How GDPR will impact Facebook, Google and online advertising
GDPR will not just have an impact on how marketers can collect data but how they use it to create personalised and targeted online advertising.
Brands could see the price of personalised online advertising skyrocket from the end of this month, as the EU’s General Data Protection Regulation (GDPR) comes into force. The supply of ad impressions that can be targeted using personal data is likely to suffer a significant drop, as it becomes clear how many publishers (or how few) have successfully obtained consent from consumers to use that information.
Some believe online targeting will eventually shift away from the use of personal data almost entirely as a result.
The world’s two biggest advertising companies, Google and Facebook, have both informed businesses using services such as DoubleClick and Custom Audiences that they must certify the data they utilise to serve ads satisfies GDPR. This places a huge onus on brands and publishers to ensure they get the required consent themselves.
While many uncertainties remain, the Internet Advertising Bureau (IAB) concedes there is a view that the supply of personalised inventory will drop in favour of more contextual targeting options that don’t require personal data. “This would also have the possible effect that the price of personalised inventory would increase, underpinned by a more transparent relationship between advertisers and consumers.”
Johnny Ryan, head of ecosystem at ad tech comapny PageFair, sees removing personal data from the online advertising process as the only viable approach in order to continue serving targeted ads that comply with the law. In fact, he goes as far as to say the current model of programmatic personalised advertising “cannot be legal” under GDPR, because when publishers request bids there is an inherent risk of personal data being inappropriately shared within the supply chain.
“In between [publishers and advertisers] are innumerable unknown and unknowable parties, who are doing many backroom deals with each other and massively misusing personal data. What that means is you cannot release personal data in the middle,” he argues.
“There is a question about how on-the-hook brands are, not only for their own stuff but for everyone else’s as well; and not only because they pay for it all to exist and to operate the way it does – and to insist that it operate the way it does in some cases – but also because they may be feeding data that they hold into this beast.”
While Google has already announced it will be offering publishers an option for showing non-personalised targeted ads, many publishers will, of course, make every effort to secure the consent needed from consumers to use personal data. The IAB has issued guidelines to the industry on how to go about seeking it.
But according to Ryan, research shows success rates from such efforts will be “low, low, low”. Furthermore, brands and publishers must be satisfied they have given sufficient information about the purposes for which data will be processed. Within each link of the supply chain there are “countless purposes”, he points out, adding that simply stating as a brand or publisher that you will process personal data to serve personalised advertising is unlikely to satisfy GDPR.
Speaking at a roundtable organised by the DMA last month, Jonathan Carter, managing principal at data and software company Acxiom, likewise noted: “No one is running due diligence on whether or not every publisher that is showing a display ad has a cookie notice that is going to cover the whole advertising ecosystem, when it should do.”
He expects to see preference centres emerge to explain these aspects and give consumers control, but is also concerned that the language of these will need to be standardised and cover all aspects of advertising.
At the same event Richard Merrygold, group privacy director at home emergency repair brand HomeServe, suggested it is necessary despite the complexity to offer consumers more choice. He said that until recently “if you wanted to use [free digital] services, you had to give up your right to privacy”, but pressure on companies such as Facebook has prompted them to be more transparent and allow consumers control over how ads use their data.
“People want to continue to be advertised to but they want to see the things that they care about, not stuff that they just happened to Google and which now is being flashed up on every single page,” said Merrygold.
The regulation comes at a time when Facebook in particular has endured heavy criticism for its past data practices, which saw app developers harvest the data not only of users but also of their friends. Millions of people’s data was acquired by the consultancy Cambridge Analytica as a result.
Both Facebook and Google state that they will be GDPR compliant by the deadline on 25 May. Facebook has also announced further measures such as a tool allowing users to opt out of having their browsing history collected when they visit sites running its plugins. PageFair’s Ryan believes Facebook will eventually follow Google’s lead and offer a non-personalised option for ad targeting, but that its platform will need to change to make this valuable.
Even if personal data becomes a rarer commodity in online advertising, personalised advertising won’t disappear completely. Instead, Ryan argues it should become “a hyper-premium, small corner of the market; and it really is important that it exists, especially for publishers who are able to get consent to do interesting things with that end of the market”.
This could lead to a more direct interface between brands and publishers returning, he suggests, where consumers give consent for publishers to place them into pre-defined segments, which are then used instead of personal identifiers to attract advertisers’ bids for impressions. But it probably won’t happen straight away.
“European publishers might be worried that, if one of them stops putting personal data out in bid requests, they will suffer at the expense of their competitors. That applies until such time as there is an external negative shock.”
Examples of such a shock could include a court case brought by privacy campaigners, direct intervention by GDPR regulators, or a country enacting recital 149 of the law, which would allow it to claw back any profits made in contravention of the law. This, he says, would be “catastrophic” for any company caught out, and given the nature of these risks, he believes it would be “absolutely crazy for companies not to take a safe approach under GDPR”.
He concludes: “This regulatory change might be an opportunity for you as a CMO to walk back from the edge of the cliff that your head of digital have walked you towards.”