Consent and security: GDPR in the adtech ecosystem

GDPR will come into effect on 25 May 2018, representing the biggest change to data protection across the EU in a decade.

Talking to a lot of advertisers, you could be forgiven for thinking that the sky is falling. But there’s a light at the end of the tunnel, and the change does represent significant opportunities for companies smart enough to take them.

Tiffany Morris is General Counsel & Vice President of Global Privacy at Lotame, and has been having 3 – 5 GDPR-related calls a week with her clients over the last few months. Lotame has two parts to its business, both of which are going to be heavily affected by the incoming regulations.

On one hand the company operates a data management platform with a heavy client base in Europe. On the other is the Lotame Data Exchange, one of the larger third party data exchanges for licensing third party data.

So, Morris is definitely a good person to speak to about GDPR.

“We can’t escape it, it really is at the core of what we are doing in both areas,” she says.

Setting a standard

For Morris, one clear effect of the approaching implementation date is an increased desire for cooperation among the company’s clients, especially with regards to some key areas where there is still a huge amount of uncertainty.

“One of the areas that we are really focused on with clients is how to handle consent,” she says. “How do we handle lawful means of processing in a world where we are placing third party tags? We are investigating universal consent management solutions.” Consent is going to be one of the biggest issues for many companies, but the guidance available so far hasn’t been clear. The IAB released its standards for consent in November 2017, which, while useful, left many companies undecided on how they are going to implement them.

“GDPR is also a nice opportunity to explain to clients in a lot of detail about how some of the functionality works and what role we have vis-à-vis the data versus how they are controlling their own data,” says Morris. “So, one positive of GDPR is being able to get down in the weeds with clients and really show the value that we bring to the table.”

The data exchange side of the business adds a further layer of complication to the process. The recently released EU Article 29 Working Party consent guidelines lacked any specificity around the responsibilities of third parties in the ecosystem. “So, we are faced with this challenge moving forward of having a lot of data aggregators that are getting data from a lot of sources,” continues Morris. “We like the scale but we know that we need quality data, we need to know the provenance of that data, we need to be able to establish that there was a lawful means of collecting and processing it.”

Another clear effect of entering the final straight before the implementation date is the division of clients into two groups. Some have a good idea of what they need to do and are working hard to get a handle on the many grey areas. Others, however, are still struggling.

“There are ones that know what they need to do, are trying to figure it out and have the capital to hire advisors if they need them,” Morris says. “You also have those clients that are publishers and already have challenging business models and when you layer GDPR on top of that they can struggle to get their heads around the economic challenges that media businesses may be facing. It’s a pretty broad spectrum.”

The issue of consent

There are a whole host of potential obstacles for companies to stumble over in their quest for compliance. The huge diversity of data management and processing systems, as well as the wide range of data sources could all combine with faulty governance to create a serious headache for companies.

For Ari Levenfeld, Chief Privacy Officer at the world’s largest independent buy-side ad platform Sizmek, the numbers of non-complying companies could be high: “GDPR is a potentially major risk for companies that don't take steps to comply. A recent Forrester study predicted that as many as 80% of all companies will not comply with the GDPR by the May 25 deadline - half of which will choose not to comply. Conversely, companies that have decided to invest significant time and resources into GDPR compliance are positioned not just to protect themselves from regulatory scrutiny and massive fines, but also protect the interests of their customers.”

Morris thinks the biggest challenge, especially in the adtech ecosystem, is going to be establishing what the lawful means for processing data is, and passing it on through the ecosystem. Every partner involved in a particular ecosystem will have to prove that they have gained consent and that they have the right means to process the data in question.

“That’s the most challenging because if you look at how a transaction is processed and how many partners data flows through before an ad is actually served, and how many of those transactions are processed through the use of third party tags. It’s very difficult to envision how you get that chain if you are relying on consent for example,” she says.

“How do you pass that chain of consent along in real time to what may be 30 different partners before the ad is served? That is specific to our industry, and we have to figure it out as an industry because I don’t think we are going to see that guidance coming from regulators.”

