It’s been four months since GDPR was rolled out, but the European consumer privacy law is still keeping marketers up at night.
GDPR, or the General Data Protection Regulation, went into effect in May and requires any company that does business with EU citizens to get consent from people to use their data, and make it very clear and easy to opt out of data collection.
“GDPR is my nightmare,” said Nicole Cosby, SVP of media tech standards and partnerships for Publicis Media Exchange at an Advertising Week Panel last week. “… Easily one of my biggest nightmares.”
While marketers were scrambling to ensure that they were compliant with the regulations in the weeks and months leading up to May 25, now they are anxiously waiting to see that they did indeed get things right, Cosby explained.
“As we evolve [from] the burden of trying to understand the compliance and regulation, and getting our ducks in a row contractually across it… now comes the worry and wait,” she said. “Who is going to be the first to violate, who is going to be the first to end up with that headline that there has been a violation.”
On the platform side of course, the first probe has already hit. Ireland’s data regulator has launched an investigation into Facebook over the recent data breach that allowed unauthorized access to 50 million accounts, with the company facing the possibility of up to $1.6 billion in fines.
But no advertiser wants to end up in a similar position. Advertisers that collect first-party data themselves realize that they often operate as the ‘controller’ (as defined by the GDPR rules), given they own the data that’s being utilized by their agencies or ad tech firms to target ads.
But they regularly rely on a roster of other players — directly or indirectly — who are processing that data on their behalf.
That leaves brands worried that they’ll be on the hook for violations made by these partners, even if it isn’t their fault. They are realizing that they can’t just pass all the risks of data management to their partners, and making the necessary moves to actively police their partners.
“GDPR just made us put extra focus and rigor on understanding each part of that ecosystem and really pushing and pulling,” said David Szahun, VP of global media at American Express. “We’ve always taken a perspective that unless someone knowingly understands that they’re offering up their data — if it’s a surprise and a shock in a bad way —that’s not something that we want to do.”
Given the uncertainty, and high stakes, all the big players —brands, agencies, publishers, ad tech companies — say they are actively trying to work together.
Publicis, for instance, is engaging with competing agencies on getting GDPR right, said Cosby.
“GDPR was a bit of a wakeup call, not just from the regulation standpoint, but [in that] it’s caused all actors in the chain really to take a deeper look at their transactions…. everybody [needed] to take an inward look because everybody is liable now, to an extent.”
Another thing that marketers, and more broadly the industry, now seem to have reached a consensus on is that consumers need a lot more education.
“There is a real value exchange [in using data to better serve customers], but until you’re clear, until you’re transparent… it’s a hurdle,” said Meredith Verdone, Bank of America’s chief marketing officer.
“We should turn it into an opportunity and part of the core strategy to help engage in a more meaningful way… but it’s going to require better communication and education.”
Even Facebook is echoing that talk, with its VP of global marketing solutions Carolyn Everson acknowledging that it had a long way to go at consumer education.
“Consumers don’t fully understand how online advertising works and that’s not their fault — that’s us and the entire industry,” she told Business Insider.
“When you have transparency and controls in place, the vast majority of people want relevant advertising.”
While data protections in the US are far less comprehensive than GDPR, the Cambridge Analytica scandal and Facebook’s most recent hack as well as California’s privacy law has reopened the conversation around privacy regulations.
Ultimately, this sharpened focus may lead to a far broader legislation, said Joshua Lowcock, the brand safety chief at UM.
“I was having a discussion with one of the UK regulators, and one of their comments to me was there’s still bad content on the internet… they want to apply pressure all the way down the chain,” he said.
“Somewhere the ecosystem failed and someone made a decision to put that [an ad] out there. The person that made the decision to allow ads running part of it has to be held accountable.”