GDPR: Breaking the Third-party Data Habit

Reading Time: 6 minutes

Ah, GDPR. Like the guy (or girl) you matched with on Tinder six months ago who got less interesting the more you got to know them, it just won’t go away. It keeps sliding into your DMs with teasing headlines like, “Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR” or “Washington Post offers invalid cookie consent under EU rules“. And there you were thinking you were done with it back in May, when you sent all your users that “Please respond to this email to stay on our mailing list” email and threw that giant banner about cookies up on your website.

What was merely theoretical on May 25th 2018 is now becoming all too real for certain organizations. Since GDPR came into force, complaints to the data protection watchdogs in the UK and Ireland have more than doubled, with some of the complaints being pretty wide-ranging, such as that brought by Privacy International against a handful of key players in the adtech/data industry, including Acxiom, Oracle and Criteo.

The existence of GDPR and other laws like the forthcoming Californian Communications Privacy Act (CCPA) continue to make marketers, publishers and adtech/martech firms nervous, with good reason: The law allows a maximum penalty of 4% of an organization’s global revenues for non-compliance (though most of the judgments thus far have come with fines well below this level). The question on many marketers’ lips is still, have we done enough? And if GDPR continues to tighten the screws, how can we react to protect our marketing campaign effectiveness?

Legitimate Interest, Consent, Oh My

At its heart, GDPR is all about balancing the rights and expectations of individuals with the desires of organizations that would like to gather and process their personal data. A core aspect of the law that creates this balance is a set of rules that say that organizations can process user data if they have a good reason to (that they can explain); otherwise they need to gain the individual’s explicit consent.

One of these ‘good reasons’ is called ‘legitimate interest’, which is a somewhat squishy term that means that the organization is arguing that the data processing is necessary for some aspect of their core business, and that doing so doesn’t infringe on the rights and freedoms of individuals.

The nice thing about legitimate interest is that it gives the organization some more freedom to be proactive in using data for things like digital marketing – for example, the DMA says (PDF) that an organization can automatically include customers in an email list with a ‘soft opt-in’ under GDPR, so long as it includes an opt-out, and does not share the data with third-parties.

But legitimate interest is far from a panacea – it must be balanced with the rights of the individual and their reasonable expectations. For example, it’s not ok to grab a bunch of web behavior data about an individual and pass that on to various ad networks without their consent, because the individual wouldn’t expect that to happen in the context of their relationship with the website.

So for most advertising and other ‘upper-funnel’ kinds of marketing, it’s necessary to get up-front consent from users to stay compliant with GDPR. That’s why, as users, we all have to put up with endless banners and pop-ups telling us about cookies. This is also why the IAB has invested considerable energy into defining its Transparency and Consent Framework, which allows consent to be captured in a consistent way by publishers and adtech platforms and communicated to third parties who may want to process that data for ad targeting.

Unfortunately, in a blow to the IAB’s efforts, the French Data Protection agency recently ruled that user consent cannot be automatically passed to third-party data processors such as DSPs as part of a contract. This approach is foundational to the way that the adtech industry has aimed to achieve compliance with GDPR, so it casts the whole way the industry is set up into question.

Even without the French DPA’s ruling, managing consent for personal data in the incredibly complex third-party advertising ecosystem puts publishers and advertisers at risk of violating one of the other tenets of GDPR: That consent must be captured in a way that is simple and clear enough for the user to understand. Though the average number of third-party cookies on websites has declined by around 22% in the last year, the number still stands at around 60 – raising serious questions about whether users can be expected to understand what they’re opting into or out of when they navigate the consent management interfaces on the websites they use.

All this means that advertisers and marketers need to think hard about alternative strategies for driving campaign effectiveness that do not depend so heavily upon easy access to third-party user data.

Alternative Approaches to Third-party Data

Broadly, there are two alternative paths that advertisers and marketers can take to reduce their dependency on third-party user data: Build their own first-party sources of this data, or adopt targeting strategies that do not depend on user data at all.

Gathering first-party data. Organisations that can establish a direct, digital relationship with their customers (such as online retailers, or financial services firms) can use this relationship to build a set of profile information about customers that can be used to drive effective targeted marketing. GDPR makes it clear that organizations can’t gather data for one purpose (for example, to process a transaction) and use it for another (marketing) without gathering consent and offering opt-out capabilities, but those requirements can be addressed with the right notifications and management tools.

Of course, gathering more user data is easier said than done, which is why many organizations have relied on the easier option of buying third-party data; and for some businesses that don’t have a direct customer relationship it is very hard. Organizations will have to think creatively about ways they can deliver real user value in return for gathering user data, to balance their needs with the rights of their audience.

Partnerships. Various kinds of partnership marketing, such as affiliate, sponsorship, or content marketing, have been part of the marketing landscape for years, if slightly unfashionable as the frictionless marketplace-driven world of programmatic marketing has taken off. But these kinds of approaches may have value in the future as they can unlock a publisher’s audience for an advertiser in a way that is simple to explain to users, and that they can control.

Larger brands could seek to build bilateral partnerships around data with key publishers directly, rather than going through ad exchanges or data brokers; these bilateral relationships are reasonably clear for users to understand and can be managed effectively through a Consent Management Platform. In fact, users may welcome the opportunity to review the specific brands that a publisher site is working with, rather than a long list of anonymous adtech vendors.

Contextual targeting. GDPR has provided something of a shot in the arm for contextual targeting, which is targeting based on the context in which an ad appears, such as the content it appears alongside, but also other contextual signals such as time of day and affinity with other content on the publisher’s site. Because the signals being used to drive the targeting are not user-specific, using this data is not subject to the same restrictions under GDPR. Companies like Grapeshot (recently acquired by Oracle) and Yieldbot are just two of the growing list of specialists in this field.

Creative optimization. Improvements to campaign performance can be generated by the effective use of creative optimization, without requiring any user data, by treating campaigns as a continuous test/learn/refine environment, where successive iterations of creative are created and tested against each other, with the winner(s) going on to the next round of ‘challengers’.

This is an extension of the approach that many existing Dynamic Creative Optimization vendors take, which tend to use user attributes to target many creative variants and then pick the variants that work best with a particular set of audience attributes. The advantage of an experimentation-based approach is that it can rely less on user data (though contextual data such as location, time of day and client info can still be useful) and more on the creativity of marketers to continue to drive improvements in ad performance. Companies like Revjet are championing this approach.

Inferential audience targeting. This approach uses response data from campaigns as a way of building an inferential view of audience preferences, and using this data to drive campaign planning in the future, either at an individual user level, or (even better, from a GDPR perspective) on an aggregated basis against non-user-level attributes.

As a really simple example, response data from a series of email campaigns might show that clickthrough is highest for one product category during lunchtime, while another product category drives maximum response during the evening. This could lead to a simple predictive model that optimizes send-time based on product category. Over time, a progressively expanded dataset that included campaign and offer attributes could generate quite a lot of predictive power for new campaigns.

Any model data that is at the user level is still personal data under GDPR and must be managed accordingly (and users offered the chance to opt out), but organisations that do not have another good way of gathering user data may use this technique to improve marketing relevance.

What’s next

As the global spread of GDPR-like laws continues, marketers and advertisers will need to continue to adjust to the new reality of a much more even balance of power between them and the individuals they want to communicate with. In the coming months we can expect to see the outcome of some of the high-profile complaints that have been brought against key players in the advertising industry, which will provide valuable insights into how the EU and other jurisdictions will enforce these laws into the future. If you were thinking that you were done with GDPR, think again.