A recent lawsuit filed in Germany by the Irish Council for Civil Liberties (ICCL) has ensnared the IAB, the New York-based standards body for the digital advertising industry.
The suit contends that real-time bidding (RTB) represents a major “data breach” under GDPR regulations because sensitive personal information is shared and traded openly as part of online ad auctions without proper security controls (or consumer knowledge). The suit should represent a major red flag to U.S. marketers, and a warning of things to come here in the States.
This is just the latest sign that GDPR has spurred robust enforcement actions. Large U.S.-based industry players such as Oracle and Google have taken GDPR hits and now, even governing bodies like the IAB are in the crosshairs.
The stakes are enormous. RTB is used by most major brands, agencies and virtually all major advertising networks and vendors, and the programmatic auction function is a major cornerstone of the digital advertising ecosystem. Put simply, RTB is some of the most core plumbing that drives the commercial internet.
What happens in the EU doesn’t stay in the EU
U.S. brands and marketing industry players should take notice on two legal fronts. While the GDPR is an EU-specific regulatory framework, its effects are now being felt well beyond its borders. And as enforcement continues to expand, it is reasonable to expect that more U.S. entities will be impacted. But brands shouldn’t look at this only within a GDPR vacuum.
Major U.S. state-by-state consumer privacy regulations—most of which are modeled after the EU legislation—are popping up like spring dandelions. Colorado (SB 190) now has its consumer privacy act, following similar laws in California (CCPA, CPRA) and Virginia (CDPA). Next up is New York, with a bill working through the legislative process that enables broader class action suits.
No fewer than a dozen additional states are already crafting their own slightly different versions of consumer privacy regulations. Similar enforcement actions will likely be hitting the U.S. market.
The united states of privacy
The momentum driving the U.S. consumer privacy movement is only ramping up. Consider the fact that normally divided statehouses are finding political alignment on privacy regulation as both parties wake up to broad consumer support.
Beyond the regulatory side, Apple is singlehandedly making consumer privacy its most important competitive differentiator, and in the process, is causing major parts of the consumer tracking and measurement picture to go dark overnight. Google is up next as it discontinues cookie-based ad targeting and tracking in Chrome next year.
With an expanding regulatory environment of major new enforcement appetites and large tech industry players shutting down consumer tracking and targeting, brands need to wake up now and think about their marketing futures. Marketing teams that currently rely on incredibly rich consumer targeting data, consumer and cross-device identity matching, and advertising measurement schemes that depend on tracking consumers across ads and devices face an uncertain future.
Doubling down on these practices now represents major new legal, financial and reputation-related risks. Moreover, marketers need to reflect on the fact that their insatiable demand for more personally identifiable information, cross-device identity data and consumer tracking has created this karmic loop of consumer backlash and industry regulation.
Where does the industry go from here? The answer starts with acknowledging the problem and taking concrete steps now to future-proof major elements of the marketing ecosystem by adopting comprehensive privacy reforms, reducing reliance on consumer tracking, and truly respecting consumers’ desire for privacy.
