Data management platforms play an increasingly important role in helping digital marketers find high-value audiences, largely based on third-party data collection without much transparency. But with the General Data Protection Regulation being enforced in May, DMPs may face a tough battle to obtain third-party data.
“There is much more legal work ahead for DMPs, especially between them and their data providers,” said Maciej Zawadzinski, CEO of Poland-headquartered ad tech firm Clearcode. “Third-party data will become less accessible because of GDPR, which is likely to cause DMPs to focus more on first-party and second-party data. But it doesn’t mean that third-party data will become irrelevant, or DMPs will stop relying on it.”
Becky Burr, chief privacy officer for Neustar, believes that GDPR will have a significant impact on DMPs and ad tech companies in general. This is because ad tech companies are known to process data based on inferred consent through opt-out mechanisms, but GDPR makes reliance on individuals’ consent as the lawful basis for processing data, according to Burr. “In addition, enhanced data subject rights in the form of access, correction, erasure, and portability will require more robust consumer-facing portals and may create additional processing overhead [for DMPs] in some situations,” said Burr.
Douglas McPherson, chief legal officer for OpenX, thinks that whether — and how — the GDPR will affect DMP operations boils down to how a company defines its role under the regulation: Is it a “data controller” that “determines the purposes and means of the processing of personal data?” Is it a “data processor” that “processes personal data on behalf of the controller?” Or is it a “data subprocessor” that a data processor engages to conduct further processing in addition to what the data processor is doing? The role determines how and why a company collects personal data, said McPherson. For instance, the data processor can’t engage the subprocessor without informing the data controller.
McPherson believes that while DMPs typically act like data processors, they will also be viewed under the GDPR as data controllers in some cases, like when they collect data from credit card companies, look for users’ purchase patterns, create user profiles and then create data products to sell, for instance. And as data controllers, DMPs will have lots of legal responsibilities under the GDPR, like maintaining records of data-processing activities, as well as implementing an internal policy on handling data and data security.
“Some of those things are required by GDPR’s predecessor as well, but few companies took the regulation seriously because there were no significant financial penalties,” said McPherson. “But GDPR will change that. If there’s a data breach, for example, data controllers will get a fine of €20 million [$24 million] or 4 percent of their global revenue.”
In addition to the role of DMPs under the GDPR, the definition of user consent also determines the regulation’s impact on DMPs. “For now, it’s unclear what type of consent is adequate for GDPR purposes — we are told that there will be further guidance on consent over the upcoming months,” said McPherson. “If GDPR requires more robust consent than the existing laws, DMPs may need to ask brands and publishers they work with to obtain explicit consent from individuals, or DMPs can look for first-party data or other data sources.”
While Burr thinks that changes in the treatment of consent under the GDPR are “an important derogation” for DMPs that usually aggregate and analyze pseudonymised website data and log data on publisher, retailer, and advertiser websites. “Because IP address may be personal data under EU data protection law, Neustar stores them for 10 days or less, keeping only truncated or hashed IP addresses for our products and services,” said Burr.
Tiffany Morris, general counsel and vp of global privacy for Lotame that has a DMP business, also believes consent can work smoothly in a first-party relationship, but it is hard to track consent in a third-party relationship, where data may flow into different parties’ hands. “We are talking to our data providers to understand how they interpret GDPR, how they obtain consent and if they follow the IAB consent mechanism,” said Morris.
DMPs like Neustar and Lotame already started adding GDPR-specific language to vendor contracts with their data providers. But Morris thinks the real challenge for DMPs is how they interact with data providers technically. “In many cases, the DMP is acting solely as the processor who is processing first-party data at the direction of the controller or the client. In some instances, however, a DMP may act as a data controller,” said Morris. “GDPR makes it clear that both the data controller and the data processor are responsible for personal data. But we don’t have technical means to validate how [our data providers] obtain consent.”
Despite these challenges, ad tech executives and legal counsels interviewed for this story believe the GDPR creates opportunities for quality data and better data management. They also think the regulation will lead to consolidation in the ad tech space, as media buyers feel pressure to cut vendors that are not GDPR-compliant.
“There’s lots of negativity about GDPR in press, but it’s a positive thing to me,” said Nick McCarthy, svp of data solutions for agency Merkle’s operations in Europe, the Middle East and Africa. “There’s lots of work to do, but it pushes people to be responsible.”
Digiday+ Research: Instagram wins over Facebook for role in brands’ holiday marketing
Brands differ on how they use each marketing channel during the holidays -- even when it comes to sibling social media platforms Facebook and Instagram, Digiday+ Research found.
How — and why — Candy Crush is in the midst of a 10th anniversary brand refresh
In the years since Activision Blizzard acquired the Swedish game studio King in 2016, employees at the gaming giant have started to internally refer to their company as “ABK” — that is, Activision Blizzard King. But the corporation’s recent financial reports indicate that “KAB” might be a more accurate abbreviation.
Independent agency Goat invests in influencer strategy for clients as it expands in the U.S.
Everyone is after influencers to up their marketing game. But the secret to success, Goat contends, is in viewing influencers as performance media and using data to deliver clients guaranteed outcomes.
SponsoredHow brands are measuring incremental performance on CTV
Connected TV is unique among other advertising channels because it combines linear television’s storytelling capabilities with digital marketing’s targeting and measurement. As more marketers leverage CTV advertisements to reach relevant and engaged audiences, they also want to understand the real value they are generating with their investment. Incrementality reporting and measurement allow advertisers to measure […]
Marketers bring Web3 to the FIFA World Cup with augmented reality, NFTs and virtual worlds
The month-long tournament, which begins this weekend, will be the first World Cup since it took place in Russia in 2018 long before “Web3” entered the global lexicon. Now, official and non-official sponsors are hoping to harness the hype with a range of NFTs, virtual worlds, augmented reality tools and other trendy tech.
U-Haul diversifies its social strategy to tell people it’s more than moving trucks
In recent years, U-Haul's in-house agency has been working to "better leverage social media for brand loyalty."