The FOUR segments of GDPR interpretation for programmatic
… another GDPR article, I know, but I wanted to share my thinking on how companies are interpreting GDPR ahead of May 25th, specifically in the field of programmatic marketing.
Firstly, it’s key to note that I’m writing about interpretation and not compliance. Many companies have been in consultation with law firms and advisory services for some time and have come up with how they wish to interpret the regulatory framework. Some companies are going to be incredibly stringent and others will be continuing ‘as is’.
Having said the above, it’s incredible to me that the same use cases are being interpreted in very different ways – hence the spectrum image in the header of this post. A practical example of this is with retargeting; we are seeing companies use ‘legitimate interest’ as the approach they are taking whilst others are going down the ‘explicit consent’ route.
To help understand how companies are interpreting the regulation, I have created four ‘GDPR interpretation segments for programmatic’ and given some explanation below.
- Risk Averse – choosing to eliminate risk by not sharing data
- Disciplined – acting in the spirit of GDPR and working with the ecosystem to get consent
- Shared responsibility – sharing the responsibility for their own gain
- Daring – risk taking out of necessity
1 – Risk Averse
This is a scenario which will be adopted by circa 5% of companies. This scenario means that the company will only use the data collected for themselves and their own services, and only when the user has explicitly given consent for it to be used. The company will not share this data with any other company.
This type of company is known as a controller and this will be any consumer-facing brand – so essentially publishers or advertisers.
The outlier here is DoubleClick, who are trying to piggyback off consumer-facing brands and control how the data is collected from those brands’ consumers to enhance their own products (for things such as fraud detection, ad revenue forecasting and in general their own capabilities).
Types of companies that are likely to take a risk-averse approach include: large category-sensitive brands, low-income businesses (where the fine could be crippling) and those who don’t have any legal support or have a very strict legal team.
2 – Disciplined
This is a scenario which will be adopted by circa 50% of companies. This approach is where the consumer-facing company will be the controller and they will allow other companies (processors) to use their data when the user allows for it. These companies will have paper trails in place with the processors so that if a ‘subject access request’ was triggered they would know exactly who has had access to the data and the purpose it was being used for.
Types of companies that are likely to take a disciplined approach include: the majority of advertisers and publishers who will enable a consent mechanism.
3 – Sharing Responsibility
This is a scenario which will be adopted by 5% of companies. This is where the company is forcing another company to comply so that they can use their data.
An example of this was the recent Group M saga where they were trying to pass all the responsibility on to the publisher and allegedly attempted to avoid any liability. Note – I have not seen the Data Protection Agreement (DPA) that was sent so it’s tough to comment, and they have since changed tack, but we will see a few of these types of interpretations pop up.
4 – Daring
This is a scenario which will be adopted by 40% of companies where they’ll be relying on legitimate interest, which is the part of GDPR which could be interpreted in the widest of fashions. For example, if I sign up to a mobile phone service, I should expect to get messages from them regarding my usage of that service or things I might be interested in related to that service. The problem with legitimate interest is that in some cases the companies aren’t thinking about the spirit of GDPR, which is to ensure that personal data (this includes cookies) is used for genuine consumer benefit – this is a particularly grey area for advertising. Should the consumer expect to see targeted advertising just because they visited a brand’s homepage?
The general attitude I hear with regards to legitimate interest is along the lines of ‘we will wait to see a high-profile case arise a few months post GDPR and in the meantime we’ll carry on as is – it’s likely we’ll make more money in that time than the fine itself’. Companies are also assuming that the different enforcing bodies don’t have time to fine every non-compliant company.
In some cases, these companies have no choice but to be daring because:
- Their whole business model is built on using consumer data in ways which the consumer does not know and the revenue loss would be too great
- These companies don’t have the consumer-facing relationship so can’t get explicit opt-in
- These companies might be new and are struggling to be added into consent mechanisms as processors
Types of companies taking this approach are: programmatic managed services, some third-party data providers and some independent analytics companies. This daring approach is also being undertaken by lots of brands who are simply sending email notices of updates to terms and conditions for how they advertise as opposed to getting explicit opt-in.
In a nutshell, every company is taking their own approach to GDPR. My advice to any company is to ensure that you are comfortable with the approach your partners (in whichever guise) are taking and that they align with the GDPR interpretation segment you consider yourself to be within.
As soon as I came to the realisation it was all down to interpretation at an individual company level I suddenly found some form of GDPR peace of mind... hopefully you will too.
Executive Coach | Sales Coach & Consultant | Therapist | Best Selling Author | Podcast Host
(6 years ago) Nice one, straight to the point. 2 more sleeps....
Good article, Wayne
Doctor (c) in History and bilingual journalist. University professor. Doctoral student.
(6 years ago) Good read.
Associate Director, Analytics & Retail Media
(6 years ago) Good read Wayne. An essential part of the legitimate interest is the balancing test which needs to be conducted properly. ICO have some info around this topic https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/