GDPR: What You Need to Know Before May 25
We’re only two months away from the implementation of GDPR, and the changes in European regulation are going to have a significant impact on the online advertising ecosystem. It won’t just affect organizations and users inside the EU; it will impact any company that engages with users located in the EU.
To ensure that the internet remains open and vibrant, digital publishers, advertisers and their partners—including but not limited to advertising partners and advertising technology providers—need to adapt their business models to comply with GDPR.
Such major changes that impact the entire ecosystem need a collaborative and consistent solution, which is why AppNexus is working closely with IAB Europe, and others across the digital advertising ecosystem, including publishers and agencies, to find a common solution. And for good reason – simply put, our industry needs to adapt to GDPR in order to continue to thrive. Below, we’re going to explain why that is and tell you how to start getting ready.
Why is GDPR happening?
As we touched on when we expressed our support for the IAB’s Transparency and Consent Framework (more on that in a bit), an important social contract exists between publishers and consumers. Publishers agree to produce great content and provide it to consumers either for free or for a small subscription fee. In return, publishers have the right to sell advertising space to companies who want to engage those consumers. It makes perfect sense. Publishers need money to pay content creators and all the other people who make their work possible. Under the advertising model, they can get those funds, and consumers enjoy broad access to quality content, rather than having to pay for every bit they consume.
However, with the advent of more advanced, data-driven forms of digital advertising, the social contract between publishers and readers has become more complicated. We’ve come a long way from the days of classifieds in the morning paper. Advertising has gotten smarter since coming online, with powerful technology that allows brands to serve up personalized messaging based on such qualifications as a user’s location, demographic information, or purchase history.
These developments provided a net benefit, as they’ve allowed publishers to enhance the value of their ad inventory, given advertisers new ways to engage the audiences they want to reach, and delivered users a better browsing experience, with fewer, and more relevant ads.
Of course, all of this is enabled through the collection and use of personal data (which for third-party advertising companies is typically the collection and use of pseudonymous personal data through the use of cookie IDs and mobile advertising ID’s). It’s imperative that this is done in both a safe and transparent way, and in a way that puts the user firmly in control of their data. That’s what the EU is seeking to address with GDPR, and what the framework is seeking to enable.
What does GDPR say I have to do?
GDPR has many provisions, but the key requirements in the simplest possible terms are twofold:
- Any company (such as a publisher or advertiser) gathering user data has to tell users what data they’re gathering, who they’re passing it to (including which ad tech vendors they work with), and how it’s being used.
- Those companies also need to ensure they are relying on the appropriate legal basis for doing so, which in some cases may include the users’ consent (to whom that data is being passed and how it’s being used) and in other cases, providing an option for a user to object to whom that data is being passed and how it’s being used.
In other words, the law boils down to telling users what’s happening to their personal data and having a reason, and in some cases approval, to move forward.
For these reasons, AppNexus strongly supports the IAB's framework, which is essential to preserving the social contract that publishers have with end users. If that social contract breaks down, publishers will need to look for new ways to monetize, which could include gating their content and charging a premium for it.
But such a breakdown would ultimately benefit no one – except perhaps for walled gardens like Facebook and Google, who can more easily fold the consent-gathering process into their users’ login process and other direct experiences. More importantly though, this breakdown would end the open internet as we know it and cut off anyone who can’t pay up from quality content: news, commentary, music, film, and information. At AppNexus, we want to prevent this at all costs by helping publishers and advertisers ready themselves for GDPR.
How do I prepare for GDPR?
Publishers, advertisers, and ad tech providers on the open internet need a common language and method for providing users with transparency into how they collect personal data, how that data is used, and in some instances, how they seek their consent for those uses (or provide an option to object). Otherwise, none of the sides will be able to evaluate each other for compliance, and the entire supply chain could break down.
That’s why we strongly recommend that publishers, advertisers, agencies, and ad tech vendors adopt IAB Europe’s Transparency and Consent framework before GDPR comes into effect on May 25th.
Ad tech providers and companies that, as controllers, may have transparency and consent requirements, should join the global vendor list as soon as possible, while publishers and advertisers should start pushing their vendors to do so. Both sides should also use the IAB’s technical specifications to start building a solution to provide dynamic transparency into the vendors they are using and pass along approved vendors and user consent, where necessary, and figure out how they’ll incorporate it into their programmatic processes. Finally, we recommend you keep up with our blog for the latest best practices around GDPR.