Here’s a sobering reality: Consumers don’t care about SSPs, DSPs, DMPs, or any other link in the digital ad ecosystem. If consumers’ personal data is lost or compromised, the brunt of their scorn will fall on the web publisher, even if the breach is clearly traceable to a negligent third-party player.
In an RSA survey of 7,500 consumers from France, Germany, Italy, the U.K., and the U.S., 69 percent said they have or would “boycott a company that showed a lack of regard for protecting customer data.” Also, 62 percent of these consumers would blame the company above anyone else, including hackers and third-party contractors.
The General Data Protection Regulation, or GDPR, has only heightened the risk for publishers, putting the onus on companies to ensure that any third-party data processor they use is compliant with GDPR requirements for collecting, using, and protecting personal data. GDPR enforces restrictions on sharing collected data with third parties, whether for your own purposes or for the third party’s benefit.
If you’re still in the camp who thinks that GDPR doesn’t affect you because you’re not located in the European Union (EU), think again. GDPR applies to any company in the world that collects personal information from residents in the EU. Are you willing to exclude approximately 513 million people who live in the EU from visiting your website?
Getting Consumer Consent
The GDPR defines data processors and data controllers as follows: A third-party data processor is an entity that processes personally identifiable information on behalf of a controller. These are the companies delivering the tools used to collect data. A data controller is an entity that determines how that data will be processed and for what purpose. This is any company that controls, reviews, and aggregates data about its customers. A controller is equally liable as a processor under GDPR.
GDPR requires that third-party data collection tools obtain explicit consent from consumers regarding how their personal data will be used. Consumers have to give permission for their information to be sold to data brokers; this will allow other companies to send them unsolicited offers and track their online movements. Without a requirement to give permission regarding the sale of their information in order to access a business’s product or service, many consumers just don't want to give their consent.
The regulation has no grandfathering provisions. Third-party data collected without GDPR-level consent before the regulation was enacted in May 2018 is, in effect, gone.
Additionally, fines for GDPR non-compliance can sting, reaching up to 4 percent of a company’s global revenue or 20 million euros, whichever is greater. That’s about $22 million.
What Does It Mean for First-Party Data?
GDPR is a boon to consumers’ data privacy and greater transparency for users. To many people in the industry, GDPR serves to underscore the benefits of first-party data, like ”cookies,” which doesn’t have the same regulatory or legal challenges.
To others, GDPR signals the demise of third-party data collectors as we know them. They predict that more and more companies will choose to focus on first-party data, getting to know their customers solely on their terms and nurturing a transparent one-on-one relationship.
Only time will tell if their prediction comes true. In the meantime, due diligence is key as you look into whether your third-party data collectors are on the up and up when it comes to GDPR compliance.
Learn more about Apomaya and how our breakthrough technology can help you regain visibility and control of the third-party system. We can help protect your company’s reputation and avoid legal complications due to a third party’s negligence.
To learn more about transforming your third-party ecosystem of digital advertising to a first-party one and regaining visibility and control, please: