With the EU’s General Data Protection Regulation now in place, publishers have (for the most part) begun requesting explicit consent from EU users for use of their data, on behalf of both themselves and of the ad tech partners they work with. While some have continued with cookie notifications which seem to assume consent via continued use of the website, others have started to force users to either accept the use of their data, or to opt out (which goes against the EU’s guidelines which explicitly state that consent shouldn’t be a condition of service).
Only time will tell how much of an impact these new consent mechanisms have on the number of users who choose to opt out, but most analysts predict that we will see a rise in users withdrawing consent, it’s just a question of how many.
In cases where consent is not given, there are limits on which kinds of information can be sent within bid requests, but this has essentially been left up to interpretation by supply-side platforms (SSPs) and exchanges. Many are choosing to be cautious, stripping out any and all information which could be considered personal.
AppNexus for example told VAN it will remove data including the user ID, GPs data, and IP address in cases where no consent is given. Smaato also confirmed that its platform will not send any advertising identifier through if consent isn’t provided.
The problem here is these user IDs are integral to the current model for how real time bidding works. “If you cannot target based off a user ID, then you cannot fully exploit the benefits of programmatic,” said Amir Malik, a digital marketing expert at Accenture. “It appears that the whole infrastructure that powers programmatic operationally may not be compliant with GDPR.”
“If you are creating audiences or persona profiles which you wish to target, and that’s being restricted by the supply channel that you’re buying media from, then you run the risk of not delivering your campaign against the correct audience and meeting the campaign objectives. I would argue that at the moment most marketers don’t fully understand this,” said Malik.
Partly, this is just fulfilling GDPR’s main goal, in that it is preventing personal data from being used by companies which don’t have consent to use it, but there are further problems caused by the stripping out of the user ID.
For example, many see contextual targeting as a solution to GDPR, with advertisers targeting ads based on the content surrounding the ad in cases where they can’t target the users themselves. Just a few weeks ago we saw several UK sports publishers launch a new alliance to pool their outstream video inventory, based in part on a belief that contextual targeting would rise post-GDPR.
But contextual targeting is also affected by the removal of user IDs, since they are used for functions like frequency capping (limiting the number of times an ad is shown to a given user). Therefore even contextual bids won’t work in any cases where a frequency cap is included.
“If you want to show ads at a specific frequency, or cap frequency, you have to rely on an identifier, for example a cookie in the desktop world or an IDFA in the in-app world,” said Arndt Groth, president at Smaato.
As a result, many are worries that the current infrastructure for programmatic trading of digital ads isn’t equipped for a world where user IDs are stripped out by exchanges and SSPs, which could hurt both publishers whose inventory becomes less valuable as a result, and ad tech companies whose platforms struggle to cope without advertising identifiers.
Some ad tech vendors believe that a simple solution is to encrypt these IDs. “There are other parties in the market who say a hashed ID, if it’s randomised, would be eligible and allowed under GDPR,” said Groth.
However, it is not absolutely clear whether sending through encrypted IDs would be considered compliant by GDPR regulators, leading to some vendors, including Smaato, to steer clear of it.
Groth says that many within the industry are awaiting clearer guidance from the EU, to help them understand exactly what is and isn’t allowed under the new laws, but this guidance hasn’t been forthcoming. He says that while in some countries, such as Austria, regulators have laid down clear guidance on what they will and won’t enforce, in many countries this hasn’t been the case. “I would have loved for Germany’s minister of commerce to do the same,” he said, but so far that hasn’t happened.
Even if regulators do come out and say that encrypting user IDs is allowable under GDPR though, Malik believes this is more of a temporary solution. “Encryption would be a short-term workaround, but the real issue is that any exchanges that are synchronising IDs need to be 100 percent certain that those IDs have been consented to, and that’s a very difficult thing to achieve right now.”
With further guidance from the EU, it may become clear that there’s no need to strip out user IDs, though it’s hard to predict whether this will happen or not. As Groth told VAN, six different lawyers will give you six different answers on what the law says. If it is necessary to remove user IDs for non-consenting users though, there may need to be a rebuild of programmatic infrastructure so it continues to work effectively under GDPR.