Guilt by association for many marketers
If you’re not toiling in adtech, there’s still no reason to breathe easy. As noted in my analysis of Google’s €50 million fine, when a DPA points out a non-compliant practice, it means anyone deploying that practice has been put on notice and is de facto in violation of the GDPR, whether or not they are ever actively investigated. In the case of the adtech report, the nine “systemic” issues with RTB include several that are in widespread use on websites and apps of all kinds, including:
- Putting the lie into L.I. — Legitimate interest (LI) has long been the siren song for marketing’s Odysseus, an alternative to consent that seems to avoid those messy interactions with fickle consumers. The ICO first notes that RTB players often unlawfully rely on legitimate interest when placing cookies, whereas placing cookies requires consent. They then add: “Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.” The tests in question are threefold: 1) the “purpose test” consists of identifying a genuinely legitimate business interest (rather than an end you simply desire to pursue); 2) the “necessity test” involves demonstrating that the proposed data processing is necessary to achieve the purpose; 3) the “balance test” requires you to show that your legitimate interest “outweighs” the interests, rights, and freedoms of the data subjects (e.g., consumers). In addition, you are required to clearly inform consumers that you are using LI, and to present a prominent opt-out option.
- Forcing cookies before consent — Common practice with the ubiquitous (and CX-destroying) “cookie consent notices” is to place site cookies when the visitor arrives at the page, then to delete any collected data if consent is not granted. The ICO stresses that only those cookies that are “strictly necessary” for the provision of a service may be placed before acquiring consent — and that what is strictly necessary must be evaluated “from the point of view of the user, not the service provider.” The report states unequivocally that “cookies used for advertising purposes [of any kind, not only RTB] are not ‘strictly necessary’.” That brief sentence blows away the argument that ad-supported sites can justify tracking cookies as “essential.” In short, your choice of a business model does not lessen your data protection obligations.
- Building and augmenting customer profiles — Building and nurturing the richest possible consumer profiles is at the heart of the current era of customer-centric and personalized CX. The ICO report casts this essential practice into doubt. “The creation of these very detailed profiles, which are repeatedly augmented with information about actions that individuals take on the web, is disproportionate, intrusive and unfair in the context of the processing of personal data for the purposes of delivering targeted advertising” (emphasis added). The implication is that detailed profiles are inherently problematic under the GDPR — or at least that the DPAs will subject them to extreme scrutiny. This is all the more reason for marketers to concentrate on demonstrating trustworthiness and building mutually beneficial relationships with genuinely engaged audiences.
What’s next for RTB? (Or, the Lumascape is burning)
On any fair-minded reading of the report, it is obvious that the practitioners of today’s RTB have no chance of “winning” the battle with the GDPR and the data authorities. A system that involves thousands of organizations engaging in millisecond exchanges of billions of bid requests containing personal data (including “sensitive categories” of data such as race, religion, and sexual orientation) can hardly meet the GDPR requirements for transparency, informed consent, data minimization, and data protection by design. It’s no wonder that Johnny Ryan and others declare that RTB is a “massive and systemic data breach.”
In short, the ICO (which stresses that it is working in concert with other EU DPAs) has neutralized the industry’s “deny” tactics and substantially undermined any future effort to “defend.” They have also prescribed a hard stop on “delay” — namely, the six months between the publication of the report and “a further industry review.” While the ICO will use the time for “targeted engagement with key stakeholders,” it is not intended for ongoing debate and negotiations. “We expect to see change,” says Elizabeth Denham in the commissioner’s foreword to the report. “The rules that protect peoples’ personal data must be followed” (emphasis added).
The problem, of course, is that so much of the adtech ecosystem is inherently, essentially incapable of following the rules of the GDPR and similar regulations. It is built for data maximization, not minimization. It is based on principles of privacy violation by design. It is engineered to produce and consume very detailed profiles that the DPAs will deem disproportionate and intrusive. As I noted two years ago in an appeal to venture capitalists and other investors: “Take Scott Brinker’s 2017 MarTech supergraphic, comprised of 5,381 solutions. Without radical restructuring of the solution and/or the business model, the GDPR will make it impossible for hundreds if not thousands of those solutions to be deployed vis a vis EU residents after 25 May 2018.”
TLDR? Just take a look at the last line of the Wikipedia plot summary for Robert Altman’s “Come Back to the Five and Dime, Jimmy Dean, Jimmy Dean”:
The film ends with shots of the decaying, abandoned five-and-dime store, while the song fades and the wind blows.