Tuesday 21 May 2019

New EU data law could hurt marketers but help publishers

There are increased obligations for companies retaining data, restrictions on how it can be shared and stronger rights for European citizens
There are increased obligations for companies retaining data, restrictions on how it can be shared and stronger rights for European citizens
Steve Dempsey

Steve Dempsey

If you're in media and marketing you better mark May 25, 2018 in your diary. It's the day the EU makes your life a whole lot more difficult.

On that day Europe's new privacy regime kicks in. It's called the General Data Protection Regulation (GDPR). What does it entail? Well, there are increased obligations for companies retaining data, restrictions on how it can be shared and stronger rights for European citizens.

The upshot is that any organisation that retains customer data will need to audit and classify that information. They need to ensure regular risk assessments are completed to account for what would happen if data was lost, misappropriated or if they are hacked. Plus, they need to prepare a breach notification plan, so they have a ready-made course of action if something does go wrong.

But the GDPR spells particular trouble for anyone that profiles users or tracks their online behaviour. Once the GDPR comes into force, it will become illegal for the data controller (the entity that gathered the data in the first place) to share European citizens' details with another company without agreeing a formal contract. Data can only be passed onto third parties which offer guarantees of high standards of security.

This means a host of online advertising strategies will become problematic overnight - if not illegal. Under the GDPR, device IDs and cookies will be treated as personally identifiable information. Therefore, re-targeting ads and profiling based on this type of data will become illegal without users' consent.

Tracking pixels, javascript and a host of third party ad-tech will suddenly look a lot less appealing to media outlets. The commercial opportunities they offer will suddenly become open invitations to infringement.

Infringements mean penalties. Companies that are non-compliant with the GDPR - whether they're based in the EU or not - can be fined up to €20m or 4pc of total worldwide annual turnover, whichever is greater.

Of course, advertisers can use third-party data without an agreement with the data controller. But it won't be easy. They'll need to inform subjects directly that they're using their data and what they're up to with it. A difficult ask without the involvement of the data controller. And the users can ask them to stop at any time.

European citizens also have the right to approach any company that has data about them and demand to know how it's being processed, why, and who it's being shared with.

How will users respond to this ability to track how their data is being used? They could well panic, according to Dr Johnny Ryan, head of ecosystem at PageFair a company that helps media outlets with ad-blocking.

"The GDPR will confront users with the extent to which their behaviour across the web is tracked, how these data are used, and how often they are stolen," he says. "The result will be a wave of paranoia about personal information. One can anticipate that users will react particularly negatively to businesses that hold their data but have no direct relationship with them."

Ryan also points out that consumers will be bombarded with alerts about their data. "Consumers across the EU will start to see more notices about how their data is being used, and will have the opportunity to object, or be asked to give their consent," he says.

"One challenge that remains is how this is to be conveyed. The European Commission plans for a new system of iconography to convey the complicated details of how data are used in concise terms."

Late last year the European Newspaper Publishers' Association voiced concerns that the GDPR created legal uncertainty around direct-marketing practices related to keeping tabs on readers and subscribers. These are legitimate business practices, the ENPA claimed. Like everyone else, publishers are going to have to pull up their socks in relation to audience data. But there is a possible upside for publishers. The GDPR will make them gatekeepers of a valuable asset.

"Trust in publishers has always mattered to brands," Ryan says. "But under the new rules the more trusted a publisher is the more valuable it will be to the advertising system too. To use someone's data a company will have to have some form of contact with them - to inform them of how their data is used and so forth.

"The many companies that track people around the web, but have no direct relationship with the people they are tracking, will have to build this relationship from scratch, or work with publishers that already have such a relationship. In contrast, the trust that some publishers have earned from their users will become a precious asset."

Sunday Indo Business

Also in Business