The digital media supply chain is about to get a whole lot smaller thanks to Europe’s General Data Protection Regulation (GDPR).
The privacy legislation, which takes effect in May, dictates that data controllers could be held responsible for data privacy missteps made by their third-party partners.
Marketers and publishers are therefore highly incentivized to run a tighter ship and cut down on the number of tech vendors they work with. Fines for infractions are steep: 20 million euros or up to 4% of global annual turnover.
The days of testing out multiple new retargeting providers just for the heck of it are soon to be a thing of the past, said Jakob Bak, CTO at Danish ad tech company Adform.
“An advertiser working with 25 partners today would have to do 25 digital process compliance checks and audits a year – and beyond being a legal issue, that gets quite expensive,” Bak said.
GDPR is “a clear signal” to advertisers that they should “move away from the Lumascape and be more careful about who they choose to work with,” he said.
If they aren’t careful, advertisers and publishers open themselves up to data leakage, unauthorized data collection and a world of potential pain under GDPR, because everyone in the supply chain is on the hook for violations.
“Publishers don’t have an easy way to close the door on all data leakage,” said Johnny Ryan, head of ecosystem at PageFair. “Even if a publisher has the user’s consent to share personal data with partners, the publisher probably doesn’t know who all of those prospective partners are.”
And without perfect knowledge, publishers “can’t be certain that each partner they do know about isn’t inviting others in as part of the daisy chain,” Ryan said.
Ads on a publisher’s page could contain JavaScript that acts like a trap door to other third parties the publisher doesn’t know about, and there’s no easy way to vet the code before an ad is rendered on the page.
“Brands should be worried, because the data they’re getting could be contaminated or they may be leaking data themselves simply in the course of serving ads,” Ryan said. “That’s why brands need certainty that everyone in the chain is tight and legitimate – and today, you can’t really get certainty on that.”
AdExchanger Daily
Get our editors’ roundup delivered to your inbox every weekday.
Daily Roundup
But publishers and agencies are certainly trying to reduce the number of partners they work with and renegotiating their contracts with the companies that remain to protect themselves against possible violations that result from prohibited forms of data processing under GDPR.
“The ad tech industry is the weak link in the digital supply chain,” said Todd Ruback, chief privacy officer at Evidon. “Top-tier players in the market are getting phone calls from their publisher partners saying things like, ‘You have to agree to indemnify us if we get fined.’”
Global brands are also slimming down their partner lists, which was true even before GDPR became a looming reality. When Adform won T-Mobile as a client around four years ago, for example, it took a good year and a half to complete the onboarding process that included a rigorous check of Adform’s data security practices.
Companies that operate in highly regulated industries have a history of doing all of the things that will soon be required under GDPR, said Jochen Schlosser, chief strategy officer at Adform. GDPR will push companies in other categories to apply the same level of rigor to their ad tech and mar tech partners, he said, and smaller companies will likely find it more difficult to get tests going with the bigger guys.
“Banks and telcos, for example, purposely work with fewer systems because they have to undergo an audit every year,” Schlosser said. “The marketing department can’t just try out things and get new pixels on websites tomorrow. That will now start to happen with the rest of companies out there.”
But brands and publishers working to better manage their vendor and third-party data processor relationships is not a bad thing, said Dan de Sybel, CTO at indie programmatic agency Infectious Media.
“GDPR forces the industry to tidy itself up a bit,” de Sybel said. “There’s going to be a lot of pain along the way – and some smaller players will have to throw in the towel – but GDPR will ultimately help clear up fraud and start to get rid of the players that aren’t contributing much to the supply chain.”
