Rome is burning: How GDPR put programmatic at risk
As the dust settles on GDPR, it's only now that the digital marketing industry is truly understanding what it all means for programmatic, writes Myer's Bernard Wilson.
An emperor at risk
Legend has it that while a fire destroyed the city of Rome, the emperor Nero played his violin. Whilst there may be an argument as to whether making music is trivial or not, it certainly shows disregard in the midst of a state of emergency.
Is the advertising industry playing the fiddle whilst the GDPR and associated data regulation settles over the digital landscape?
There is no doubt of the timely (or untimely) convergence between the fastest growth area of data driven digital advertising and the move of lawmakers to clamp down on the way that customer data can be collected and used. Can both co-exist?
Perhaps the best illustration of a runaway train at risk of derailing is programmatic media, the fastest growing of all digital advertising: in 2017, the global programmatic market was up 59% to US$57.5bn. Zenith’s latest Programmatic Marketing Forecasts estimates that two-thirds of digital display ads will be sold programmatically by 2019.
In Australia where almost a quarter of display advertising – or $1bn – was traded programmatically in 2017, it is expected this will rise to more than 55% in 2019.
Programmatic advertising doesn’t necessarily require customer data: in its purest form, programmatic is just a form of advertising that involves the purchase and sale of advertising space conducted in real time.
However, much of the growth of the market is founded on the ability to introduce customer data into the process to allow advertisers to better target and deliver conversions from specific customers. Personalised targeting is the core idea of programmatic media buying; but serving the most relevant ads at the right time requires use of personalised information.
When that advertisement for Tim Tams appears in your news feed at 3pm, is it coincidence? No, the advertiser (or its agency) can leverage any number of data points about you – across demographics, geolocation (down to GPS location), interests, recent purchases and much more — to ensure that it reaches you right on snack o’clock.
But wait – GDPR seeks to regulate personal data, which is virtually anything that can be used to personally identify an individual. What does this mean for snack o’clock?
The GDPR specifies that in most instances “personal data” can only be used with the express consent of the consumer.
The problem with express consent
How much personal data currently being used in programmatic buying has been collected with express consent?
Let’s flip the question: when was the last time you gave consent to someone dropping a cookie, or logging or curating your IP address, device IDs, location data, or browsing trails?
Historically it was acceptable for your consent to be implied (even if inadvertent). No more: it must be obtained in an intelligible and easily accessible form.
Under GDPR, all of the above data points are considered “personal data” when used to identify an individual — as is often the case in programmatic advertising, and certainly at snack o’clock.
There is a world where the GDPR spells the end of programmatic advertising using personal data. Programmatic would remain an invaluable form of advertising, and the market could shift to targeting segments (or groups) that would avoid using data that could personally identify an individual.
It is impossible to tell how much of programmatic advertising today uses personal data (or, how little uses non-personal data); but I suspect this outcome is unlikely, as it would put an end to common practices like retargeting and frequency capping of individuals.
So on what basis can personalised programmatic continue?
Who will be impacted by the changes?
I think this is best answered by considering who in the programmatic value chain will be most impacted.
In a way, DSPs, SSPs, tag management systems, content management systems and other ad tech participants are immune. They operate as enablers rather than orchestrators.
In one sense, they will want the problem to be solved, because the growth of the market in which they operate is influenced by the ability to leverage data to generate a better ROI.
On the other hand, even without personal data they facilitate real time and measurable advertising, which is likely to grow and extend across global display markets even if personalised programmatic falls.
What will be interesting will be how seriously those companies take their obligations. Every website has dozens if not hundreds of these participants collecting data or depositing cookies, which are collected and historically passed around.
My scouring suggests the collection continues (download Google’s Tag Explorer to see for yourself): it’s over to the regulators to examine use.
I believe the onus will fall largely on consumer facing customers, as it should. Publishers, websites and our beloved global technology companies are likely to assume much of the responsibility.
Haves and have-nots
There are some entities (the have-nots) for whom consent is not going to work; post GDPR, they need to reconsider their buying and either forego programmatically targeted ads or access audiences through one of the haves. They need to be careful in pursuing the latter, because everyone involved in a GDPR breach is liable.
This leaves the haves: those with a unique combination of scaled customer interactions and customer trust, who can possibly secure the necessary consents to enable personalised programmatic advertising. One suspects the number of haves will be few – common sense suggests that most customers will decline to allow either the tracking of personal information and behaviour, or the use of targeted ads. The haves will have a strong customer relationship, and a track-record of a data driven customer experience.
So, to the original question: on what basis can personalised programmatic continue?
There should be a reduction in the scale of personal data used in programmatic advertising. However, there should also be a related increase in the quality of the data brought to bear in buying decisions. Where they are careful, the haves are sitting on a gold mine, and logically all participants will experience an increase in CPMs as competition intensifies.
Bernard Wilson is general manager loyalty, data and Myer Media at Myer.
Just explain for me once more how GDPR will affect programmatic buying of television? Or maybe Out-of-Home?
Or did you really mean that GDPR would affect the programmatic buying of the internet (aka digital but things like TV are already 100% digital, and OOH is around 25% digital)?
Shouldn’t the lede be more accurate and truthful?
User ID not verified.
The EC’s GDPR Directive had been kicking round and being vaguely complied with for some years in the EU by the time legislation was enacted in May 2018. Accordingly most marketers in Europe understand the stricter consent requirements, steps needed for compliance and how they relate to their sector.
The great levelling effect of digital means that large corporates with exposure to the EU may have to re-engineer their digital marketing strategies or systems; already Google and Facebook appear to have not fully complied.
Further, email marketing will be challenged by being restricted to organic collection of email addresses versus buying. Meanwhile the Australian MyHealth system would be problematic with dual EU citizens not being offered the option of ‘opting in’ in the first place versus automatic inclusion then ‘opting out’.
After the European summer there may be some GDPR test cases brought by EU citizens challenging non-compliance (as opposed to Oz where regulatory compliance by many corporates, business and state agencies is flexible).
User ID not verified.