Industry Update: Understanding GDPR in 3 Steps

Want an insider look at an Upfluence newsletter? Whether it’s new technology, key events, or regulations, we keep the team up to date on the industry by sending regular newsletters. Sometimes these letters could be useful to people outside Upfluence, and we believe this one is one of them. The GDPR law will be a game changer for the whole advertising industry. It takes effect on May 25th, 2018, so there’s still time to become informed. Happy reading!

Part 1: Understanding 20 (messy) years of online targeting in 3 minutes

Historically, companies have relied on two types of advertising: search and display. The first is triggered by queries in a search engine, whereas the latter is based on navigation history. During the early 2000s, targeting based on navigation was handled by the search engines (Microsoft, Yahoo, Google, to name a few). They would classify and sell navigation history for advertising. It was globally inefficient: as people visited all kinds of websites, in the end everyone was triggering every website category (news, sport, gaming etc.) and thus every type of ad. Display campaigns back then were cheap (low CPMs) and promoted as a way to increase a company’s notoriety (not to sell). Since then this targeting issue has been solved in a couple of ways:

Google & Co. decided to use their users’ data.

Remember when Gmail was offering 1Gb free storage when competition was at 20Mb?! They figured out how to offer their users’ data to advertisers in order to target people on the Internet. Today you can target women, men, GOP voters, pet owners, divorced men etc. Here is what it looks like:

Household incomes ($k per year) for people who vote Democrat.

Companies outside of Google & Co. began to use third party data.

Not only are companies collecting data themselves to enrich their own in-house CRM and marketing, there is now an entire industry dedicated to the selling of data. Ad exchanges sell aggregated data to data re-sellers like Facebook and Co. which then use that data to sell targeted advertising to companies. In case you have a doubt, Facebook is currently buying data from Acxiom, Datalogix and Epsilon. You’ve likely never heard about these companies before but that might all change with this new law.

Part 2: What you need to know about Online Targeting in 2017

Up until now, it has been extremely easy to collect data. The only requirement was that the user “opted in”, or agreed to share. When clicking “OK” (usually without really reading the T&Cs), individuals agree to the use of cookies – from that website and all of its networks (clients, providers, etc.). It’s like a virus: you spread the right to be targeted super easily and fast, without even really knowing it.

Which has contributed to the success of Ad blockers.

Thing is, the issue has become so obvious that Google itself (and then Apple) started offering ad blockers built into their own browsers. Yes, Google is offering to block ads previously sold by Google. It didn’t just happen like that. The IAB had to apologize in 2015 after the US FTC threatened the whole industry – which might be another signal for GAFAS, but here we are.

People are pissed off

Why is everyone crazy about data and advertising? Because it has a tremendous POWER OF SELLING. Imagine that you are working for Mastercard: with the right set of data you can target Visa clients that live in Manhattan with a high payroll. As you can imagine, this data is powerful (and expensive) but clients are ready to pay for it in order to secure their ROIs. That’s why CPMs have only continued to rise since the early 2000s.

To Summarize:

  1. Display advertising has become super efficient thanks to data (demographic, behavioral etc.)
  2. This data is sold by third parties and Google/MS/Facebook etc.
  3. Google/MS/Facebook etc. are purchasing this data, to sell it to companies buying advertising on their platforms
  4. Regular companies are buying advertising but also collecting data themselves from their own websites to enrich their proprietary databases (CRMs, DMPs etc.)

Part 3: The (European) GDPR law

Europe finally passed the General Data Protection Regulation law. In case you’re wondering how we legislate:

This law aims to regulate the exchange, ownership, storage, and utilization of data. These obligations will apply to any company (in and outside EU) that stores data about EU citizens. Companies with such data will have to disclose:

  1. Who is gathering data and who is responsible for it?
  2. Why is this data gathered?
  3. Why is it legitimate?
  4. Timing & security:
    1. How long have you been gathering data?
    2. How long will you be storing it?
    3. How are you preventing someone from accessing it? (security)
  5. With whom will you be sharing data?
  6. What are you doing with it? How do you process it if the process is automated?
  7. How can EU citizens access, modify, export or delete it?

Article 4 §1 defines the “data” to which the law is applicable:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

I highlighted the most important words of the article. We’re not just talking about history cookies either: it includes all geolocation and behavioral information. Here’s an idea of what future disclaimers might look like:

(courtesy of Page Fair). This is the new standard for explicit consent (article 6).

Immediate consequences for the advertising industry include (but are not limited to!):

  1. Explicit consent is widened to all gathered data and any data processed in the future that aims to identify someone in person, even indirectly. It requires all that you can see above.
  2. If a website visitor does not agree with the terms, you cannot exclude her/him from your content or services. => no blockers of ad blockers allowed! (we saw you coming Axel Springer!)
  3. Facebook, Google and other companies with a platform should be globally spared by this law. They require your consent once you’re signed in, and you give your consent when you sign up/in. That being said, there is a distinct possibility that they might end their partnerships with European data re-sellers.
  4. This will end the programmatic advertising operations in Europe as we know them. While it might not kill the industry (see case of Facebook, Google & Co. further), it will certainly restrain big actors like data sellers, ad exchanges, and top tier agencies specialized in display advertising (see point three.)

To take away: Programmatic advertising, or the way display advertising is bought and sold nowadays, is exactly the type of advertising targeted by the GDPR law. Companies that rely on data should become familiar with this law as fast as possible because the deadline is approaching.
