The European General Data Protection Regulation (GDPR), which once seemed to loom in the far-off distance, is suddenly becoming an urgent priority for digital marketers, many of whom are now rushing to ensure that they will be in full compliance with the behavioral targeting and data collection mandates of the GDPR. Starting in May 2018, they simply won’t have the same latitude to track consumers and collect their personal data on the Internet, and that could call into question what has become business-as-usual among most digital marketers.
Behavioral targeting, now itself a target
For years, behavioral targeting has been one of the key elements of any digital marketing strategy. The idea is simple: track customers as soon as they arrive on your website or open up your mobile app, and then collect as much data as possible about them so that you can target them later with customized offers. By some accounts, there are often more than 100 cookies, pixels or data collection code snippets that go to work immediately as soon as you land on a popular site. Behavioral targeting is the reason that some annoying ads seem to follow you around the Internet, wherever you go.
From the perspective of the digital marketer, these pixels and cookies are pure gold – they work unobtrusively in the background, to the point that most Internet users may not even realize that they are being so thoroughly tracked. And analyzing user behavioral patterns can deliver stellar results, especially when you combine seemingly unrelated types of data – such as geolocation data and browsing history – into one complete customer profile.
The problem, though, is that most digital marketers have a very incomplete picture of their digital marketing networks and how behavioral targeting works. They may assume that they are only collecting and processing data for which they have already received consumer consent, but that’s not always the case.
According to Chris Olson, CEO of The Media Trust, a company that released a comprehensive GDPR compliance mechanism known as Digital Vendor Risk Management (DVRM) in mid-September, the reason for this confusion about behavioral targeting is simple: up to 75 percent of the code working in the background of websites or apps is from third-party vendors.
“The internet is a highly complex, dynamic environment that relies on a host of third parties to render final, consumer-facing content via websites and mobile apps,” says Olson. “The only way enterprises can control data collection is to know all of the parties contributing to the consumer experience. From there, enterprises must clearly communicate and enforce their digital asset policies regarding authorized vendor activity.”
Thus, while a company may have a very good idea of what kind of behavioral targeting its home-made cookies are up to, it may have only a very fuzzy idea of what type of data those third-party cookies are collecting. In a worst-case scenario, all of those third-party cookies, pixels and snippets of code could be collecting data and personal privacy information that would put the company in non-compliance with the GDPR behavioral targeting provisions.
Given the stiff monetary penalties associated with non-compliance, this could mean a direct hit to the company’s bottom line – so there’s a real business case to be made for adopting a GDPR compliance mechanism. For that reason, DVRM’s proprietary scanning engine scans more than 30 million sources of third-party code and millions of websites each day, providing an unprecedented view of the online and mobile ecosystems and an in-depth understanding and knowledge of the third-party partners used to deliver today’s digital experience.
The bottom line here is that advertisers and marketers must know more about a new digital campaign than just the creative — they must also understand the nuts and bolts of how that online campaign works. It’s important not to underestimate this change, suggests Olson: “Advertisers running ad campaigns need to know everything about the creative, ad tags and landing pages. When launching a campaign, it’s critical to be aware of not only the data that is used in targeting but also the prospect of data leakage and/or theft during the campaign.”