Mr Armageddon: carnage, fines will hit marketers, agencies over adtech, data from GDPR, ACCC
If you think GDPR has proven a soggy biscuit, influential privacy activist Dr Johnny Ryan might make you think twice. He's warning of a systemic upheaval to online advertising and user data collection from the EU’s General Data Protection Regulation (GDPR)...and the ACCC. It's not happened yet but it's coming. Like those who were ignored predicting the 2008 global financial crisis, think hard on this one.
"Brands are fully at risk. They don't realise this yet. They are data controllers. Article 5 [GDPR] says you basically can't broadcast personal data. You have to know where it's going to end up...you couldn't radio broadcast that personal data and a bid request when it's over an ad exchange is pretty much that."
You need to know this:
- EU privacy activists are aggressively lodging hundreds of complaints against online advertising practices; regulators are signalling more aggressive responses
- Brands and marketers are “fully at risk” of prosecution, not just adtech operatives and the tech duopoly
- The online ad industry has been lured into a false sense of security - it's taking a while but GDPR regulators will bite hard
- EU regulators will prosecute marketers as “data controllers” with full liability, even if their agency, data partners, or others, are doing the work
- Real Time Bidding (RTB) is under a huge cloud – it collects, trades and broadcasts personal data and is under intense regulatory scrutiny for GDPR breaches
- Targeting users in the “long tail” of cheaper websites with tracking data is in doubt
- Cross-device tracking unlikely to survive, threatening user data capture and frequency capping
- Personalised tracking and targeting fundamentally challenged; contextual programmatic targeting likely to return in force.
Saving privacy Ryan
Watch out for Dr Johnny Ryan, if you're anywhere near the digital media or data supply chain.
Sought out by journalists, and increasingly politicians and regulators for his ability to cut through the often bewildering complexity and opaqueness of digital marketing and advertising practices, Ryan is seen as a troublemaker by many in the online industry, adtech operatives, and big tech, particularly.
One week Ryan could be in Washington skewering the online ad business for its intrusive user tracking and data collection practices to a US Senate committee, the next he’s priming UK and Irish regulators on privacy complaints that he and others like University College London’s tech policy researcher Michael Veale have lodged to establish precedents on GDPR breaches. In the UK and Ireland, only individuals can make GDPR complaints while entities and organisations can in other EU countries.
Real Time Bidding "perverse"
Only a few weeks ago the UK Information Commissioner’s Office described real time bidding as a world of “perverse incentives” in which being “intrusive” is rewarded by better ad prices.
He cites a recent case at the European Court of Justice which puts liability on companies that feature Facebook's "Like" button on their websites to warn users that their personal data is being sent to the social media network.
"From that case, we have this understanding that if you're a marketer and you can cause data processing to happen, even if it's your agency who runs the campaign using some technology, then you're a data controller, a joint controller," says Ryan. "Under GDPR, I think it's Article 82, a data controller is fully liable in the case of damages that come out of infringement to this regulation.
"People are buying an increasing proportion of their ads that put marketers on the hook. It exposes brands to risk."
"The regulators are very, very cautious. They move very slowly and very carefully ... brands are fully at risk. They don't realise this yet. People are buying an increasing proportion of their ads that put marketers on the hook. It exposes brands to risk."
Real Time Bidding (RTB) is another area which Ryan says is in serious doubt under GDPR, and possibly Australia depending on how the Federal government acts on the recommendations from the ACCC's Digital Platforms Inquiry. Some like Brian O'Kelley, the founder of AppNexus, acquired recently by AT&T and rebadged Xandr, says you "can't stop targeting and keep doing RTB", in light of the pressure coming on the practice in Europe. Says Ryan: "If you want to use RTB for all its problems, and I'm thinking of fraud here in particular, you still can. You just have to make sure there's no personal data in the bid request. That's an easy fix."
Cross-device tracking dead
But, he says, "it will branch across to cross device tracking. That's gone unless you're doing some first-party thing with your own app. I think cross-device tracking is going to be the sacrifice that has to be made. You're going to see digital media selected like all of other media that actually works."
Ryan says that might sound terrible to someone who thinks digital is sexy. "But for anyone who's been worried about what's going on in digital, maybe digital works as well, or better, than the other media without the nonsense. It's a very good thing indeed.
"You have to remove the ability to identify the individual. The only limiting factor here is that GDPR in Article 4 says personal data or any data that could identify an individual and the data can do that on its own or in combination with other data is a breach. Provided that's not the case, well, it's ok."
Web tracking 'startling'
Ryan told a US Senate Committee as much a few months ago and it's this sort of articulation of what is happening in the online ad economy that is startling policymakers and regulators.
"When you visit a website today, pretty much any website, the following will happen," he told the Senators. "The website tells tens or hundreds of companies that you’ve never heard about, all about you so that their clients can decide whether to bid on the opportunity to show you an ad. Now, advertising is of course necessary and this makes sense but wait until you hear what information can be in those bid requests. It includes not only inferences on your sexual orientation, religion, what you’re reading, your location, sometimes right up to your GPS coordinates. But it also includes unique ID codes that are specific to you as is your social security number and this lets all these data be tied together over time by these companies you’ve never heard of and it puts them in a position to build into it profiles about you and what makes you tick and not just you but everyone you have ever known."
Ryan let that sink in. Then he continued and got a bunch of politicians engaged in the mechanics of digital advertising:
"This happens hundreds of billions of times a day today. It’s called real-time bidding. It’s a big industry. It needs investigation. The interesting thing here is if we were to switch to a safer and still good form of ad targeting like contextual, this would not happen. And actually, publishers would benefit. But those who would really benefit are the small businesses and big businesses who currently lose billions a year through ad fraud."
In the end, Ryan thinks it could be up to another two years by the time dozens of cases come through the system in Europe and establish precedents which will hit directly hit brand owners and online advertising operatives.
If GDPR has been seen by industry as an anticlimax in terms of enforcement, Ryan says hang around. There is definitely more to come.