Opportunity from crisis: Brand future under GDPR

As GDPR approaches its first birthday, Teavaro’s Ben McDermott reports that advertisers need to consider first party as their future, and the best way to deal with new developments and upcoming regulatory requirements.

Holding hands interlinked connectedRecent reports and stories surrounding GDPR are painting an interesting picture of the first months of this new regulation standard:
DLA Piper have released survey results estimating many thousands of data breaches in the first months of GDPR
• Google has been fined €50m in January; the biggest of over 90 fines related to GDPR
• multiple lawsuits have been brought against companies (Google, Facebook) to industry bodies (IAB); a heavy workload for regulators
It would seem that two years’ preparation for GDPR might not have been enough for some, particularly as the landscape continues to evolve, with the new ePrivacy Regulation approaching, and other regional regulations appearing too. What is positive is that regulators are aware of this and are willing to tread more lightly for now as companies adjust, rather than throwing the full force of punitive measures at those who fail to meet the regulations.
We at Teavaro have long seen the changes imposed by the GDPR Regulation as an opportunity ahead of a burden. The issues that have been most pertinent for digital marketing – lack of transparency, accountability and control – can all be addressed by the requirements of these laws. ‘Data controllers’, as defined by the regulations, should embrace the chance to make that mean something more than mere regulatory responsibility. But, as with anything desirable, this will require embracing the changes that come with that opportunity.
Technologically, the developments of this past year have flown counter to the prevailing winds of the digital marketing industry. The whole ecosystem has grown for years around an ethos of third-party: third-party solutions dealing in third-party data through third-party connections. But it is no wonder that the primary focus of GDPR has been setting a locus of responsibility in a landscape built upon the mantra of “that’s somebody else’s problem”. It should be apparent to any marketer that not having direct access to the customer (i.e. their identity and their data) is problematic. Not to mention costly. So, for the digital marketer to be given the agency to change that makes for a very powerful motivator.
What brands and publishers need to realise is that the erosion of the third-party model will continue. It is time to embrace first-party and collaborative partnerships between advertisers and media owners that unlock the unique benefits each can offer the other.
With the first anniversary of GDPR fast approaching, reviews and audits of processes, partners and policies will highlight the improvements needed. Data controllers will look to the developments of the past year, such as the updates to browser cookie policies (Safari’s recent ITP 2.1 release reducing first-party cookie life to seven days, for example), the impacts they are having upon their business model, and existing solutions for these new hurdles.
Of course, we are also looking at mid- to long-term opportunities here: the digital marketing industry is not simply going to surrender the status quo silently, as demonstrated by the delay to an ePrivacy Regulation that has already ceded several major concessions to the lobbyists. There are short-term gains to be had in changing how customer data is handled and monetised from within the data controllers themselves, but these will be incremental. Teavaro has propelled the compound benefits of these increments across our clients for several years now, and they accrue quickly. The predicted path for first-party adoption paints a positive future for digital marketers who embrace it.
By definition, where data controllers lead, the data processors – and that’s the majority of the digital marketing industry (Google and Facebook are somewhat exempt) – will be compelled to follow. This is why the introduction of first-party identifiers as an industry standard (i.e. as an effective means to control first-party data use) would greatly benefit the data controller, both media owner and advertiser. With the current reliance on third-party identification being placed increasingly under threat, a switch to first-party is the only viable alternative.
As mentioned, such a change to would require a framework of collaboration that, in some ways, already exists in the third-party ecosystem, but with an onus on consent and ‘conscious coupling’ of customers, brands and media owners. Rather than connections erring on the creepy – as neither controllers nor customers have any view or understanding of how adverts follow them around online channels and across devices – a wider first-party-driven ecosystem would increase the active engagement of data subjects (though issues such as consent fatigue need to be and are being addressed). Surely something as coveted as ‘active engagement’ is an opportunity rather than a burden?
In short, advertisers will benefit from collaborating with media owner reach and engagement, and media owners will benefit from the wealth of data advertisers have on their customer to improve the value of their audiences. By matching the identification of the individual – with the consent of the data subject, of course – such collaborative partnerships mimic an existing model: the “walled garden” (e.g. Google, Facebook). There is an opportunity that the limitations of that model (e.g. the inequity of the relationship) would also be addressed in the spirit of mutual beneficence.
Indeed, an adoption of first-party as a new standard is already being forwarded by a number of cooperatives, both for media owners and for advertisers, set up to counter the influence of giants such as Google and Facebook by mimicking the power of their reach and omnipresence within the digital audience. The implementation of first-party strategy is not a huge leap for those already invested in digital transformation. Ultimately, it will put the control back in the hands of the data controller and, conveniently, the data subject, for whom these regulations were devised in the first place.