GDPR is a response to widespread public concern that personal data are being indiscriminately and broadly disseminated, without any visibility as to who’s receiving the information or what they’re doing with it.
Mobile advertising is heavily impacted by the legislation. Location-based in-app advertising is firmly in the sights of the legislators: location data is explicitly named in GDPR's definition of personal data (Article 4(1) of the new General Data Protection Regulation, effective May 25, 2018), so a bare co-ordinate pair is personal data even before anything else is attached to it.
If we make the right changes, people may be more willing to accept advertising, which will drive up revenues. Force-fitting existing business processes into GDPR will result in users’ refusal to provide the consent to share the data needed for targeting, and the marginalisation of companies that rely on that information.
The changes needed include moving the processing for profiling, targeting and attribution into the SDKs running on users’ phones, to stop the dissemination of location co-ordinates and other personal data, and so protect users’ privacy.
But can’t we just claim ‘Legitimate Interest’?
While some defend continuing current practices by claiming a ‘legitimate interest’ to access personal data without the user’s consent, many legal counsel are highlighting the risks in doing that.
Look at the examples GDPR itself gives. Recital 46 cites monitoring epidemics and managing humanitarian emergencies, but as cases of vital or public interest, not legitimate interest. Recital 47 does name fraud prevention and direct marketing as possible legitimate interests, but only subject to a balancing test against what the user would reasonably expect, and Article 21 gives users an unconditional right to object to processing for direct marketing, profiling included. It is a stretch to argue that location-based profiling, which most users do not expect, passes that balancing test and overrides the user's right to privacy.
What’s needed to get user consent?
If we export personal data from users’ phones then users must consent to share that data with each company that processes the data for their own purposes. They must also be informed if that processing includes profiling and may result in direct marketing, and must be able to exercise their data rights with each company. See Pagefair’s article for an example of what will be needed if personal data is shared.
How can we get consent in volume?
How we do that depends on the type of data and there are two relevant types: location co-ordinates and advertising IDs (identifiers).
Almost everyone understands that location co-ordinates reveal where they go and so are reluctant to share them indiscriminately. Therefore, we need to minimise the number of companies that must receive location data.
The EU Commission confirmed in January that advertising IDs are also personal data. While most users are unaware of their existence, these identifiers tie together enrichment and profiling for all in-app advertising. The impacts of that decision are not yet clear, but a defensible position may be to export only the advertising ID: on its own that identifier reveals little about the user (in contrast to location co-ordinates), so the risk of compromising the user's privacy is minimal. It remains a persistent identifier that lets every recipient link their records to everyone else's, so exporting it still needs a lawful basis, and anything attached to it downstream is pseudonymous rather than anonymous.
What else is needed?
Consent is necessary but not sufficient; companies that receive personal data also need to address data protection, retention and leakage, and to perform a Data Protection Impact Assessment (DPIA) – view this ICO documentation for more details.
Personal data must be protected using techniques and procedures such as data encryption, immutable change logs and separation of duties. Adding to that, the regulation's storage-limitation principle (Article 5(1)(e)) means data may only be retained for as long as the stated purpose requires. Lastly, the legislation makes every company in the chain answerable: where several controllers or processors are involved in the same processing, each can be held liable for the entire damage (Article 82). Data leakage by a downstream company therefore represents a major risk for those upstream, especially as those receiving the information may not be aware of any limitations in the consent that was given – publishers beware!
How do we address all this?
We start from two observations: anonymous data are outside the scope of the regulation (Recital 26), and location-based targeting ultimately reduces personal data to a handful of results that can be anonymous. See this article from IAPP for more information on anonymisation.
Location co-ordinates are used in advertising essentially for three types of activity: to assign users to segments; to target them based on being in the vicinity of a location; and to determine attribution. The result of each activity is small and coarse (a segment label, an in-range flag, a converted flag) and can be formulated as anonymous data, provided it leaves the device without an identifier that ties it back to the user. Attached to an advertising ID, the same result is pseudonymous personal data, not anonymous.
Where should anonymisation happen in the ad tech stack?
Right now, that transformation happens at the downstream end of the dataflow, after the raw co-ordinates have already been shared: in RTB (real time bidding), with bids based on proximity to a location; in DSPs (demand-side platforms) that track frequently visited places; and in cloud services for geo-fencing.
If the processing is done instead as an integral part of the SDK (software development kit) embedded in the host application, and only the anonymous results are exported, then no downstream company needs to receive personal data at all. This solves the opt-in problem for location data: only the host application needs the operating system's location permission, and only it needs a lawful basis for reading the co-ordinates, because they never leave the phone.
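The following is an added example, not code from the article or from any vendor's SDK, of what the on-device processing described above looks like: the three activities listed earlier (segment assignment, proximity targeting, attribution) are computed from raw GPS fixes on the phone, and an allow-list schema then guarantees that only booleans and fence names leave the device, never a co-ordinate. The geofences, fixes, timestamps and function names are constructed for illustration.

```python
"""On-device processing of location fixes into anonymous advertising signals.

Added example, not code from the original article or any vendor SDK. All
fences, fixes and timestamps are constructed sample data; function names are
hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Sequence, Set

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:            # a raw GPS sample: personal data, never exported
    lat: float
    lon: float
    at: datetime


@dataclass(frozen=True)
class Fence:          # a geofence shipped to the device with the campaign
    name: str
    lat: float
    lon: float
    radius_m: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def inside(fix: Fix, fence: Fence) -> bool:
    return haversine_m(fix.lat, fix.lon, fence.lat, fence.lon) <= fence.radius_m


def assign_segments(fixes: Sequence[Fix], fences: Sequence[Fence], min_days: int = 2) -> List[str]:
    """Segment labels: a fence counts once it was visited on min_days distinct days."""
    days: Dict[str, Set] = {}
    for fix in fixes:
        for fence in fences:
            if inside(fix, fence):
                days.setdefault(fence.name, set()).add(fix.at.date())
    return sorted(name for name, d in days.items() if len(d) >= min_days)


def proximity(latest: Fix, fences: Sequence[Fence]) -> List[str]:
    """Proximity targeting: which fences the most recent fix falls inside."""
    return sorted(f.name for f in fences if inside(latest, f))


def attributed(fixes: Sequence[Fix], fence: Fence, impression_at: datetime, window: timedelta) -> bool:
    """Attribution: did a visit to `fence` follow the impression within `window`?"""
    return any(impression_at <= f.at <= impression_at + window and inside(f, fence) for f in fixes)


def export_allowed(payload: dict, vocabulary: Set[str]) -> bool:
    """Allow-list schema for what may leave the device: booleans and fence names
    from a fixed vocabulary, nothing else (no floats, hence no co-ordinates)."""
    for value in payload.values():
        items = value if isinstance(value, list) else [value]
        for item in items:
            if isinstance(item, bool):
                continue
            if isinstance(item, str) and item in vocabulary:
                continue
            return False
    return True


def build_export(fixes, fences, campaign_fence, impression_at, window) -> dict:
    """Run all three activities on-device and release only the anonymous results."""
    payload = {
        "segments": assign_segments(fixes, fences),
        "near": proximity(fixes[-1], fences),
        "converted": attributed(fixes, campaign_fence, impression_at, window),
    }
    if not export_allowed(payload, {f.name for f in fences}):
        raise ValueError("refusing to export: payload is not in the anonymous schema")
    return payload


# Constructed sample data: two fences and four fixes over two days.
SAMPLE_FENCES = [
    Fence("gym", 51.5007, -0.1246, 100.0),
    Fence("store", 51.5155, -0.1419, 150.0),
]
SAMPLE_FIXES = [
    Fix(51.5008, -0.1245, datetime(2018, 5, 1, 7, 30)),   # gym, day 1
    Fix(51.5006, -0.1247, datetime(2018, 5, 2, 7, 45)),   # gym, day 2
    Fix(51.5300, -0.1200, datetime(2018, 5, 2, 9, 0)),    # elsewhere
    Fix(51.5154, -0.1418, datetime(2018, 5, 2, 11, 0)),   # store, day 2
]
IMPRESSION_AT = datetime(2018, 5, 2, 10, 0)
ATTRIBUTION_WINDOW = timedelta(hours=4)


def demo() -> dict:
    return build_export(SAMPLE_FIXES, SAMPLE_FENCES, SAMPLE_FENCES[1], IMPRESSION_AT, ATTRIBUTION_WINDOW)


if __name__ == "__main__":
    print(demo())
```

The allow-list in `export_allowed` is the point of the design: rather than trying to spot co-ordinates in an arbitrary payload, the SDK only ever emits values from a closed vocabulary, so a future code change that adds a raw field fails closed instead of leaking. Two caveats apply in practice: a set of segment labels can itself single out a user if the vocabulary is large and the labels are rare (the usual k-anonymity concern), and the payload stays anonymous only as long as it is not sent alongside an advertising ID or another stable identifier.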
This may seem like a radical change, but several companies now offer such products with growing market acceptance and deployment, including at least one that also can dispense with communicating advertising IDs.
Processing personal data on the phone also has other major benefits: it reduces the need for data protection by SSPs (supply-side platforms) and DSPs, ad servers and ad networks; it minimises data retention; and it eliminates major compliance risks for publishers.
In summary: embrace the GDPR revolution
Ad tech needs to embrace GDPR and demonstrably protect users’ personal data, rather than continue trying to force-fit current business practices into the legislation.
‘Legitimate Interest’ seems neither justifiable for location-based profiling nor protective of users’ privacy. Keeping the current architecture would require users to consent to sharing data with a long list of companies they’ve never heard of, which is not viable at volume, especially for location data.
We need to change where we process personal data. We can deliver data protection and improve targeting by moving that processing onto the user’s own phone, as a part of the SDKs used to export inventory and provision advertising content.
In doing that we will also deliver what GDPR was designed to achieve – protection of users’ personal data.
Have an opinion on this article? Please join in the discussion: the GMA is a community of data driven marketers and YOUR opinion counts.
This topic and much more will be under discussion at our MINT Data Driven Marketing Summit on Wednesday April 18 in central London. GMA readers can get £100 off the ticket price. Book NOW to hear top-level speakers share their knowledge about GDPR, innovation and the new data economy.