Europe’s new privacy regime will disrupt the adtech Lumascape

In a year and a half new European rules on the use of personal information will disrupt advertising and media across the globe. Here are the three biggest impacts.

Since 1996 when cookies were first repurposed to track users around the Web there has been an assumption that gathering and trading users’ personal information is the essence of advertising online. This is about to change.
[prompt type=”left” title=”Access the GDPR/ePR repository” message=”A repository of GDPR and ePrivacy Regulation explainers, official docs, and current status.” button_text=”Access Now” href=”https://pagefair.com/datapolicydocs/”%5D
The General Data Protection Regulation (GDPR) is the most significant update to privacy regulation in two decades.[1] Companies across the globe will have to comply with the GDPR if they want to serve any of the EU’s 500 million people, or handle data for any European companies.[2] European regulators will have the power to fine up to 4% of a company’s global annual turnover.Among the many industries affected it will be media and advertising that will most directly affect peoples’ privacy.

The GDPR’s application sixteen months from now (25 May 2018) is likely to lower the valuations of adtech and martech companies, change user behavior, and prompt a consolidation in media and advertising that favors publishers who have trusted relationships with users.

This note describes the three biggest impacts that the online advertising and media industry should prepare for.

1. Bad news for third-party tracking.

The Regulation establishes a chain of responsibility for data and a new approach to consent that will disrupt the adtech complex, known in the industry as the “Lumascape”. Lumascapes are maps of the companies that form the bewilderingly complex digital media industry, regularly published by Luma Partners, a specialist investment banker.

Under the new rules it will be illegal for companies anywhere in the world to pass a European user’s personal information to another company, or to store these data, without agreeing a formal contract with the “data controller” (normally this is the company that requested the data from the user in the first place) that defines limits on how the data can be used.[3]

A company that uses personal information beyond these limits will have to obtain consent from users to do so, or in the specific case of direct marketing will have to inform users about what it does with the data, and of the fact that the user can object at any time to their data being used in this way.[4] Users must be informed “clearly and separately from any other information”.[5]

This will be difficult – perhaps impossible – for most Lumascape adtech and martech companies to comply with because they do not have direct relationships with users. While it is conceivable that regulators may regard this as a permissible reason not to inform users, we think it unlikely.[6]

Instead, the third parties’ lack of relationships with users will make the direct relationships that publishers enjoy with users enormously valuable. This may prompt mergers and acquisitions between the media and adtech industries. Facebook is already vertically integrated in this manner. It has both a direct relationship with its users and the infrastructure to target and deliver ads. It alone does not pass personal information to third parties in order to make money.

It is also likely that publishers and service providers will become extremely cautious about permitting tracking pixels and third party JavaScript on their webpages because they could be liable for infringements that result. This is also likely to end the current practise of introducing unexpected parties to the chain of data sharing. As a result the number of trackers on sites, cookie syncing, pixel dropping, finger printing, and so on is likely to decrease.

2. Lawsuits & fines.

By changing the rules governing who can use personal information, and how they can use it, the GDPR sets the stage for a wave of lawsuits against adtech, martech, and publishing companies.

Misbehavior will be discoverable – to an extent – because users will have the right to trace data back to its source. For example, a person who receives a marketing communication from a company is now entitled to find out where the sender’s data on them has been obtained from, and may then take legal action or complain to a regulator.[7]

Such cases may be significant because multiple companies “involved in the same processing” of a user’s personal data can each be held liable for the entire damages awarded in a case.[8] The Regulation allows non-profit privacy groups to take legal action on behalf of many users, which raises the prospect that many such cases will be taken.[9] According to TJ McIntyre of Digital Rights Ireland, “The fact that representative bodies can act on behalf of individuals will, practically speaking, be very important where actions require either specialist knowledge or deep pockets”.

The GDPR also gives regulators in each European country powers to impose severe sanctions, and each European country has the option to also impose additional claw backs on profits obtained through infringements of the Regulation.[10] Regulators will be under pressure to act decisively against companies that infringe the GDPR because the Regulation gives consumers the ability to take regulators to court for not properly responding to complaints.[11]

3. User behavior will change.

The average user is unaware of how parties across the Lumascape handle their personal information. This is likely to change as a result of two measures contained in the GDPR. First, the Regulation requires in most (perhaps all) cases[12] that an exhaustive level of detail be provided to users on how their personal information is used by every party that wants to use it, and envisages the establishment of iconography to concisely communicate data use, risks, and rights in plain language.[13] Second, the Regulation enshrines the right to access all personal information held by any company about a user.

The box below outlines the new details required in user notices, which goes far beyond current practice.

What a user must be informed about under GDPR:[14]

Who is collecting the data, and how to contact them or their European representative.
What the personal information are being used for, and the legal basis of the data processing.
The “legitimate interest” of the user of the data (This refers to a legal basis that may be used by direct marketing companies).
With whom the data will be shared.
Whether the controller intends to transfer data to a third country, and if so has the European Commission deemed this country’s protections adequate or what alternative safeguards or rules are in place.
The duration of storage, or the criteria used to determine duration.
That the user has the right to request rectification to mistakes in this personal information.
That the user has the right to withdraw consent.
How the user can lodge a complaint with the supervisory authority.
What the consequences of not giving consent might be.
In cases of automated decision-making, including profiling, what the logic of this process is, and what the significance of the outcomes may be.

