What can advertisers posit from the early market indicators in the wake of the May 25, 2018 enforcement of the European Union’s General Data Protection Regulation (GDPR)?
There are three takeaways that would seem to portend the near-term challenges for the ad industry:
- Consumers aren’t that interested in allowing companies to use their personally identifiable information to target them, contact them, monitor their online behavior or to profit from the sale of that information.
- The advertising industry as a whole was not prepared for the onset of the GDPR.
- Limitations on access to consumer data could greatly impair the efficacy of programmatic media.
The results of poll recently announced by TopLineComms found that 41% of those surveyed were “planning to opt out of current email subscriptions” with 82% indicating that they were “concerned about how companies use their data.” Many believe that the news surrounding the recent Cambridge Analytica scandal has helped to fuel consumer concerns about data privacy protection. Either way, consumers increasingly want their privacy protected and both marketers and publishers are going to have to find ways to deal with that concern and the growth in global regulatory actions in this area.
Adopted in April of 2016, the advertising industry had a two-year transition period too ready for the May 25, 2018 date, when the GDPR regulations would become enforceable. Unfortunately, too many companies proved to be lax in their preparations. According to a global study conducted by SAP Hybris, “49% of companies either have no plan for compliance or have not yet implemented one.” Readiness was made more complex because of different regulatory compliance burdens for data controllers and data processors and the role of third-party data processors. Gaining clarity among stakeholders as to who was responsible for what and how they were progressing on their compliance readiness proved challenging at best.
While early in the process, since GDPR went into effect, ad exchanges have seen dramatic drops in ad demand, with exchange volumes dropping up to 40%. According to digiday.com, “some U.S. publishers have halted all programmatic ads on their European sites.” In turn, this has led to a drop in publisher inventory in Europe. Of note, many within the industry are blaming Google for its lack of preparation and the company’s inability to vouch for whether or not its third-party exchange partners were compliant or not heading into May 25th. Unfortunately, Google did not notify advertisers of this issue until May 24th leaving them little “time to change media-buying tactics or inform clients.”
In addition, Google, Facebook and a couple of other internet portals have been hit with complaints and potential legal action by independent consumer advocacy groups over “forced consent,” claiming those entities threatened service cutoffs or restricted access if consumers did not consent to Google and Facebook’s privacy and data usage terms.
Near-term, organizations will have to focus on complying with GDPR. Looking ahead marketers, publishers and ad tech providers will need too ready for the likely expansion of privacy protection regulations to other countries and municipalities (e.g. California Consumer Privacy Act). After all, these new regulations are coming at a time when the importance of data and the value that it plays in an organization’s corporate strategy and marketing efforts has never been more critical.
Perhaps most importantly, organizations will have to focus on developing sensible solutions to placate consumers that have legitimate concerns about how their personally identifiable information will be used. This is a necessary step if using first-party data to inform audience segmentation decisions, personalize consumer communications and monitor behavior is deemed a critical element in their marketing and content strategies.
Achieving these goals will require ongoing remediation efforts and will involve personnel from many disciplines within an organization. It is for this reason that many firms may turn to appointing a Data Protection “Tsar” to lead their efforts to embellish their consumer privacy protection policies, processes and compliance efforts. Not a bad move for companies that have the means to formalize this function.
In spite of the inauspicious start by many to comply with the GDPR regulations it is never too late to heed the old adage; “Proper preparation prevents poor performance.”