The EU’s General Data Protection Regulation (GDPR), which will become law next May, is stressing out the marketing industry. “I have a feeling that people are just scared,” Acxiom’s European privacy officer, Sachiko Scheuing, told AdExchanger at Dmexco in Cologne, Germany. That fear may be preventing many advertisers from speaking up in the debate over GDPR.
GDPR was supposed to establish what sort of data sites can collect without asking for an opt-in. However, a part of GDPR that’s still being drafted – called the ePrivacy Regulations – requires an opt-in for any data that is collected. This stance contradicts the more permissive parts of the GDPR, and it’s creating consternation among publishers, who argue that those with the largest audiences will have an easier time collecting opt-ins than smaller companies. This situation will allow power to accrue to only a handful of powerful players with large audiences.
“They are saying [in regulation drafts] that maybe the browser setting is sufficient,“ Scheuing said. “99.9999% of all the companies in the digital ecosystem and advertising and marketing field will not have much of a say in how the browser can function.” Scheuing teased out more of the nuances of GDPR – and explained some of the basics – to AdExchanger.
AdExchanger: What’s the background of GDPR?
SACHIKO SCHEUING: It was not created with the vision of making a stumbling block for the economy. A long time ago, when EU President [Jean-Claude] Juncker took his position, he took a look at the digital sector. He proposed a single market vision to make sure there was a legal framework to support more startups, and one of the first laws to be adopted is GDPR. The goal was to make privacy law in Europe uniform to help European economic expansion.
What are the consequences of GDPR that have everyone so worried?
You will have a maximum of 4% of your global annual turnover as sanction. You can be a DMP that is working on a margin of 10% or 20%, and they don’t give a toss. Since it’s your turnover, it could really hit companies. And they are introducing this concept of collective redress, which sounds fancy but it’s a class action in European English, which is also making people nervous. The law is applicable for companies established outside the EU, but who doesn’t sell goods and services to European consumers?
The original goal was to replace opt-ins. Why?
First, as a user I get annoyed every time I have to click “Yes, I agree.” I just got a new mobile phone and the number of times I had to do that was not normal. But the real problem is that by having the consumer click “I accept,” the legal responsibility is shoved over to the user. GDPR is going to make companies accountable by default, that they are respecting the privacy of their users. I think this is a fair deal.
What are these accountability standards?
You have to satisfy three conditions. One, you have to have a legitimate interest. The law says that direct marketing is a legitimate interest. And you have to balance your interests against the interest of the consumer, which is referred to as “balance of interest.” Condition two is that it has to meet the consumer expectation, and lawyers interpret that to mean more transparent. The third thing is that you provide an opt-out link. If you fulfill those conditions, and do have a legitimate interest, that is the legal ground upon which you can process data. That’s the one good news.
The draft of the ePrivacy Regulation, on the other hand, is requiring an opt-in.
There is a huge discrepancy between [GDPR and ePrivacy Regulation], which is a sector-specific law of GDPR. We current have the first draft from the European Commission, and they say you can only do everything and anything if you have an opt-in. On one side, you have people saying you need to think about the nature of this law. It’s supposed to be a specification of GDPR. We acknowledge that opt-in consent is not working, so why are we throwing that out of the window? The other camp, and this is often the Greens or the socialists, are saying that this is a human right, and they will not back down from an opt-in.
The opt-in requirement is not drawing raves from publishers.
Absolutely. Last week I was at a European publisher conference in Brussels, and they had a lively debate with the European reps of parliament, the commission and the industry. They were appealing to the coalition that even with the millions of readers that some newspaper publishers have, it’s still limited [reach]. If this is going to be opt-in, it’s going to be bad for consumers. Parliamentarians were saying that if users are paying with their data, publishers should just ask them for X euros to view the article. To that, the publishers said, “We are not only interested in revenue, but also wide readership. We want to spread the news, and that is going to kill information plurality, because only those who can collect opt-ins will be able to provide articles.”
Acxiom-owned LiveRamp is involved in a consortium with other ad tech companies that will create a single identifier across companies. Is there a GDPR angle behind this consortium?
The moment you are doing something with European data, it’s applicable, and we have privacy engineers at Acxiom heavily involved. What’s good about this is that [the consortium] is a pseudonymous process. Pseudonymous data is personal data, but like cookies or device IDs, I don’t know whose device ID is it unless I have the registration data.
The term comes from Germany, which has had it for decades, and it’s why Germany is flourishing despite having the toughest of privacy laws. By using pseudonymous data, you are protecting the risk a lot more. It’s important for us to sell this idea of how to use pseudonymous data, and how it can protect data but also enable economic growth and free usage. Why not put pseudonymous data into ePrivacy Regulation? Imagine the benefit it would bring to all of us, and it will be in line with GDPR.
This interview has been condensed and edited.