Winter is coming – for companies that aren’t taking the new EU privacy regime seriously.
Ad tech players are particularly vulnerable, said Todd Ruback, chief privacy officer at digital governance company Evidon, which sold its consumer-facing privacy extension, Ghostery, in February in order to dedicate itself to enterprise compliance.
“The ad tech industry is the weak link in the digital supply chain,” Ruback said. “The digital marketing industry writ large hasn’t fully grasped that GDPR [the General Data Protection Regulation] specifically applies to them.”
On Tuesday, Evidon rolled out a platform to help companies comply with the consent requirements of GDPR, which go into effect next May 25, and with the proposed ePrivacy regulations (also known as the Cookie Law), which would require sites and apps to obtain consent and disclose which technologies they use.
Noncompliance will come with a hefty price tag: 4% of global annual revenue or up to 20 million euros.
“A fine like that would be annoying for most large publishers,” said Evidon CEO Scott Meyer. “But it would be lights-out for most ad tech companies.”
Starting in May, entities will need to either get the consumer’s opt-in consent or have a legal basis for collecting the personal data they use to build customer profiles, like an ecommerce site, for example, which needs to know someone’s address in order to deliver a package.
Ad tech companies don’t have access to or use personally identifiable information, such as name or physical address, pointed out Andy Dale, DataXu’s senior counsel and data protection officer who consulted on product development for Evidon’s consent platform.
But the new laws expand the definition of what is considered personal data to include any form of third-party cookies. Without access to cookies, the ad tech ecosystem would begin to crumble, and anonymizing the cookie data isn’t necessarily enough.
“You still need consent,” Meyer said.
But obtaining that consent can be quite tricky for companies operating in the digital marketing ecosystem that don’t have direct publisher relationships. Publishers that sell programmatically on the open exchange are also exposed.
“We’ve had ad tech companies come to us and say, ‘How do we get consent if we don’t even know which websites we’re on?’ and publishers that come to us and say, ‘How do we get consent if we don’t even know who’s on our website?’” Meyer said. “And, of course, there’s the question of how you get consent without destroying the user experience.”
Few people actually read the cookie banners that now commonly pop up at the bottom of European websites. Even if they did, those banners wouldn’t be enough to comply with the regs because they don’t allow consumers to take action or exercise their personal data rights, including the right to be forgotten.
Evidon’s platform allows companies to deploy a tag that enables consumers to opt in to data collection, see what data is being collected and modify what’s being tracked. The site gets visibility into its digital supply chain. Under GDPR, consumers that opt out cannot be denied access to the site even if they decide not to give up their data in exchange.
Website owners, publishers and brands pay Evidon an annual fee for the tag that varies based on the number of domains and how much customization is involved. Ad tech companies can integrate the tags for free.
“GDPR applies to any company engaged in website monitoring, which means that if you’re involved in digital marketing, you need a comprehensive understanding of all the ad tech and mar tech on your site,” Ruback said. “You have to monitor and make sure that each one is processing data on the right level basis, and if there isn’t consent, you need to get it.”
For that reason, ad tech companies should expect agencies and publishers to start reaching out, if they haven’t already, and demand contract renegotiations to indemnify themselves against any potential violation caused by the unlawful processing of data.
The stakes are high, yet a lot of ad tech companies still aren’t giving GDPR and the Cookie Law their due consideration.
“If I had to handicap it, I’d say about 10% have seen the GDPR privacy light,” Ruback said. “For the rest, the light hasn’t been turned on above their heads yet.”
There’s still time to get organized – it’s only about 10:30 p.m. on the GDPR Doomsday Clock, Meyer estimated – but May 25 is coming quick.
“After this summer is over, you’re going to see the buy and sell side turn the screws big-time on the ad tech ecosystem to get this figured out,” Meyer said. “It’s not one minute to midnight by any means, but it also ain’t morning.”
