Data matching and cookie syncing aren’t verboten under the General Data Protection Regulation (GDPR) but getting the consent to do it is another story altogether, since consumers need to know exactly what they’re signing up for when they provide unambiguous and specific consent.
Like most vendors in the ad tech ecosystem, companies that onboard data and perform cookie syncs, like LiveRamp, Adobe, Neustar and others, have generally relied on opt-out mechanisms in the past. Users are tracked by default, and if they don’t want to be, they’ve got to actively say “no mas.”
“The requesting of vague or blanket consent will not suffice,” said Robin Caller, CEO of lead-gen and data company Overmore Group. “And the need to be more granular will be a challenge for onboarders.”
Agree (to disagree?)
It’s hard to imagine how any third-party data processor has a snowball’s chance of clearly and concisely spelling out the specifics and value of what they do to the average consumer. That’s why IAB Europe and the IAB Tech Lab are attempting to help vendors enlist their publisher partners in the quest for consent.
But data onboarding vendors are controllers, at least when they’re dropping their own cookies and operating an identity graph with data coming in from multiple sources. And controllers are either responsible for getting consent themselves, when consent is the legal basis being used for processing, or their first-party partners need to mention them by name in their own consent requests.
Now figure out a way to explain to consumers that their offline data is being collected, hashed and cleverly matched with online cookies to target them with personalized advertising and that a company they’re probably not familiar with is also maintaining an identity graph that aggregates their data and stitches it together across hundreds of different platforms, data providers, publishers and brands.
“The whole benefit of onboarding is to take the friction away from moving data around and the nature of a graph is that the data is from many sources – but marketers may not have explicit consent to push data to a given controller,” said Ari Paparo, CEO of Beeswax. “It seems to me that they’d need to rebuild their graph with consent from each input and that’s, like, impossible.”
Sheila Colclasure, global chief data ethics officer and public policy executive for Acxiom and its subsidiary, LiveRamp – the biggest data onboarding vendor on the block – recognizes the challenge that third parties face in their reliance on first parties to gain consent.
LiveRamp uses consent as its legal basis for dropping cookies. But Colclasure claims the company is in a good position to obtain consent through its large ecosystem of third-party partners that work directly with companies that themselves have first-party relationships.
“Consent is a challenge, no question, but it will not have an impact on our ability to operate,” said Colclasure, who declined to comment on rumors that Acxiom is looking to sell LiveRamp, a potential move some have theorized could be connected to the burden of GDPR compliance.
Prove it, hash it
But compliance is not just about obtaining the consent. Controllers are required to perform “rigorous checks” that their contracted partners are compliant.
Even if controllers get consent, they must document the process and, if asked, provide evidence of consent to all of the parties with whom personal data is being shared. For onboarders, that means needing to be able to explain and name all of the firms they partner with, Caller said.
“There will certainly be a greater administrative burden on onboarders, because they will be responsible not just for contracting the suppliers to ensure that cookies are dropped legally, but they will also be responsible for ensuring that these suppliers remain compliant,” Caller said.
According to Colclasure, LiveRamp has invested a great deal of time and effort educating its network of third-party partners and also checking to make sure they’re “maintaining the pseudonymity of the data.”
Because proper pseudonymization, also known as hashing, is crucial for GDPR compliance.
As a privacy precaution, onboarders hash the data they ingest from their clients as a matter of course. Hashing is encouraged under GDPR, but hashing alone isn’t enough to satisfy European regulators.
Hashing cookies and then matching them using the hash is pointless, and if it’s possible to re-identify pseudonymized data with reasonable effort, that data is considered personal under GDPR, and the compliance stakes rise.
Network of networks
A company like Drawbridge, for example, is similar to a company like LiveRamp, in that they both onboard data across channels and use encrypted personal information to link a network of publishers, brands and cookies across channels. And therein lies the rub, said Paul Cimino, head of global data strategy at Prohaska Consulting.
“Even as large as LiveRamp is, it’s still not the entire internet and it’s nowhere near as large as Facebook or Google, and so it’s a network of networks,” Cimino said. “And that is the real thing under pressure here – the opacity of networks – whether we’re talking about an ad network or an identity network. We’re going to see this clear up over the next couple of years.”