The problem this creates is significant. Consent needs to start with the consumer, but they can’t be involved in providing consent at every step in the ecosystem chain, especially when they don’t have enough fingers to count the number of companies involved in using the data generated by the initial transaction.

“So much of the law is driven around the idea that consumers should understand how their data is being collected and used and that they should really have a lot of authority in deciding how it is used,” Morris explains. “That works well in a 1-2-1 relationship.

“But what is more complicated is that a hypothetical retailer is relying on a multitude of partners to use and process that data in different ways. And, particularly in adtech, so many of those partners would never have a direct relationship with the consumer, and most consumers, not because they are uneducated but because they haven’t been exposed, don’t understand how this ecosystem works.”

Providing the kind of robust disclosure that this theoretically requires, where a company lists the 10 or so ways they are planning to use and sell on a customer’s data, could mean going into so much detail that the disclosure becomes essentially indigestible for the consumer. “I think that is a really, really big challenge,” agrees Morris.

The issue of security

The focus of GDPR is principally about the privacy of consumers, about giving European citizens more control over the online data that is generated as they interact with companies. This creates responsibilities for companies not just around gaining consent to use data, but also handling it in a way that ensures it remains safe.

Security in this context means more than just making sure that the data isn’t stolen or compromised, it means guaranteeing that it is not subject to unauthorized or unlawful processing. For Levenfeld, this has created concerns among many brands that they might be lacking the technical and organisational measures needed to comply with the new requirements.

“The GDPR has numerous, specific compliance requirements around data governance and policy,” he says.

“For example, privacy by design is no longer an easy checkbox that companies may say they have considered when developing their products. Instead, considering privacy by design under the GDPR requires real effort and proof.”

At the very least companies are going to need to complete Data Protection Impact Assessments for each product or service they sell that utilises personal data. “Companies also need to explicitly define and publish their data retention periods,” Levenfeld says. “Companies should build data governance mechanisms to govern how data is collected and processed, to help ensure that they are only processing when they have a lawful basis to do so.”

With regard to security in the adtech world in particular, the emphasis for companies will be making sure that they know exactly who has access to the private data that transactions with consumers generate, both internally and externally.

“Measuring the effectiveness of your security systems with penetration testing by security specialists, regular updates and patching of software, and the creation of a Technical Organizational Measures (TOM) document are important ways to keep up to date and document your efforts,” continues Levenfeld.

“Security also includes putting a plan in place to respond to breaches and mitigate damage should one occur. At Sizmek, we recommend that companies complete table-top exercises to run through their breach response plan so key team members have experience practicing how to follow a breach response process before it actually happens.”

Focusing on quality

Another important consideration for international companies that do a large proportion of their business in Europe is whether they carry these changes over to the other parts of their operations. “I think, if you look at a few years ago, and I was guilty of it too, you would have different discussions with US clients than you would have with European or global ones around privacy,” says Morris.

In this sense, GDPR could really set a global standard for the way that businesses are expected to deal with security. “It doesn’t make sense from a cost perspective to handle privacy differently in the US and India and so on than you do in Europe. I think what you’ll see companies doing is adopting the European standard for everything, and it will become the bar.”

So, while the regulations are set to leave lasting changes across the adtech landscape, it is not an entirely negative picture. The majority of press coverage, especially in the UK, around GDPR has painted a picture of a doomsday scenario where no one is ready on the implementation date. What has been largely absent so far is any talk of opportunities that the new laws present to companies smart enough to exploit them.

“It is an opportunity for companies to really dig in cross functionality and understand how their various business units are using and processing data,” agrees Morris. “That is helpful and is a valid exercise for any company, and maybe prior to this law people weren’t doing enough in this area.

“We really see this as an opportunity to focus on data quality, because the costs of compliance are higher under GDPR, it doesn’t make a lot of sense to be throwing around large quantities of data without really understanding where it has come from and whether it brings a ROI to data buyers.”

At the heart of GDPR is the necessity to change the focus of data collection and processing from quantity to quality. It is no longer going to be a reasonable strategy for companies to just hoover up as much data as they can and then try to decide what to do with it after the fact. Companies are going to be required to have clear aims and clear strategies for what they are going to do with the data they collect, and be able to articulate them in a way that doesn’t turn off consumers.

