Privacy, marketer risk, and the reform of adtech

The current state of adtech is putting brands at risk by placing ads next to questionable content, while marketers are at risk of not meeting the standards set by the EU’s General Data Protection Regulations. Dr Johnny Ryan, Chief Policy & Industry Relations Officer at Brave, implores marketers to demand reform of adtech.

Lawmakers across the globe appear to be embracing higher privacy standards. At the same time, CMOs are rightly uncomfortable with the digital advertising services industry. Tighter privacy law is an opportunity to clean up the industry.

Countries accounting for 51% of the global GDP appear likely to enact higher privacy standards, led by the example of the European Union, which introduced the General Data Protection Regulations (GDPR) in May 2018. The United States may also enact new standards at federal level. This global privacy trend is both a challenge and an opportunity for marketers.

For all its promise, the digital advertising services industry, often referred to as “adtech”, is a Wild West with which few CMOs are entirely comfortable. Marketers face legal hazard, opaque fees, unreliable metrics, and an acute ad fraud challenge that appears to be immune to measurement.

If the direction of travel is more regulation, then marketers should use this momentum to demand reform of adtech and help clean up an ailing industry.

Marketers face legal risk

Every time a person visits a website that uses the “real-time bidding” (RTB) adtech, intimate personal data about them and what they are viewing is broadcast in a “bid request” to tens or hundreds of companies, to solicit bids from potential advertisers’ for the opportunity to show an ad to this specific visitor. The Economist recently described this as a “data protection free zone”, because there is no control over what happens to the data about what every person is watching, listening to, and reading online.

This widespread broadcast by RTB adtech infringes Article 5(1)(f) of the GDPR, which requires that such data are tightly controlled “against unauthorised or unlawful processing and against accidental loss.” Privacy authorities in Ireland, the UK, and Poland are currently investigating, following complaints from I and others. Marketers must investigate the issues too: in June 2018, the European Union’s highest court ruled that marketers are responsible for how data is used in marketing campaigns - even if they never directly touch the data.

The European Court of Justice ruled that a marketer’s use of Facebook for advertising “gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.” In addition, the Court observed that the marketer “can ask for — and thereby request the processing of — demographic data relating to its target audience” such as age, sex, relationships, occupation, lifestyles, areas of interest, purchases and online purchasing habits, and geographical data”. According to the Court, a marketer is therefore “a controller responsible for that processing”.

This applies to RTB: marketers are liable as “controllers” of the processing undertaken by the various adtech businesses involved in the RTB system on their behalf. RTB broadcasts personal data without security in hundreds of billions of bid requests every day. It is the most massive data breach ever recorded. Marketers now find themselves liable for it because of the adtech companies they or their agencies work with.

Data protection impact assessments

Most marketers are not aware of the risk that RTB companies expose them to. Otherwise, they would already have conducted data protection impact assessments (DPIAs), as required by Article 35 of the GDPR.

DPIAs are required when AdTech is profiling and using intimate personal data (referred to as “special category personal data” in article 9) on a large scale to target people in the European market. The inescapable conclusion of any such assessment is that RTB is a “data protection free zone”, as The Economist indicated. This conclusion triggers Article 36 of the GDPR, requiring a marketer to alert a data protection regulator in an EU Member State about the risks it has uncovered.

Reform of adtech through consensual engagement

Clearly, this approach to the use of personal data is unsustainable. RTB needs reform.

Fortunately, there is a solution. A small edit of two rulebooks for what data can be included in a bid request would solve the problem. Removing or truncating 4% of the fields in the IAB OpenRTB bid request specification and Google’s Authorized Buyer specification, would put bid requests beyond the scope of the GDPR, and enable marketers to safely engage with ad auctions.

Such a revision would enable marketers to enjoy sophisticated targeting, and more of their money would go to the right place: ad fraud bots would be unable to masquerade as expensive targets, and the adtech companies that today expose marketers to risk would become unable to consume so great a share of the marketer’s budget at the expense of working media.

The one sacrifice would be cross-device tracking via RTB, but brands could attempt to remedy this problem through consensual engagement with consumers and direct integrations with publisher partners.

After the Equifax breach, the Facebook/Cambridge Analytica scandal, and a succession of similar controversies, privacy and data protection standards are on the rise. Marketers should use this momentum to reform adtech and fix online advertising. It will require hard work, bravery and a more ethical approach to how we use consumer data.