This month will see the enforcement of a sweeping new set of regulations that could change the face of digital marketing: the European Union’s General Data Protection Regulation, or GDPR. To protect consumers’ privacy and give them greater control over how their data is collected and used, GDPR requires marketers to secure explicit permission for data-use activities within the EU. With new and substantial constraints on what had been largely unregulated data-collection practices, marketers will have to find ways to target digital ads, depending less (or not at all) on hoovering up quantities of behavioural data.
GDPR will force marketers to relinquish much of their dependence on behavioural data collection. Most critically, it will directly implicate several business practices that are core to current digital ad targeting. The stipulation that will perhaps cause most angst is the new formulation for collecting an individual’s consent to data gathering and processing; GDPR requires that consent be active (as opposed to passive) and represent a genuine and meaningful choice. Digital marketers know that users of Internet-based services like Snapchat, Facebook, and Google technically provide consent by agreeing to these companies’ terms of service when they sign up. But does this constitute an active and genuine choice? Does it indicate that the user is willing to have her personal data harvested across the digital and physical worlds, on- and off-platform, and have that data used to create a behavioural profile for digital marketing purposes? Almost certifiably not.
Other components of GDPR that will make life more difficult and increase operational uncertainty for digital marketers include the ban on automated decision-making (e.g., applying algorithms to personal data to drive inferences and target ads) in the absence of the individual’s meaningful consent; the new rights afforded to individuals to access, rectify, and erase data about them held by corporations; the prohibition on processing of data pertaining to special protected categories as identified in the regulations; and the stipulation that data collectors must demonstrate compliance with the regulations as a general matter.
Atop all of these measures is the additional requirement that service providers like Facebook and Google make the data they hold on individuals portable. This will immediately further dis-incentivize personal data collection and implicate ad-targeting based on behavioural data; if a firm makes this data available for an individual who can then bring it to a competing service, then – barring the construction of some loophole around this measure – the incentive to collect the data in the first place weakens.
What, then, will take the place of behavioural data collection to power ad-targeting? How will digital marketers from Dior to the NBA to political campaigns channel the right marketing messages to the right eyeballs at the right times?
For many, the answer will lie in contextual advertising. Its power lies in displaying ads based not on a consumer’s profile, but on the content that he or she is looking at in real time – e.g., a news article, website, news feed, mobile app screen or video game. For instance, if a New York Times reader is looking at a digital article about “Game of Thrones,” he might see a contextual ad placed by HBO reminding him when the new season will air. Similarly, when he’s scrolling down his news feed and pauses on a friend’s post about a new pair of basketball shoes, Facebook might alert marketers in real time and sell ad space alongside the post to the highest bidder – an ad position of high interest to companies like Nike or Reebok.
While contextual ad placement might appear difficult to execute, many advertisers already use it and we can expect the digital sector to move quickly to further support it. Leading weather forecasting firm AccuWeather, for example, makes expansive use of contextual advertising through various programs in partnership with internet platform companies among others. And though some internet companies currently lack contextual targeting options, many, like Quora, already make such options available to advertisers. We can expect such programs and practices to expand and proliferate as GDPR comes into effect. Sophisticated ad exchanges and other intermediaries are adept at rapidly understanding novel regulatory environments and developing compliant ad market infrastructures. These markets and the underlying routing of digital advertisements will likely become increasingly quick, automated, and seamless.
All this said, behavioral data collection – through the web and email cookies, location beacons, internet-use monitoring, cross-device tracking and all the rest – isn’t going to disappear entirely, of course. These practices are largely allowed outside of Europe, and sophisticated actors – including internet companies like Facebook and Google as well as advertisers like Ford and LVMH – will doubtless seek ways to work
around many of the constraints that will be imposed by GDPR within Europe. In addition, even within Europe such data collection will still be possible, but most likely with aggressively enforced transparency and consumer oversight.
The GDPR’s effectiveness won’t be known for some time after it goes into effect May 25. In theory, the result will be a more equitable digital advertising space for all players – including, perhaps most importantly, end consumers. If marketers and consumers mutually benefit from the improved transparency and trust as is expected, other jurisdictions outside the EU may well follow suit, which could spell even bigger changes for the digital ecosystem in the years to come.