Home / Legal & Compliance

A GDPR revolution for location-based in-app advertising ‘to benefit consumers and the industry’

By / Rodric Bark / In Insight /

Some industry commentators have called time on the current ad tech ecosystem for in-app advertising, citing GDPR – the incoming data protection regulation – as its death knell. But Rodric Bark sees this as a GDPR revolution – an opportunity for the industry rather than a threat, delivering data protection and improving targeting. Here’s how:

GDPR is a response to widespread public concern that personal data are being indiscriminately and broadly disseminated, without any visibility as to who’s receiving the information or what they’re doing with it.

Mobile advertising is heavily impacted by the legislation. Location-based in-app advertising is firmly in the sights of the legislators as location co-ordinates are called out by GDPR (the new General Data Protection Regulation, effective May 25, 2018) as particularly sensitive.

If we make the right changes, people may be more willing to accept advertising, which will drive up revenues. Force-fitting existing business processes into GDPR will result in users’ refusal to provide the consent to share the data needed for targeting, and the marginalisation of companies that rely on that information.

The changes needed include moving the processing for profiling, targeting and attribution into the SDKs running on users’ phones, to stop the dissemination of location co-ordinates and other personal data, and so protect users’ privacy.

For an in-depth review of GDPR’s impact on mobile advertising view this white paper co-authored with Cordery, legal counsel specialised in GDPR.

But can’t we just claim ‘Legitimate Interest’?

While some defend continuing current practices by claiming a ‘legitimate interest’ to access personal data without the user’s consent, many legal counsel are highlighting the risks in doing that.

Look at the example domains listed in GDPR – preventing fraud, monitoring epidemics, managing humanitarian emergencies; it’s a stretch to see advertising as a justification to override the user’s right to privacy.

What’s needed to get user consent?

If we export personal data from users’ phones then users must consent to share that data with each company that processes the data for their own purposes. They must also be informed if that processing includes profiling and may result in direct marketing, and must be able to exercise their data rights with each company. See Pagefair’s article for an example of what will be needed if personal data is shared.

How can we get consent in volume?

How we do that depends on the type of data and there are two relevant types: location co-ordinates and advertising IDs (identifiers).

Almost everyone understands that location co-ordinates reveal where they go and so are reluctant to share them indiscriminately. Therefore, we need to minimise the number of companies that must receive location data.

The EU Commission confirmed in January that advertising IDs are also personal data. While most users are unaware of their existence, these identifiers tie together enrichment and profiling for all in-app advertising. The impacts of that decision are not yet clear, but a defensible position may be to export only the advertising ID, as alone that identifier reveals little about the user (in contrast to location co-ordinates), so the risk of compromising the user’s privacy is minimal.

What else is needed?

It’s necessary to have consent but not sufficient; companies that receive personal data also need to address data protection, retention and leakage, and to perform a Data Protection Impact Assessment (DPIA) – view this ICO documentation for more details.

Personal data must be protected using techniques and procedures such as data encryption, immutable change logs and separation of duties. Adding to that, the regulations prescribe that data should only be retained for the minimum duration. Lastly, the legislation renders companies collectively responsible for any infringements. Data leakage by a downstream company represents a major risk for those upstream, especially as those receiving the information may not be aware of any limitations in consent – publishers beware!

How do we address all this?

We start from the observations that anonymous data are exempt from the regulations, and that location-based targeting eventually transforms personal data into anonymous data. See this article from IAPP for more information on anonymisation.

Location co-ordinates are used in advertising essentially for three types of activity: to assign users to segments; to target them based on being in the vicinity of a location; and to determine attribution. The results of each of these activities can be formulated as anonymous data.

Where should anonymisation happen in the ad tech stack?

Right now, that transformation happens at the extremities of the dataflow, for instance in RTB (real time bidding), with bidding based on proximity to a location, in DSPs (demand-side platforms) that track frequently visited places and in cloud services for geo-fencing.

