Europe has become a “hostile” environment for digital ad tracking – but, even so, ad-tech companies must comply with the European Commission’s new General Data Protection Regulation (GDPR), according to one ad-tech firm which says it is “struggling” to cope with the new legislation.
“About six months ago, I would say that perhaps the industry had not really had a moment of reckoning yet,” says Acxiom chief data ethics officer Sheila Colclasure in this video interview with Beet.TV. “I think that moment’s come.”
GDPR came in to effect back in 2016, updating prior consumer data protection rules in a significant way. Now any global company which deals with EU citizens’ data must comply with a new and more stringent set of demands, chiefly tighter consent conditions for citizens’ data to be collected. Breaching the new rules risks incurring a fine of up to 4% of global annual turnover, up to a maximum of €20 million.
“I don’t think our industry has ever had this level of accountability codified into law,” Colclasure adds. “We are all going to have to think about … our data governance practices, quite specifically in standing up programs to govern all that data.”
The GDPR gives consumers new powers including to request decisioning by automated processes be stopped and handled by a human instead – something which could pose a big theoretical challenge to advertising technology operators.
“For our industry, for digital ad-tech, the consent mechanism was somewhat favorable or we thought it was until the guidance came out. Now it is so specified that it’s a challenge for us,” Colclasure says.
So how does her Acxiom intend to comply with the new law?
“It’s hard to do, especially on the small screen mobile,” she concedes. “It’s hard, but the consent mechanism is quite specified – it has to be validated, you have to have some sort of logging mechanism upon inspection (so that) you can demonstrate that you’ve achieved affirmative consent.”
But the changes are broader than that, and they will have a more profound impact than simply requiring paperwork.
“Now we have to think about privacy by design,”Colclasure adds. “The data protection has to be built in at the engineering layer. This is very different. We all have to stand up data governance programs in the design layer with an eye to the impact to the data subject or the individual consumer.
“There’s many other parts to the law, of course. There’s ninety-nine different articles in GDPR. We all have to at least evaluate our businesses against each of the articles and determine which ones apply and then how they apply and how we’re going to accommodate them.”