
Too many marketers not ready for Europe’s looming digital privacy law

The GDPR is on the top of marketers’ minds as more and more are realizing their data infrastructure and processing are not up to snuff.

  • GDPR, a monster European consumer privacy regulation designed to protect people's web data, is coming soon. And many big marketers aren't ready, say ad experts.
  • While some data-versed marketers are investing to make sure they are compliant with the law, others seem paralyzed or overconfident.
  • The law's implications are often seen as a bigger challenge for ad tech firms or publishers.
  • When it comes to using data for digital marketing, "no one’s fine," said one high ranking ad executive.

GDPR is coming, and many big brands are treating it the same way college kids treat finals: I'll cram the night before.

Some are even acting as if the looming European consumer privacy law called General Data Protection Regulation (GDPR) doesn't even really apply to them. Regardless, GDPR goes into effect on May 25. And digital ad experts say that among marketers, the level of preparedness is all over the map.

Some are taking every precaution to make sure they've got all the permissions they need from consumers to use their data for marketing purposes, according to ad executives versed in GDPR's impact. And they're also taking measures to make sure it's easy for consumers to opt out of data collection.

But according to experts, a good number of marketers are either frozen like deer in headlights, putting off dealing with GDPR until the last minute, or simply feeling too confident, seeing the law as somebody else's problem (think publishers or ad tech firms).

This seems particularly true among marketers who collect "first party data" from consumers, ranging from brands that sell items to consumers and gather basic information like people's shipping addresses to marketers who collect info from people whenever they mail someone a prize or a sample for participating in a survey or promotional sweepstakes.

"We meet with executive teams [at big marketing firms], and you get a range of responses," said Adrian Newby, chief technology officer at Crownpeak, which provides web management technology for brands such as HP and Unilever.

"[They go] from, 'this doesn't really affect us,' to 'does that affect us?'"

That's because these brands, generally speaking, ask for, and get permission for, consumer data. When people voluntarily sign up for an offering from a big marketer – whether that's an email newsletter promoting sales, or a chance to win a trip by mailing in a number of cereal box tops – that marketer often sees that consumer data as theirs. So many assume they are automatically GDPR compliant.

But it might not be so simple. 

GDPR is really complicated. So it's easy to put off dealing with it.

Let's review what's going on with GDPR. Basically, any company that does business with European citizens will have to get consent from people to use their data, and make it very clear and easy to opt out of data collection.

Since most big digital media and ad tech companies and brands operate globally, they need to think about GDPR.

As Newby explained, GDPR puts companies into two buckets: you're either a "controller" or a "processor." AdExchanger breaks this down in great detail here.

  • A controller is essentially the party that actually decides what data is collected and what is done with it.
  • A processor may use data for marketing purposes, but only within the limits of the controller’s instructions. An example might be a payroll processing company that works with a big brand, according to this detailed GDPR Medium explainer.

It seems as though ad agencies would prefer to consider themselves processors. It's safer to be a processor, because controllers are the ones with primary responsibility and likely to get hit with big fines.

"Processors may only act on the controller’s instructions," said Newby. "The penalties fall on the controller. But the processor has obligations too. Both parties need to put in contracts what does and doesn't fall on them. GDPR says there has to be consent or some other lawful basis for collecting personal data. A processor can land a controller in hot water if they go beyond their mandate and try and hide behind their status."

Here's where it can be challenging: sometimes consumers have a relationship with a controller (like a website they visit), but their data is really in the hands of a processor (like a company delivering ads to that site that is using data to target that person).

"There is a tension in that relationship," said Newby. "A processor can screw over a controller, especially if they are a large organization trying to stick to their own business model. So both sides are trying to hedge their risk."

Recent ad industry news may give some marketers a false sense of GDPR security. Or they just have expensive lawyers. 

Case in point: The ad tech company Drawbridge recently pulled its business out of Europe because of GDPR. That's how serious the law is for tech firms that rely on consumer data.

Yet contrast that with recent headlines such as "Marketers don’t expect the sky to fall with GDPR" and "Brands that respect consumer data needn't be fazed by GDPR."

The truth is, "no one’s fine," said one high ranking ad executive.

If that's true, there's a lot of money at stake, as fines for potential GDPR violations are no joke: they start at 10 million euros and go up to 4% of profits.

Thus, the digital data-focused startup mParticle has been actively looking to get brands up to speed in recent months.

"Some brands are absolutely committed to staying ahead of this issue, and investing in the tech infrastructure," said mParticle CEO Michael Katz. "And some brands don’t have their customer data strategy in order, including the tech to execute that strategy, but are going policy heavy and legaling up."

Newby said he's seeing a similar pattern. Many brands are blissfully ignorant when it comes to GDPR. And many others have hired lots of lawyers to cover themselves. Or at least make them feel covered.

"There are a couple of camps we are seeing," he said. "Some brands are thinking, 'getting consent is impractical, so I'll make a legal case for how I already operate. What can I get away with and build a case that I'm doing something?'"

Still other brands are simply crossing their fingers. "I'll be happy if someone else gets hit first," said Newby.

To be sure, companies like mParticle and Crownpeak would seem to have a vested interest in saying that GDPR requires lots of attention, since they peddle services designed to help digital media players get prepped. 

The online ad industry has a long history of vendors – like, say, anti-fraud tech firms – talking up just how big the problem is that only they can solve.

But given how complicated GDPR is (it has 99 articles), and the scrutiny in the marketing world over consumer data (see: Facebook) the law seems sure to have some impact.

Some brands seem to think they don't have to worry

As the high ranking ad executive explained, some brands are on top of this, because consumer data is so central to their business. Think airlines with frequent flier programs, and banks. "They are taking it very seriously," he said.

But then there are marketers who have collected lots of consumer information for pure marketing programs. "They think, 'Well, we’ve got 100 million records from corn flake packages or whatever, and we've got permission from those consumers.'"

Permission is fuzzy though.

"Regarding brands, once you have consent, it's not a free ride," said Newby. "Users can withdraw consent at any time."

Beyond fickle consumers, when marketers get information from consumers, sometimes they'll use that data in all sorts of ways. But GDPR limits that. For example, "a bank may have your log in data," said Newby. "It doesn't mean they can use your credit card info and sell it to other companies."

What's a brand to do about GDPR?

Another big challenge for brands: large companies often have multiple divisions compiling consumer data at different times and in different ways. So even if the marketing group is thinking proactively about GDPR, that doesn't mean there's any centralized, coordinated effort in play.

Katz argues for companies to invest in tech to help pull all this together, and get out in front of the issue. "If your [organization's] policy doesn’t have the supporting tech, you can’t actually enforce anything....a lot still treat data reactively."

On the flip side, companies that get organized about consumer data may unlock new opportunities, Katz argued. 

Regardless, the time is now to do something. "It’s coming fast," Katz said. "A lot of people are going to be scrambling those last few days, and if that’s the situation you are finding yourself in, you’re going to have massive exposure."
