This is a series of three blog posts. In each blog post, I will explain one of three important details (and their implications) media owners must understand to fully exploit the opportunity that GDPR has gifted them.
In the GDPR text, Article 29 Working Party guidance and the recent ePrivacy Regulation proposal, marketing and direct marketing are mentioned numerous times. One can read these documents and be convinced that the desire of European legislators is for programmatic advertising to be considered a form of direct marketing and hence be regulated in the same way, i.e. informed opt-in, very restricted data sharing, right to object/complain, not to mention stiff fines! This is true, but it is also a one-dimensional analysis.
In traditional direct marketing, there are only two principals: the brand and the customer. Hence there is a single category of relationship that is regulated under GDPR, i.e. the brand/customer relationship. In programmatic advertising, there are three principals (under GDPR): the brand, the publisher and the end user. Hence there are three relationships that are regulated under GDPR. So far there has been a lot of discourse about the relationships brands may have with their customers and the relationships brands may have with publishers. These relationships fit neatly under the direct marketing umbrella, where “consent” is the only practical legal basis for the large majority of cases. The legislation and guidance have focused less explicitly on the relationship between the end user and publisher. It is this relationship that is the subject of this blog post series.
Detail 1: Media owners ARE service providers, even if advertising is bundled with the service.
The key point to understand is that publishers provide a consumer or commercial service to end users. By definition, such services are knowingly and willingly consumed by end users. In addition, the service is delivered in accordance with a contract. Hence, if the media owner is a data controller, then the legal basis for processing personal information must be “performance of contract”. Why the confusion and concern with this?
Part of the confusion and worry is that publishers have allowed third parties to engage in industrial-scale harvesting of personal data from their sites. They have done this in order to sell advertising. These third parties DO NOT provide a service to end users (actually they represent a cost) and under GDPR they no longer have a role in the value chain. The current way digital media is bought ultimately relies on buy-side cookie matching. This is practically unworkable under GDPR for various reasons, not least because data sharing (i.e. cookie matching) without a consistent legal basis and purpose is illegal. This begs the question: if publishers are not permitted to work with third parties that harvest, share and process the data of their audience, how will their ad inventory be sold?
The simple answer is that publishers, as data controllers, are now responsible for selling their own media. Media owners are no longer obliged to work with ad tech or agencies that arbitrage their media. Finally, media owners hold the aces. It is time for publishers to step up the game. This is the challenge and opportunity of GDPR for publishers.
In fact, media owners that rely on advertising have no choice other than to adopt this approach. The Article 29 Working Party guidance on profiling spelt this out by unambiguously saying that “consent” is NOT an appropriate legal basis for profiling if access to the service is dependent on profiling. This means if media owners want to restrict access to those users that agree to profiling then “contract performance” is the only viable legal basis, and what is more… the use of third parties to do this is illegal! It could not be clearer.
There are four additional points to clarify here before I get inundated with comments complaining about this conclusion being incomplete. Firstly, third parties are different to data processors. There is nothing stopping a media owner data controller working with an ad tech data processor… in fact, this is expected. The difference with the current situation is that the ad tech company can no longer arbitrage as they must truly be working for the publisher.
Secondly, “consent” may still be required to drop a cookie, as per the current proposal for the new ePrivacy Regulation (and existing directive). This being the case, a cookie consent, similar to the existing one, will be required. Nothing much changes from a media owner's perspective. However, the situation is transformed for marketers looking to buy media, as they have the huge complication of legal basis and purpose alignment to get access to the cookie dropped by the publisher.
Thirdly, profiling is now defined so broadly that any delivery of display advertising will be considered as profiling. Essentially, if you target on any basis it will be considered profiling. However, there is no reason to be concerned about this if your legal basis is “performance of contract”.
Fourthly, publishers are at liberty to use “consent” as a legal basis if they give free access to their site even if “consent” is not granted to them by the data subject, i.e. giving costless access to an ad-free version of the site. I expect some media owners will do this, but I sincerely doubt this will be the norm. After all, advertising is more often seen as a cost to end users, not a benefit. I fully expect most publishers that sell ad inventory to make access conditional upon the agreement of a contract and a “consent” to drop a cookie.
See the next blog post for more…
ADUNITY is an ethical ad technology company based in the UK with offices in both London and Bucharest. We deliver trust, transparency and advanced technology in the programmatic ecosystem. AdUnity provides GDPR ready Consent Based Advertising solutions and transparent trading platforms for publishers (no black boxes) and does not operate an arbitrage model; just a flat revenue share. We comply with the latest programmatic standards (OpenRTB 2.4) and format standards (HTML5, VAST 2.0, VPAID 2.0, MRAID 1.0, Native Ads API 1.1).