Home Privacy Data Onboarders Have A Tough Road Under GDPR

Data Onboarders Have A Tough Road Under GDPR

SHARE:

Data matching and cookie syncing aren’t verboten under the General Data Protection Regulation (GDPR) but getting the consent to do it is another story altogether, since consumers need to know exactly what they’re signing up for when they provide unambiguous and specific consent.

Like most vendors in the ad tech ecosystem, companies that onboard data and perform cookie syncs, like LiveRamp, Adobe, Neustar and others, have generally relied on opt-out mechanisms in the past. Users are tracked by default, and if they don’t want to be, they’ve got to actively say “no mas.”

“The requesting of vague or blanket consent will not suffice,” said Robin Caller, CEO of lead-gen and data company Overmore Group. “And the need to be more granular will be a challenge for onboarders.”

Agree (to disagree?)

It’s hard to imagine how any third-party data processor has a snowball’s chance of clearly and concisely spelling out the specifics and value of what they do to the average consumer. That’s why IAB Europe and the IAB Tech Lab are attempting to help vendors enlist their publisher partners in the quest for consent.

But data onboarding vendors are controllers, at least when they’re dropping their own cookies and operating an identity graph with data coming in from multiple sources. And controllers are either responsible for getting consent themselves, when consent is the legal basis being used for processing, or their first-party partners need to mention them by name in their own consent requests.

Now figure out a way to explain to consumers that their offline data is being collected, hashed and cleverly matched with online cookies to target them with personalized advertising and that a company they’re probably not familiar with is also maintaining an identity graph that aggregates their data and stitches it together across hundreds of different platforms, data providers, publishers and brands.

“The whole benefit of onboarding is to take the friction away from moving data around and the nature of a graph is that the data is from many sources – but marketers may not have explicit consent to push data to a given controller,” said Ari Paparo, CEO of Beeswax. “It seems to me that they’d need to rebuild their graph with consent from each input and that’s, like, impossible.”

Sheila Colclasure, global chief data ethics officer and public policy executive for Acxiom and its subsidiary, LiveRamp – the biggest data onboarding vendor on the block – recognizes the challenge that third parties face in their reliance on first parties to gain consent.

LiveRamp uses consent as its legal basis for dropping cookies. But Colclasure claims the company is in a good position to obtain consent through its large ecosystem of third-party partners that work directly with companies that themselves have first-party relationships.

“Consent is a challenge, no question, but it will not have an impact on our ability to operate,” said Colclasure, who declined to comment on rumors that Acxiom is looking to sell LiveRamp, a potential move some have theorized could be connected to the burden of GDPR compliance.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Prove it, hash it

But compliance is not just about obtaining the consent. Controllers are required to perform “rigorous checks” that their contracted partners are compliant.

Even if controllers get consent, they must document the process and, if asked, provide evidence of consent to all of the parties with whom personal data is being shared. For onboarders, that means needing to be able to explain and name all of the firms they partner with, Caller said.

“There will certainly be a greater administrative burden on onboarders, because they will be responsible not just for contracting the suppliers to ensure that cookies are dropped legally, but they will also be responsible for ensuring that these suppliers remain compliant,” Caller said.

According to Colclasure, LiveRamp has invested a great deal of time and effort educating its network of third-party partners and also checking to make sure they’re “maintaining the pseudonymity of the data.”

Because proper pseudonymization, also known as hashing, is crucial for GDPR compliance.

As a privacy precaution, onboarders hash the data they ingest from their clients as a matter of course. Hashing is encouraged under GDPR, but hashing alone isn’t enough to satisfy European regulators.

Hashing cookies and then matching them using the hash is pointless, and if it’s possible to re-identify pseudonymized data with reasonable effort, that data is considered personal under GDPR, and the compliance stakes rise.

Network of networks

Onboarders face some of the same problems as cross-device providers, which have been pivoting away from media in the lead-up to GDPR.

A company like Drawbridge, for example, is similar to a company like LiveRamp, in that they both onboard data across channels and use encrypted personal information to link a network of publishers, brands and cookies across channels. And therein lies the rub, said Paul Cimino, head of global data strategy at Prohaska Consulting.

“Even as large as LiveRamp is, it’s still not the entire internet and it’s nowhere near as large as Facebook or Google, and so it’s a network of networks,” Cimino said. “And that is the real thing under pressure here – the opacity of networks – whether we’re talking about an ad network or an identity network. We’re going to see this clear up over the next couple of years.”

Must Read

play button with many coins isolated on blue background. The concept of monetization of the video. Making money on video content. minimal style. 3d rendering

Exclusive: Connatix And JW Player Merge To Create A One-Stop Shop For Video Monetization

On Wednesday, video monetization platforms Connatix and JW Player announced plans to merge into a new entity called JWP Connatix. The deal was first rumored in July.

HUMAN Raises $50 Million

HUMAN plans to build a deterministic ID from its tracking of more than 20 trillion digital signals per week across 3 billion devices, which will aid attribution for ecommerce.

Buyers Can Now Target High-Attention Inventory In The Trade Desk

By applying Adelaide’s Attention Unit scoring, buyers can target low-, medium- and high-attention inventory via TTD’s self-serve platform.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

How Should Advertisers Navigate A TikTok Ban Or Google Breakup? Just Ask Brian Wieser

The online advertising industry is staring down the barrel of not one but two potential shutdowns that could radically change where brands put their ad dollars in 2025, according to Madison and Wall’s Brian Weiser and Olivia Morley.

Intent IQ Has Patents For Ad Tech’s Most Basic Functions – And It’s Not Afraid To Use Them

An unusual dilemma has programmatic vendors and ad tech platforms worried about a flurry of potential patent infringement suits.

TikTok Video For Open Web Publishers? Outbrain Built It.

Outbrain is trying to shed its chumbox rep by bringing social media-style vertical video to mobile publishers on the open web.