B2B publishers do not tend to use any monetisation ad technology because they sell all their ad inventory on a tenancy basis. Successful B2B publishers often make good revenues from audience sizes that would be too small for consumer-focused publishers that sell on an impression basis. For most B2B publishers monetisation ad technology like AdX and AdSense does not deliver meaningful revenues and cheapens the look of their site/s. However, many B2B publishers in Europe now find themselves in a surreal situation where they are obliged to obtain consent for their ad server company. This adds unnecessary costs, legal risks and operational complexity. This article explains why this happening and what B2B publishers can do about it.
GDPR forces businesses using personal data to take the position of either a data controller or a data processor depending on why and how they process that data. The key issue is that data controllers decide the purpose for the processing of the personal data, in order to exploit the commercial value of the data. The biggest ad server business in Europe, Google, has chosen to take this position for DFP (and AdSense, DoubleClick Ad Exchange, etc see here )
Only Google knows the real purpose to which they are putting this personal data, because they have not told anyone, but one can only assume they are using this data in order to target people with advertising. From May 2018 DFP’s data harvesting business model has been under regulatory pressure since Google not only needs to position itself as a data controller but also gain consent from all their publisher client’s end-users. These changes are not trivial and puts pressure on the DFP data harvesting business model. In the long-run, it is probably unsustainable.
GDPR undermines the data harvesting business model
GDPR has forced all data harvesting companies (Google included) to formally adopt a data controller position with all the obligations that come with it. It removes any ambiguity about the data processing they are doing and provides a relatively straightforward way to prosecute for breaches of the law. As a result of this using DFP comes with a big headache for B2B publishers. Firstly, it means publishers need to obtain a consent to use DFP (even if they don’t use AdX or AdSense or any other monetisation tech). Secondly, if people do not consent then use of the ad server is illegal. Thirdly, it explicitly puts publishers in a joint enterprise with Google, so if Google gets hauled before the European Commission (as it very often does) in relation to a breach of GDPR, the publisher may also be in the firing (fining) line, and fourthly, they have new compliance obligations to Google (for using DFP).
B2B publishers “consent migraine”
Asking for consent on behalf of third-parties is tough, but the problems are magnified for B2B audiences. Consider for one moment whether it is appropriate (or legal) that professionals browsing a B2B site as part of their work are having their personal data harvested by Google (or other data harvesting company). Surely their employer would have cause to complain and demand an immediate stop. Consider also, if consent is refused and the use of the ad server is illegal. Do B2B publishers really want to put themselves at such risk?
Gaining a consent for someone else’s business model
In any case, it seems grossly unfair to B2B publishers that they are being asked to obtain consent to use DFP (with all the cost and risk that comes with it) to enable Google’s data business model. Post-GDPR publishers have the burden of asking their loyal audiences to give consent for Google to:
- Drop cookies on their devices
- Track their devices around the Internet
- Allow their data to be used in behavioural profiling
- Allowing their data to be shared with third-parties
- Agree to be targeted with advertising (on other sites)
In addition, Google is asking B2B publishers that they must:
- Provide the technology to obtain and manage consents for the ad server company
- Keep a full and verifiable audit trail of those consents for the ad server company
- Provide the technology for people to withdraw their consent to the ad server company
If the publisher does not do all of these things and continue to use DFP the publisher may be subject to complaints from their audience, sanctions from the ICO, be immediately denied access to their ad server, and be sued by Google for breach of contract.
Joint enterprise with ad tech
If a B2B publisher allows any third-party ad technology vendor on its site in order to sell advertising then it is in joint profit-making enterprise with that ad-tech vendor. If this ad-tech vendor breaches GDPR (or any other relevant data or consumer protection law) then both the publisher and ad tech vendor may be equally liable. For the avoidance of doubt, the publisher is in a joint enterprise with the ad-tech vendor, regardless of whether the publisher is an independent data controller or co-controller. This may come as news to many B2B publishers.
Publishers are data controllers
If B2B publishers use any kind of personal data, including via their ad server, they cannot help but be data controllers. Any confusion or doubt about whether a publisher using DFP is a data controller or not has been put to bed in the recent European Court of Justice ruling about the legal status of anyone acting as administrator of a Facebook fan page ( see here ). If a publisher is a data controller, it really needs to minimise risk. The best way to do this is to reduce what personal data is used to the barest minimum. The obligations of a data controller are nicely summed up in GDPR Recital 78 below:
In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.
Unfortunately, most ad server companies prioritise their data profiling business models ahead of providing an ad serving to B2B publishers. Instead of minimising the use of data to reduce risk, all that has happened is that they have pushed risk and liability to publishers.
What does this all mean and what can be done about it?
As data controllers B2B publishers need to make sure data processing is “relevant and limited to what is necessary in relation to the purposes for which they are processed” (GDPR Article 5). This essentially means that if B2B publishers do not need to process personal data it is illegal for them (or their ad server) to do so. Any unnecessary processing of personal data increases the B2B publishers legal risk, compliance costs and operational complexity with no commensurate gain in revenue. If a B2B publisher sells ad media on a tenancy basis, it is very unlikely they need to process personal data to do this, hence they can put themselves outside the scope of GDPR and do not have to obtain consent – at least as far as advertising is concerned.
To minimise risk and maxmise operational flexibility any B2B publisher currently using DFP should be looking to switch to an ad server that is not harvesting their audiences data. European publishers probably have a six-month window to make alternative arrangements before enforcement actions create a very hostile environment for such unnecessary data processing. Data minimised ad serving solutions are available, including from AdUnity.