"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Andrew Gu, vice president of product at Thunder.
There’s six months left before GDPR kicks in, and judging by the number of articles popping up about GDPR compliance, everyone seems anxious. It’s well deserved, too. GDPR adds expansive new requirements that will make targeting users much harder, and the penalties for noncompliance are severe.
One of the biggest mistakes that ad tech companies are making is approaching GDPR as a law about collecting personally identifiable information. That’s an understandable assumption, because that’s where the line is usually drawn.
However, GDPR goes much further. It isn’t about what data you collect; it’s about how you use the data. Regardless of whether the information is personally identifiable, the moment that companies touch any data specific to users in order to target them with ads, they have to get explicit consent from those users.
This is a big deal. The old cookie notifications are no longer compliant. Companies must tell users that they’re using their data to track their browsing habits, and users have to opt in to let companies do it. Any person who doesn’t skip opt-in out of apathy will probably still skip opt-in because of privacy concerns.
That means companies won’t be able to target most users through data segments. There aren’t workarounds either, because GDPR governs looking at the users’ data for advertising purposes, regardless of how anonymized the data is.
Instead of focusing energy on workarounds, it’s time to embrace that we need to think about targeting differently.
Direct buying works around the issue of personal data entirely because marketers are buying ad placements on specific pages rather than based on user data. The nice part is that marketers know exactly where their ads will show up. If they buy from ESPN, they know it’ll show up on ESPN’s sites and that they’re reaching sports fans.
However, marketers won’t necessarily know which teams users care about or why they’re visiting the site. And since marketers are buying based on sections of the website, they often don’t have many levers to optimize for campaign performance.
Contextual targeting is about reading the content of the webpage to guess the user’s intent. Since marketers are examining the page and not the user, they can avoid looking at any of the user’s data or remembering anything about the user.
Contextual targeting is an already popular and well-understood media and creative strategy with a wealth of vendors and platforms, so it’s an easy way to shift budget to target users in the European Union. Contextual targeting might not be as specific as behavioral targeting or retargeting, but it avoids the user data issue while still giving marketers more specific levers to optimize their media plan.
The European Union spans many different languages and cultures. As a result, optimizing campaign performance means at least making sure that marketers are serving ads that their audiences can understand. More generally, demographic targeting is cross-referencing geographic information with census data to help decide which ad to show.
This falls into a potential gray area for the GDPR. The most common way to determine geography is through the IP address. IP addresses are strong enough unique identifiers that they might be considered personal data. However, IP addresses are commonly used for logging, fraud detection and many other essential functions where there’s no desire to analyze the user, so demographic targeting with low granularity may be possible without explicit consent.
Nevertheless, advertisers will need to pay careful attention to where the GDPR enforcement bodies draw the line on what requires user consent.
GDPR doesn’t necessarily mean the end of behavioral targeting, retargeting or other advertising approaches that rely on user data. The rest of the world has no such restrictions. However, over the next half-year, publishers will gradually implement consent notifications. Anyone who doesn’t have a transition plan will find their reach steadily degrading as the May deadline approaches.