From GDPR to ePrivacy: a roadmap for publishers

Teavaro’s Nico Pizzolato examines the role of the publisher in the post-GDPR landscape and how media owners can traverse the journey between GDPR and as-yet-unconfirmed ePrivacy requirements with a focus on their customers.

Meeting publishers at networking events such as Mobile Marketing’s Programmatic for Publishers Summit last month, we have heard the type of concerns that are igniting new conversations in the industry. How will GDPR and ePrivacy effect programmatic? And what is the right strategy in a period in which the first is an impending reality and the second not exactly defined yet?
How can we continue to ensure and improve advertising quality in the programmatic space? What is the best strategy to adapt to the new industry UX requirements, engaging consumers with brands, and protecting or increasing publisher yield?

At Teavaro we have been grappling with these questions since our inception in 2014 – well before the legislative shake-up dictated the agenda of change – because we recognised that publishers were navigating an ecosystem marred by data leakage, increasing ad-blocking, lack of transparency, and diminishing yields for their inventory.

Informed consent
The first obvious issue for publishers is how to be strategic about their role in collecting the informed consent of the users. GDPR requires much more transparency about the use of data, and publishers need now to be mindful of how to engage users in a way that presents them with clear options and choices about the benefits users can expect in return for the use of their data. Data value exchange and user experience will be the driving forces of change in the way publishers move within programmatic.

What follows – the second issue – is what kind of relationships publishers intend to foster within the adtech supply chain to marry protection of data privacy with yield for their inventory. The forecast is that the supply chain will shrink and that big publishers, as well as brands, might manage in-house part of what they were outsourcing in terms of the handling of data.

When it comes to explaining in privacy notices how customer data is processed and who is controlling and processing that data for profiling, aggregating with what other data, and for what purpose, fewer players might be more palatable to the user than the dozens currently triggered by the typical web page request.

Supply chain mishaps
We have seen the beginning of wrangling over the wording of contracts between the buy side and the sell side. Front line data controllers, such as publishers, would want to write liability into contracts to protect themselves against any mishaps in the supply chain. At the same time large media-buying agencies – GroupM is a case in point – are allegedly trying to gain controller’s rights, forcing publishers to collect consent on their behalf as a precondition for buying inventory.

The IAB’s suggested mechanism goes in the same direction and is based on the consideration that since publishers are in the best position to obtain consent directly from users, they should do so on behalf of the whole ecosystem if programmatic is to have a chance to survive. The extent to which publishers are going to bend over backwards to get consent for ad-targeting, risking a compromise of their prized relationship with users, will depend on what opportunities they see available within these new constraints.

The third issue is how to survive and prosper in a new programmatic environment shaped by GDPR and ePrivacy. We believe that publishers can establish new business models through incremental changes in the kind of data they collect, for what purpose, how they manage it and with whom they share it.

For instance, reducing the number of identifiers publishers handle from users through their site to enable the adtech companies’ ID sync would ease the challenge of gaining consent. Teavaro facilitates a method that builds a publisher’s identifiers into an ID graph and then maps this against an advertiser’s own ID graph in a secure and transparent way. By stitching together different first-party data points, in collaboration with brands, publishers can reach a deterministic identification of their audience, without trampling the rights of privacy.

It also opens up new opportunities to enhance the audience identification and quality; ultimately, possibly mirroring aspects of the data access and control of the existing EU standard and PSD2 directive for financial services.

Legitimate interest
The GDPR deadline on 25 May will begin a period in which publishers, as well as advertisers, the wider industry and even regulators, will try to figure out what works and what doesn’t. As ePrivacy is now likely to be delayed until at least 2020, whatever precise form that may take, it is worth leveraging GDPR’s notion of “legitimate interest” as a basis for the optimisation of the customer journey, personalised offers and customer engagement.

While mindful of the uncertainty that ePrivacy casts upon this notion (will it apply to online advertising? In what shape will it survive?), legitimate interests open opportunities for internal marketing and performance management, as long as the opt-out option is guaranteed and clearly presented to users.

Furthermore, as it stands, the ePrivacy directive is still vague about the cases in which access to the service can be conditional to consent being given by the user (Article 6, commas 3a and 3b) and has been criticised for being so.

We can expect a legal, political and philosophical battle to be fought over what exactly “freely given” consent means. In the interim, of course, all in the industry must balance the different local laws implementing the EU directive on cookies (ePrivacy’s predecessor) with the requirements of the GDPR.

By balancing legitimate interest with “affirmative action”, publishers could make incremental steps to educate their readers to the value that the latter can draw by allowing a controlled use of their data; for instance, they could concoct offer propositions tailored to the kind of data the user is willing to offer access to. In this way, publishers would find themselves best positioned when, and in whatever form, ePrivacy gives users the final word about the extent to which they want to be tracked online.