The European General Data Protection Regulation (GDPR), which once seemed to loom in the far-off distance, is suddenly becoming an urgent priority for digital marketers, many of whom are now rushing to ensure that they will be in full compliance with the behavioral targeting and data collection mandates of the GDPR. Starting in May 2018, they simply won’t have the same latitude to track consumers and collect their personal data on the Internet, and that could call into question what has become business-as-usual among most digital marketers.
Behavioral targeting, now itself a target
For years, behavioral targeting has been one of the key elements of any digital marketing strategy. The idea is simple: track customers as soon as they arrive on your website or open up your mobile app, and then collect as much data as possible about them so that you can target them later with customized offers. By some accounts, there are often more than 100 cookies, pixels or data collection code snippets that go to work immediately as soon as you land on a popular site. Behavioral targeting is the reason that some annoying ads seem to follow you around the Internet, wherever you go.
From the perspective of the digital marketer, these pixels and cookies are pure gold – they work unobtrusively in the background, to the point that most Internet users may not even realize that they are being so thoroughly tracked. And analyzing user behavioral patterns can deliver stellar results, especially when you combine seemingly unrelated types of data – such as geolocation data and browsing history – into one complete customer profile.
The problem, though, is that most digital marketers have a very incomplete picture of their digital marketing networks and how behavorial targeting works. They may assume that they are only collecting and processing data for which they have already received consumer consent, but that’s not always the case.
According to Chris Olson, CEO of The Media Trust, a company that released a comprehensive GDPR compliance mechanism known as Digital Vendor Risk Management (DVRM) in mid-September, the reason for this confusion about behavioral targeting is simple: up to 75 percent of the code working in the background of websites or apps are from third-party vendors.
“The internet is a highly complex, dynamic environment that relies on a host of third parties to render final, consumer-facing content via websites and mobile apps,” says Olson. “The only way enterprises can control data collection is to know all of the parties contributing to the consumer experience. From there, enterprises must clearly communicate and enforce their digital asset policies regarding authorized vendor activity.”
Thus, while a company may have a very good idea of what kind of behavioral targeting its home-made cookies are up to, they may have only a very fuzzy idea of what type of data those third-party cookies are collecting. In a worst-case scenario, all of those third-party cookies, pixels and snippets of code could be collecting data and personal privacy information that would put the company in non-compliance with the GDPR behavioral targeting provisions.
Given the stiff monetary penalties associated with non-compliance, this could mean a direct hit to the company’s bottom line – so there’s a real business case to be made for adopting a GDPR compliance mechanism. For that reason, DVRM’s proprietary scanning engine scans more than 30 million sources of third-party code and millions of websites each day, providing an unprecedented view of the online and mobile ecosystems and an in-depth understanding and knowledge of the third-party partners used to deliver today’s digital experience.
The bottom line here is that advertisers and marketers must know more about a new digital campaign than just the creative — they must also understand the nuts and bolts of how that online campaign works. It’s important not to underestimate this change, suggests Olson: “Advertisers running ad campaigns need to know everything about the creative, ad tags and landing pages. When launching a campaign, it’s critical to be aware of not only the data that is used in targeting but also the prospect of data leakage and/or theft during the campaign.”
DVRM vs. the GDPR
At its core, the new DVRM compliance solution from The Media Trust is meant to provide brands, publishers and e-commerce companies with a real-time view of what’s going on in the background of their websites. The DVRM monitors a website in real-time, and when it finds potential behavioral targeting violations, attempts to resolve them with the responsible party. Since The Media Trust has partnered with over 100 digital vendors on ensuring compliance with the upcoming GDPR, it’s easy to see how the DVRM could be a real life-saver for companies who have pushed off thoughts about GDPR compliance to the last minute.
“GDPR’s impending arrival means it’s no longer feasible for IT, risk, security and ad/website operations teams to have an incomplete picture of their digital ecosystem,” says Olson. “Serving as a comprehensive GDPR compliance mechanism, DVRM not only identifies digital vendors and evaluates their adoption of an enterprise’s digital policy, but also resolves non-compliant activity. Terminating violations at the source is critical to enhancing the overall health of the global digital ecosystem.”
GDPR is just the start of more regulations to come
For companies just now starting to wrap their arms around the implications of the GDPR, there is certainly a growing sense of urgency. That’s because the same type of strict data privacy regulations could be headed to other major Western markets beyond just Europe.
For example, within the United States, the Illinois State legislature recently passed a groundbreaking data privacy bill that specifically focuses on protecting consumer geolocation data. The Geolocation Privacy Protection Act is currently waiting to be signed by Governor Bruce Rauner. According to Olson, the bill is very much in the spirit of the GDPR, “Much like the EU’s trailblazing data privacy regulation (General Data Protection Regulation or GDPR), this bill aims to give consumers some control over their personal data.” This bill would require internet companies and entities to tell consumers what geolocation data they are collecting, why they are gathering that information and with whom they are sharing it.
There’s a good reason why geolocation data is now very much in the spotlight – consumers who carry around their smartphones and tablets everywhere they go may not realize how much geolocation data is being collected about them or how it is ultimately being used. With geolocation data, companies know not only what you are doing online, but also where you are when you do it.
In one scenario, a customer walking through a shopping mall might receive a constant cascade of offers from retailers located within that mall. The first time you receive a mobile alert about a huge sale taking place near you, you might think it’s pretty nifty. But when those alerts take place repeatedly over a relatively short period of time, it’s going to seem very creepy.
In search of a compromise solution
In many ways, the new DVRM solution from The Media Trust represents a compromise solution that benefits both marketers and consumers. It ensures that marketers can continue to use behavioral targeting techniques, and also makes it possible to monitor and resolve any violations in real-time, to avoid any non-compliance issues involving data subjects. And, from the consumer perspective, it ensures that they are only making available the data for which they have already given their informed consent.
While the new compliance requirements of the GDPR may appear onerous, Chris Olson of The Media Trust is taking a more optimistic view of the situation. From his perspective, new compliance mechanisms such as DVRM might actually help organizations make sense of what he refers to as the “digital shadow IT” lurking within any company’s website architecture.
Once organizations have a more complete view of their digital ecosystems, they will be better prepared to make adjustments on the fly when new data privacy regulations – such as the new geolocation bill in the U.S. – appear on the horizon.