In addition, the Regulation introduces a new focus on security that will further contribute to user fears. All parties that handle data are now required to protect personal information from misuse and leakage.[15] In addition, data controllers have to tell users when their personal data have been stolen in a data breach.[16] The practice of covering up data breaches will end, and users will learn how often their data are exposed.

Thus far most users have tended to favor convenience over privacy. This may change. The GDPR will confront users with the extent to which their behavior across the web is tracked, how these data are used, and how often they are stolen. The result will be a wave of paranoia about personal information. One can anticipate that users will react particularly negatively to businesses that hold their data but have no direct relationship with them.

If such a backlash does occur it will prompt users to exploit the new opportunities to opt out of tracking and other data disclosure that are also created by the Regulation. A suite of user rights are enshrined within GDPR that include access to personal information concerning them, rectification of those data, erasure or restriction of processing of those data, portability of those data from one to another service, and the right to object to automated decision making.[17] In addition, the Regulation requires that it must be as easy for a data subject to withdraw consent as it was to give it at any time.[18] The user will be able to significantly disrupt behavioral advertising as a result.

What this means

A year and a half from now the General Data Protection Regulation will be applied across the EU, the world’s largest market. It will challenge the assumptions that drove the last twenty years of behavioral advertising. The trust that publishers earn from their users will become a precious asset.

Lumascape companies will suffer unless they adapt or integrate with publishers and platforms that have built trusted relationships with users.

Global CMOs will find it easier to apply common global standards that conform to the high bar set by Europe rather than carve data concerning the world’s biggest market from all other territories. This is not the first time that global players have had to bow to European regulators.

Personal privacy is about to receive a long overdue upgrade.

Timeline: what happens next?

In December 2015 – nearly twenty years after the adoption of the Data Protection Directive – the European Commission, Parliament, and Council (of Ministers of Member State Governments) agreed its replacement: the General Data Protection Regulation.
The GDPR was ratified by the Parliament and Council in April 2016.
The Article 29 Working Party of data protection authorities, soon to become the European Data Protection Board, is to issue guidance on specifics to the industry.[19] By the end of 2016 it will issue guidance on the role of the Data Protection Officer, the new right of data portability and how to identify an organisation’s main establishment and lead supervisory authority. By February 2017 it will issue guidance on the concept of risk and how to carry out a data protection impact assessment.

Update (16 December 2016): The Article 29 Working Party has released three guidance documents concerning GDPR
Guidelines for identifying a controller or processor’s lead supervisory authority
Guidelines on the right to data portability
Guidelines on Data Protection Officers (‘DPOs’)
The Regulation will be transposed into national laws in every European Member State to have direct applicability on 25 May 2018.
The Data Protection Directive will be repealed.
Data processing already underway at that point will have to be brought into conformity with the new Regulation within two years. Consent given under the e-Privacy Directive will be acceptable under the GDPR provided that that consent was given in line with the conditions of the new Regulation.[20]
The e-Privacy Directive will be refreshed.

Your email address

NOTES

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

[2] ibid., Recitals 22, 23, 24, and 101-116, and Articles 3 and 27, paras. 1 and 3.

The Regulation requires that controllers or processors outside the EU who monitor or offer services to users in the EU must establish a representative in one EU member state who shall be addressed by supervisory authorities in relation to the Regulation.

[3] ibid., Article 28, paras. 2, 3 and 4, and Article 29.

Here is how this will operate. Current European rules require contracts between data controller and processor that guarantee that the processor handles the personal data only in the manner dictated by the controller. (see Data Protection Directive (95/46/EC) 1995 Article 17, para. 3. (URL: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046)) However, this is now backed up by new sanctions, and the GDPR will require that these contracts define the nature and duration of processing (Regulation (EU) 2016/679, Article 28, para. 3). Similar agreements must also be in place when one processor engages another (ibid., Article 28, para. 4), and a processor can only do so with express permission from the controller (ibid., Article 28, para. 2).

[4] See ibid., Article 6 (f) and Recital 47, regarding the particular focus on direct marketing. See Article 21 paras. 1 and 2 regarding the right to object at any time.

[5] ibid., Article 13 para. 1.

[6] Perhaps with reference to ibid., Article 15, para. 5, b.

[7] ibid., Article 15, para. 1 (g).

[8] ibid., Article 82, paras. 1, 3 – 4, Recital 146.

After judgement the processors or controllers who have paid full compensation can claim back part of the compensation from processors or controllers also responsible (ibid., Article 82, para. 5).

[9] ibid., Article 80, para. 1. Indeed, individual EU countries may also allow bodies to do this even without the involvement of individuals, according to ibid., Article 80, para. 2.

[10] ibid., Recital 149

[11] ibid., Article 78, para. 1 and 2, and Recital 143.

[12] There is a caveat. The European Data Protection Board may decide to issue guidance that interprets Article 15, para. 5, (b) this as unnecessary for certain categories of marketing companies.

[13] ibid., Article 12, para. 7, and Article 70, para. 1, (r).

[14] ibid., Recitals 39, 58, 60-63, and Article 13 paras. 1-2, and Article 13 and Article 14.

[15] ibid., Article 32.

[16] ibid., Article 33 and Article 34.

[17] ibid., Article 15 to Article 21.

[18] ibid., Article 7, para. 3, and Article 21, paras. 1 and 2.

[19] ibid., Article 70.

[20] ibid., Recital 171.