If the processing is done instead as an integral part of the SDK (software development kit) used by the host application and the exported results are anonymous, then there aren’t any downstream companies that need to receive personal data. Clearly, this solves the problems of opt-in for location data, with only the host application needing permission to access location co-ordinates.

This may seem like a radical change, but several companies now offer such products with growing market acceptance and deployment, including at least one that also can dispense with communicating advertising IDs.

Processing personal data on the phone also has other major benefits: it reduces the need for data protection by SSPs (supply-side platforms) and DSPs, ad servers and ad networks; it minimises data retention; and it eliminates major compliance risks for publishers.

In summary: embrace the GDPR revolution

Ad tech needs to embrace GDPR and demonstrably protect users’ personal data, rather than continue trying to force-fit current business practices into the legislation.

‘Legitimate Interest’ seems neither justifiable, nor would using it protect users’ privacy. Keeping the current architecture would require users to consent to share data with a long list of companies they’ve never heard of, which is not viable at volume especially for location data.

We need to change where we process personal data. We can deliver data protection and improve targeting by moving that processing onto the user’s own phone, as a part of the SDKs used to export inventory and provision advertising content.

In doing that we will also deliver what GDPR was designed to achieve – protection of users’ personal data.

Have an opinion on this article? Please join in the discussion: the GMA is a community of data driven marketers and YOUR opinion counts.

This topic and much more will be under discussion at our MINT Data Driven Marketing Summit on Wednesday April 18 in central London. GMA readers can get £100 off the ticket price. Book NOW to hear top-level speakers share their knowledge about GDPR, innovation and the new data economy.

Username

Basic Information

First Name *

Last Name *

Company *

Job Title *

Country *

Account Information

Password

Confirm Password

E-mail Address

Confirm E-mail

Biographical Info

Share a little biographical information to fill out your profile. This may be shown publicly.

Terms and Conditions

Terms and conditions – website usage

Welcome to the Global Marketing Alliance (GMA). The GMA website is a product of the Global Marketing Alliance Ltd. If you continue to browse and use this website, you are agreeing to comply with the following terms and conditions of use, which together with our privacy policy, govern GMA’s dealings with you in relation to this website. If you disagree with any part of these terms and conditions, please do not use our website.

GMA may amend these Terms and Conditions at any time by posting the amended Terms and Conditions on the GMA site.

The term GMA or ‘us’ or ‘we’ refers to the owner of the website whose registered office is at 7a Queen Street, Godalming, Surrey, GU7 1BA, UK. The term ‘you’ refers to the user or viewer of our website or to those who become members of GMA.

The use of this website is subject to the following terms of use:

The content of the pages of this website is for your general information and use only. It is subject to change without notice.
The information provided and the opinions expressed in this website represent the views of the authors and contributors.
Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. We are not liable for any inaccuracies or errors.
Your use of any information or materials on this website is entirely at your own risk, it is your responsibility to check that the information available meets your requirements.
This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
Information on this site may be contributed by our members or other contributors (including in blogs). We do not control the information they provide and are not responsible for the views expressed
If you believe that your intellectual property rights have been infringed on this site please notify us. We accept no liability for infringements as a result of user generated content but we will take reasonable action to remove such content where possible.
Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.
Every effort is made to keep the website up and running smoothly. However, we take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
We reserve the right to refuse, suspend or cancel your access to the site at any time and without notice.
If you are acting as an employee, you warrant that you are authorised to enter into legally binding contracts on behalf of your employer. You further warrant that your employer agrees to be bound by these Terms and Conditions.
Purchases of training products or delegate places at events advertised on this site are subject to the terms and conditions of the providers.
Your use of this website and any dispute arising out of such use of the website is subject to the laws of England, Northern Ireland, Scotland and Wales.

Copyright notice

Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:

you may print extracts for your personal and non-commercial use only
you may refer to and quote from the content for review or reference purposes within the limits of “fair dealing”, but only if you acknowledge the website as the source of the material
You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

I agree to the Terms and Conditions

Full Name LEAVE THIS BLANK