we’re targeting our ads very precisely to a set of consumers. The problem lies in that the majority of consumers don’t know if we are practicing above board privacy compliance or not. They just know that they are suddenly seeing very relevant ads.

Will GDRP cause consumers to opt-out of being targeted? Will it be a bigger risk than the 30 percent continued year-over-year growth of ad-blocker adoption? While we wait for May, there are steps that brands and agencies can take now, to ensure they’re compliant.

Where to start?

Under GDPR, ad targeting needs to be done with unambiguous consent from the consumer. It then becomes our challenge to address how we drive consumer consent and where this can occur, typically where the impression originates from and where it lands; namely, the publisher site and finally the brand site. We also need to have the systems in place to erase a consumer from our audience targeting, if and when they choose to tell us they want to be erased.

What’s needed to do this

To start, agencies and brands must have their own DMP, not just an ad-server. Having a DMP allows you to create and refresh audiences that you use in digital marketing. It’s also a good idea to include new language in your master service agreements with your DSP and data partners, and to ask about what processes they have in place to ensure GDPR compliance with the publishers and data sources they work with.

What can you do to drive consumer consent and erasure from targeting?

To start, create opportunities for opting-out and opting-in within both your digital creative and landing pages. Also, create audiences from this that you can use for Boolean-audience creation rules: + for opt-in and—for opt-out. Then, use the opt-out audience list alongside all second and third party databases used for audience targeting. Keeping the opt-out list up to date is key so also make sure to do regular CRM pushes to refresh the list.

In addition, I suggest continuing to build your opt-in consent list through paid media by driving audiences to landing pages that have consent devices/legal language/opt-out capabilities.

Finally, ask your DMP if they have the ability to attach one ID to one user across all devices, and if this one ID can be synced with second and third party databases. Also, aspire to connect your DMP data to your CRM and marketing automation platforms—this will give you one universal record for controlling audience targeting and suppression.

As May approaches, GDPR-talk will increase and as digital marketers, we may be facing the biggest threat we have yet. It’s important that everyone begins to prepare now to ensure compliancy.