Increased distrust in technology and the tech industry can apparently be attributed to the growing awareness of misuse of personal data, per a worldwide poll of internet users by Dentsu Aegis Network and Oxford Economics. Sixty-four percent of respondents cited data misuse as the leading reason for distrust in tech; no other factor earned more than 26%. It seems inevitable that this distrust will continue to drive government regulations similar to GDPR.
As European programmatic ad companies struggled with plummeting revenues, and U.S. publishers pulled programmatic ads from European networks, GDPR’s effects on interactive advertising spread quickly. Many U.S. publishers either shut down European versions of their sites, or stripped them of programmatic ads. Meanwhile, advertisers expressed anger at Google—the company delayed alerting advertisers until May 24 that they could not guarantee their ad inventory would be GDPR-compliant by the May 25 rollout date, forcing advertisers to use Google’s AdX program as a default until compliance could be sorted out.
Amusingly, even with two years to prepare for the roll-out, the Association of National Advertisers (ANA) admitted their own website was not GDPR compliant. (Even the Direct Marketing Association [DMA], absorbed into the ANA in July 2018, had a compliant website.)
Data, Data, Data…
One year in, data privacy is becoming a best practice, not a response to GDPR, Amy Manus of Goodway Group told eMarketer. Following are some impacts of GDPR on business and tech operations.
- Companies are shifting from open exchanges to private market places.
- Less third-party data is available, forcing companies to streamline what data they need, and their strategies for handling and storing it.
- Consent management platforms or providers (CMPs) that collect and store customers’ consent data are gaining traction among ad-serving publishers in Europe and the UK, and 3-in-10 U.S. publishers now use CMPs. But most business websites have not yet invested in relatively new CMP products.
- Companies are hiring privacy/data protection directors.
At least on the face of it, companies are reacting as the GDPR intended. That said, consumers are not convinced GDPR has helped all that much. Marketing Weekcommissioned an Ipsos Mori study, and learned:
- Ninety-three percent of consumers had heard about GDPR, and 39% said they knew either a “fair amount” or a “great deal” about the law.
- Nearly half said they understood their rights regarding data privacy and permission-based data collection/tracking.
- 47% said they trust companies that give consumers control over how their personal data is used, and 37% say they spend more money with those brands. However…
- GDPR has made no difference at all, per 46% of respondents.
- While 25% said they “tended to agree” that overall experience with companies is better, 17% said it was actually worse than before GDPR; many noted a decline in message relevance, especially in emails.
- Forty percent of consumers don’t believe companies care about breaching data laws.
The truth is, they do care… about continuing to have access to data without falling afoul of privacy regulations. Even as more companies come into compliance, or act to anticipate regulation here in the U.S., the New York Times reports that most companies’ data privacy policies are an incomprehensible mess, requiring in most cases college-level reading skills or better. Some take a full 30 minutes to read (the average is around 18 minutes). Compared to some classic texts, Facebook’s “average” text was deemed less comprehensible than Stephen Hawking’s A Brief History of Time.
Privacy policies have evolved to become far less comprehensible; Google’s once easy-to-understand policy hovered in the need-a-PHD-in-legalese range for more than a decade before being rewritten last year to a much-improved, average-reader level. Thank the GDPR, which requires privacy policies to be written in a “concise, transparent and intelligible form, using clear and plain language.”
Albert Gidari, consulting director of privacy at the Stanford Center for Internet and Society, told the Times that data privacy policies are not written with the idea of making privacy issues more clear for users—they’re written to protect companies.
Contract Language and Liability Issues
Digital ad agencies should be alert for contractual clauses in client contracts that make the agency responsible for GDPR compliance… as well as any new U.S. data privacy regulations. The California Consumer Privacy Act, or CCPA, is due to be enacted in January 2020, and privacy legislation is in the works in the states of Washington, New Jersey and Colorado. Industry trade groups are pushing for a single, national regulation to avoid a patchwork of possibly conflicting rules. Meanwhile, concerns about GDPR have led to other more predictable behavior. Digital agencies reported that some clients shifted the burden of compliance to their interactive ad agencies.
Essentially, clients refuse to indemnify agencies from GDPR violations, even though the law is aimed at companies, not their contractors—a classic case of pushing the risk downstream. It’s not about compliance, it’s about escaping financial liability. If GDPR regulators sue a company for violating privacy protections, it is likely clients will sue their agencies. Even if the client fails to make their case, agencies could still have to pay legal fees, and suffer attendant damage to their reputations and brands.
This puts agencies in the position of dealing with compliance, or refusing work. The best strategies are to:
- Proactively discuss GDPR with clients;
- Make sure contractual language is very clear;
- Negotiate to get the best possible terms; and
- Establish a cap on indemnity.
You should not be liable for $1 million in a GDPR violation suit if the project you’re working on is valued at only $300,000.
Make sure clients also understand that including GDPR or new U.S. compliance requirements at the agency end drives up costs, extends project timelines and adds to the amount of necessary development work. Adding complexity adds cost.