If you think GDPR has proven a soggy biscuit, influential privacy activist Dr Johnny Ryan might make you think twice. He’s warning of a systemic upheaval to online advertising and user data collection from the EU’s General Data Protection Regulation (GDPR)…and the ACCC. It’s not happened yet but it’s coming. Like those who were ignored predicting the 2008 global financial crisis, think hard on this one.
“Brands are fully at risk. They don’t realise this yet. They are data controllers. Article 5 [GDPR] says you basically can’t broadcast personal data. You have to know where it’s going to end up…you couldn’t radio broadcast that personal data and a bid request when it’s over an ad exchange is pretty much that.”
– Dr Johnny Ryan, Chief Policy Officer, Brave Software
You need to know this:
- EU privacy activists are aggressively lodging hundreds of complaints against online advertising practices; regulators are signalling more aggressive responses
- Brands and marketers are “fully at risk” of prosecution, not just adtech operatives and the tech duopoly
- The online ad industry has been lured into a false sense of security – it’s taking a while but GDPR regulators will bite hard
- EU regulators will prosecute marketers as “data controllers” with full liability, even if their agency, data partners, or others, are doing the work
- Real Time Bidding (RTB) is under a huge cloud – it collects, trades and broadcasts personal data and is under intense regulatory scrutiny for GDPR breaches
- Targeting users in the “long tail” of cheaper websites with tracking data is in doubt
- Cross-device tracking unlikely to survive, threatening user data capture and frequency capping
- Personalised tracking and targeting fundamentally challenged; contextual programmatic targeting likely to return in force.
Saving privacy Ryan
Watch out for Dr Johnny Ryan, if you’re anywhere near the digital media or data supply chain.
Sought out by journalists, and increasingly politicians and regulators for his ability to cut through the often bewildering complexity and opaqueness of digital marketing and advertising practices, Ryan is seen as a troublemaker by many in the online industry, adtech operatives, and big tech, particularly.
One week Ryan could be in Washington skewering the online ad business for its intrusive user tracking and data collection practices to a US Senate committee, the next he’s priming UK and Irish regulators on privacy complaints that he and others like University College London’s tech policy researcher Michael Veale have lodged to establish precedents on GDPR breaches. In the UK and Ireland, only individuals can make GDPR complaints while entities and organisations can in other EU countries.
Real Time Bidding “perverse”
Only a few weeks ago the UK Information Commissioner’s Office described real time bidding as a world of “perverse incentives” in which being “intrusive” is rewarded by better ad prices.
Ryan, who is chief policy officer for the privacy-skewing web browser, Brave, created by the inventor of Javascript, Brendan Eich, says the market is buying an increasing proportion of online media that “puts the marketer on the hook”.
He cites a recent case at the European Court of Justice which puts liability on companies that feature Facebook’s “Like” button on their websites to warn users that their personal data is being sent to the social media network.
“From that case, we have this understanding that if you’re a marketer and you can cause data processing to happen, even if it’s your agency who runs the campaign using some technology, then you’re a data controller, a joint controller,” says Ryan. “Under GDPR, I think it’s Article 82, a data controller is fully liable in the case of damages that come out of infringement to this regulation.
“People are buying an increasing proportion of their ads that put marketers on the hook. It exposes brands to risk.”
– Dr Johnny Ryan
“The regulators are very, very cautious. They move very slowly and very carefully … brands are fully at risk. They don’t realise this yet. People are buying an increasing proportion of their ads that put marketers on the hook. It exposes brands to risk.”
Real Time Bidding (RTB) is another area which Ryan says is in serious doubt under GDPR, and possibly Australia depending on how the Federal government acts on the recommendations from the ACCC’s Digital Platforms Inquiry. Some like Brian O’Kelley, the founder of AppNexus, acquired recently by AT&T and rebadged Xandr, says you “can’t stop targeting and keep doing RTB”, in light of the pressure coming on the practice in Europe. Says Ryan: “If you want to use RTB for all its problems, and I’m thinking of fraud here in particular, you still can. You just have to make sure there’s no personal data in the bid request. That’s an easy fix.”