Because under GDPR a business does need to tell consumers what they are planning on doing with the data, not just what data they are using. “That is what is hard for the initial party that has the direct relationship with the consumer because they may be using that data in so many different ways and working with so many different partners all doing different things, and under the law, in theory, they need to disclose every use of how they are collecting and processing the data and obtain consent or establish a lawful means of processing for each use,” explains Morris.

A retailer, for example, could find themselves having to tell their consumers that they collect their personal information so that they can make sure that the shipping and delivery get a purchased product to the right place. The consumer is likely to give consent for this. But, the retailer will also have to say that they also sell the data to a third party so that they profit from their consumer data, and then go through the 15 – 20 other ways that they are going to use the data. The retailer is theoretically required to gain consent for each of these individual uses.

“A consumer could theoretically say that they are fine with the use of data to ship them products, but are not ok with it being sent to third parties,” says Morris.

Costs of compliance

Perhaps one of the most frequent questions that Morris is asked is whether the incoming regulations will lead to a heavier cost of compliance for companies. The answer will really depend on what type of data a company is dealing with. Many US companies could see a rise in the cost of compliance due to the wider classification of what constitutes personal data.

US companies have historically viewed personal data as being things like names, street addresses and government IDs: data that is capable of immediately identifying an individual. European law, and especially GDPR, widens this definition of personal data to include things like cookie IDs and device identifiers.

“For companies like us, who only have cookie and device identifiers, it’s a big change to treat that in the same way we would if we were collecting social security numbers,” says Morris.

This could affect the cost of compliance because if you are trading data, names and government IDs are always going to have more value than mobile advertising IDs. “So, now you take a company that has been trading only in these device identifiers, the perception is that those have lower economic value,” says Morris. “You earn less money from processing those types of data, but they are now held to the same compliance standard as a company like a bank that’s processing financial information like names and account numbers. That seems a little incongruent.”

In the end, perhaps the biggest question is what the result of GDPR will be for consumers. Will implementation actually result in a more personalized ad landscape for consumers? Is there going to be any noticeable benefit for consumers at all? For Morris, it really comes down to what consumers actually want:

“I think what they want more than anything is access to free content. That’s the world in which we have been operating, where I get access to lots of free content on the internet because I put up with the world of online advertising. I really think that is what consumers want. I think that what regulators don’t realize is, if you take away that online advertising component, which this law along with the proposed ePrivacy regulation makes a potential outcome. This means that consumers lose free content as companies put up paywalls as they need to recoup the revenue they lost from decreased advertising.”

This leads to a worry that what might appear to be a good development for consumers in the short term may end up having detrimental effects in the years to come.

“I worry that it’s going to be ‘hey, we thought we wanted more flexibility around how companies use our data and what types of ads we see, but now I’m paying for Facebook and I didn’t ever really want to do that.’”

- by Colm Hebblethwaite

4 Popular SEO Beliefs That Are Undeniably Wrong

People read a lot of bad information about SEO – but they don’t know it’s bad information.

As a result, people believe in things that make no sense at all.

That’s why, in our industry, there’s no shortage of posts about SEO myths.

However, these lists of myths often fail to mention some of the biggest myths that real SEO professionals refuse to let go of – but should.

Here are four beliefs that truly are very popular in the SEO community – and are also provably and undeniably wrong.

Also, “number four will shock you.”

This should be fun!

SEO Belief 1: Correlation Studies Tell Us How the Algorithm Works

A lot of major SEO blogs publish lists of “ranking factors”:

There’s just one problem.

These aren’t lists of ranking factors.

We don’t know every Google ranking factor.

The only ranking signals we know for sure that Google uses are the ones Google has told us.

Google does not, for the most part, tell us what information they use in order to rank sites.

Most of the things that we suspect as ranking factors are based on inference and speculation, as well as personal experience.

These lists of “ranking factors” are actually lists of how much certain things we can measure based on publicly available data are correlated with rankings.

Correlation is the mathematical way of saying “these two things happen together more often than we would expect based on pure chance.”

