For Adtech Companies, GDPR is a Tall Order

The deadline for compliance with the European Union’s General Data Protection Regulation (GDPR) – May 25, 2018, is quickly approaching. GDPR will affect every company that controls, collects or shares personal data of EU citizens, regardless of where such a company is located. It will affect almost all tech verticals, but adtech companies are especially sensitive as much of their business depends on using consumer data to target ads.

The main challenge that adtech companies face under the new laws is getting consumers’ consent when you need to deal with multiple vendors sharing the data, and complex data flows. Adtech companies can no longer continue to ask permission to do “digital advertising” in general; from now on these companies need to get consumers to specifically approve the vendors with whom they intend to share consumers’ data, at least according to some of the more strict experts.

It should be noted that GDPR allows companies that collect data for “Legitimate Interest” to avoid the need of securing consent, and many adtech companies are trying to use this exception and claim that their businesses comply with GDPR under this clause. However, this will probably not work as using “legitimate interest” as justification to collect information only works if it doesn’t infringe on the rights of the consumer.

Unfortunately, GDPR assumes that almost all adtech companies do infringe on such rights. Also, specific practices such as behavioral advertising were rejected by the regulator as falling into the scope of “legitimate Interest,” as opposed for example to direct marketing, which is advertising that does not involve a 3rd-party.

While the new rules require businesses to make significant changes to their work methodologies, many companies are still largely unprepared for the soon to be enforceable regulation.

What are these companies risking? Quite a bit.

The most obvious reason for getting GDPR compliant as quickly as possible: intimidating fines that may be imposed by regulators on companies that do not comply. Although the actual fines will probably be lower than the maximum amounts prescribed in the regulation—which can come up to 4% of the defaulting company’s annual turnover or 20M euros—they will probably be substantial.

In some cases, GDPR makes companies liable for any non-compliance by the business partners they share information with. This means that you will need to take action to make sure suppliers and other third parties comply. It also means that your partners will do the same, so you can expect to be asked to sign confirmations or even to demonstrate your compliance.

Adtech companies are already getting requests from their partners to sit down and “chat” about GDPR compliance, to amend existing agreements or to confirm they comply with the new legislation. For new or small players in the industry which already struggle to convince vendors to start working with them, this aspect of GDPR is a real challenge.

GDPR has become a strong incentive for big companies to cut loose small partners who are responsible for only a small fraction of their revenue and that potentially increase their exposure. Companies like Facebook and Google are already cutting out third-party vendors for example, and they are not alone.

GDPR is also an opportunity. For some time now end users are sending signals of discomfort regarding the way their information is used. They opt out of consensual data sharing and use ad blockers. This trend has been especially felt since news about the way in which data firm Cambridge Analytics used Facebook data to build voter profiles. Transparency and loss of control of privacy are the main concerns. GDPR compliance can be used to gain back that trust. GDPR can help to calm consumers’ concerns about their personal data and help the industry to create an open dialogue.

Partial compliance is better than no compliance. Although it is still a mystery to what extent GDPR will be enforced. Companies that can present evidence showing they earnestly attempt to get ready for GDPR will get more favorable treatment and maybe lower fines for non-compliance.

For executives trying to figure out whether they can do anything in the remaining 30 days if their company hasn’t done anything so far, the answer is a resounding yes.

Here are some of the things you should probably start doing today with your legal and technical advisors:

  1. Audit and map the data you collect, how you use it, store it or share it, and decide whether you need to make any changes (collect less information for example or hold it for a shorter period).
  2. Identify the risks associated with the collection and handling of such data.
  3. Determine whether you are a data processor or controller (or both) to understand your obligations and responsibilities under GDPR.
  4. Decide whether you need to appoint a Data Protection Officer.
  5. Make sure you have processes in place for allowing data subjects to exercise rights such as “the right to be forgotten.”
  6. Review and if necessary upgrade your existing privacy policy and existing agreements with your business partners and update your internal policies and working methods.
  7. Remember, GDPR is not only about paperwork. You probably need to change the way you work.

To try and meet the very strict requirements of GDPR concerning securing consumers’ consent, the Adtech industry has begun to develop among others technological solutions such as “Consent Management Tools” and other means, in some instances written in open source code and freely distributed. Some of these tools just help marketers get more informed and specific consent from their consumers while others try to solve the problem of getting expressed consent from a consumer that needs to refer to all of the parties involved in the data processing.

These solutions are in many cases are still a work in progress, and there is no way to know whether they will be recognized as being in full or partial compliance with GDPR. The developers of these solutions are, at least in some cases, not completely free from self-interest and might try to bundle their own platforms and solutions with the so-called freely distributed solution. Another consideration is the data you might be sharing with the developer of the solution or with other businesses that share the same technical solution with you.

The adtech industry will have to make substantial changes to its legal, business and technological models. The industry generated solutions of the type mentioned above are proof not only of the adtech industry becoming more mature and responsible but also of the level of uncertainty and fear that surrounds GDPR.