Correlation does not mean that the thing we are measuring is a thing that the search engine is using to rank websites at all. It has never and will never mean that.

Google does not rank websites based on “Domain Authority,” even if “Domain Authority” is a metric Moz uses.

Correlation studies are valuable because they tell us some properties of URLs that Google is ranking well. This can be a useful jumping off point for your own experiments.

A correlation study should never act as a substitute for your own experimentation and personal experience.

The best way to identify what improves rankings is to identify specific strategies, put them to use, and measure the results. If that strategy consistently causes your rankings to increase, it is a strategy you should continue using.

It’s that simple, and that complicated.

20 Things Your Website Should Do and 5 Things It Shouldn’t

Is your small business website effectively pulling in visitors, keeping them around and converting them to customers? If your website is little more than an online placeholder, it’s time to start putting it to work so you can grow your business and take advantage of the huge potential consumer base for the online market.

Today’s consumers are accessing your website from their desktops and laptops, and also from their smartphones and tablets. This checklist will help you make sure that your site is doing what it should for your small business – increasing your profits.

Your Website Should. . .

Look Professional

Sloppy, plain or homemade-looking websites are a visitor turnoff.

Have a Private Domain Name

Even if you’re using WordPress.com, investing the few dollars a month in a web host and domain name tells visitors you’re serious about your company—and makes you more trustworthy.

Be Secure

If you accept online credit card payments for products or services, your site must comply with the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council.

Have a Memorable Domain Name

Make your private domain name something easy to remember. Preferably the name of your business.

Contain Your Business Name in Text

Search engines can’t index words from your logo image. Make sure your company is findable.

Contain Your Business Address in Text

Once again—no text, no search indexing. Local search results are more important than ever, so your address should be prominent.

Have Your Company Phone Number in Click-to-Call Format

With so many people looking up businesses on smartphones, offering a one-touch way to contact you will bring you more customers.

Make Contact Info Easy to Find

Search engines aren’t the only ones that need easy access to your contact information. Make sure visitors can get in touch with you quickly and conveniently.

Tell Visitors What You Do at a Glance

Through images, succinct descriptions or both, visitors to your site should be able to figure out right away what your company does.

Highlight Your USP

Your unique selling point (USP) lets visitors know why they should stick around and do business with you, instead of clicking back to the search results. What makes you stand out from the competition?

Show Off Customer Testimonials

The best way to tell people how great your company is is through someone else’s words.

Invite Visitor Feedback

You can learn more about what’s working and what isn’t on your website—and get more testimonials—by having a feedback form for visitors.

Speak to Your Visitors—Not Your Ego

Your website content should focus on how you can benefit your customers, instead of how awesome you are.

Offer Fresh Content

Keeping your site updated makes both visitors and search engines happy. An integrated small business blog is a great way to do this.

Contain Keywords

Natural SEO (search engine optimization) strategies are essential in getting new visitors to your website.

Make it Personal

You don’t have to share your favorite colors or foods, but including the names and bios of business owners and staff on your website gives things a personal touch.

Link to Other Websites

Outbound links can help improve search engine results and make you look like a valuable resource.

Have Other Websites Link to Yours

Inbound links carry even more search engine juice.

Make Checkout Easy

The more steps customers have to go through to buy something from your website, the more often they’ll abandon their carts. Don’t make them jump through hoops for an online purchase.

Connect with Social Media

Place social sharing buttons prominently on your website for increased reach.

Your Website Should Not. . .

Have a Lot of Bells and Whistles

Like every widget and form you can find stuffed onto your home page. Clean and to the point works much better.

Use Flash Animation, Moving Text, Fancy Cursors or Music

These things are unnecessary, annoying to most visitors and slow down your loading time.

Post Images Without ALT Tags or Text Captions

Because search engines can’t read images and descriptive text helps to increase your rankings.

Have Dead Links

Ones that lead nowhere or to an error page. Check your links frequently to make sure they still work.

List All Your Products and Services

Don’t do this in one long, continuous scroll. Break things up naturally and use smart navigation to help visitors find what they need.

Have A Question?
Ready For Answers?
Call Us 1-949-954-7769
eMail us at: wantmore@teamdebello.com
