Ad Tech and Privacy Law Compliance: A Complicated Relationship

Sep 27, 2019 12:00:00 AM | EU Ad Tech and Privacy Law Compliance: A Complicated Relationship

Back in June, the UK’s Data Protection Authority (ICO) released statements on their stance in regards to ad tech, saying: “If you operate in the adtech space, it’s time to look at what you’re doing now, and to assess how you use personal data” (Simon McDougall, Executive Director for Technology and Innovation at ICO). The ICO also released a report that looked into how the ad tech sector should comply with the GDPR. Below are the most important aspects to take into account if you work in or with the ad tech sector: 

Expect and accept changes

The GDPR was first introduced in May 2018. Since then, ad tech companies, just like any other company, have been making major adjustments to make sure their functions adhere to the data privacy laws set out across the EU. 

Marketing today is naturally dependent on a large amount and variety of data, as in it’s core, it bases decisions and strategies around said customer data. Consequently, the obligations of the GDPR have caused quite a bit of turmoil in regard to lead generation: from how businesses generate ads, through targeting the correct audience, right to retargeting leads.

A working paper done back in July by researchers (Goldberg, Johnson & Shriver) suggests that websites in general are facing a loss of profit as a result of the GDPR. The authors had looked into the data from web marketing service Adobe Analytics, and used different approaches to record page views and revenues. The results showed a fall by about 10% for users in the EU, after the GDPR enforcement deadline.

At the same time, the privacy law ad tech relationship isn’t all just rain and gloom, fortunately! Spice up the relationship by taking the following factors into account.

Back to reality: data collection methods and privacy policy

Despite being a lengthy task, reviewing the privacy policy and making appropriate changes to be fully compliant with the GDPR will surely give you the opportunity to build trust with current and new customers. You should pay special attention to the areas of the policy discussing:

What kind of data is being collected
What the data subjects rights are for the processings
Your legal basis for processing and handling the data
Who is gathering the data
How customers can use their rights (which also includes who they can contact)
Who is the data being shared with, and if appropriate, safeguards that are in place

It's an absolute must that the mentioned parts are written in a clear way, providing customers with the full picture on how their data is being used. As an organisation, below are steps you can, and should take to further ensure a compliant ad tech future


“Give me another chance?” adjusting cookie consents & retargeting methods

Retargeting, also known as “remarketing”, is a method of reaching out to people who visited your website but left without making a purchase. Therefore, they are still within the “consideration phase”. Afterwards, retargeting is done when ads are shown to them through advertisements. Your different products or services are eventually shown, and sometimes even special discounts are offered if they were close to making a purchase. These are done on various channels, most commonly on other websites, or social media channels such as Facebook.    

Once a new user enters your site, gives consent to the cookies, later, when browsing the internet, these cookies will let the retargeting provider know when and where to serve advertisements that may trigger another interest to your site or product. This ensures that the ads are served to users who had previously been on your site before, and who could potentially be future customers. 

However, retargeting campaigns and cookie consents have been heavily shaped by privacy policy changes. Cookie consent is a must-have. As company retargeting methods and cookie consents continue to be looked into by privacy regulators, one part of it has been recently looked into by the ICO: real-time bidding.

Real-time bidding (RTB) is the process when advertisements are served within seconds until a website loads. The ICO, along with privacy advocates and internet browser, Brave, expressed concerns on how RTB allows ad tech companies access the personal details of users without prior consent.

So what’s next then? 

Be transparent with sign up forms and engagement methods

Any form or method of engagement that asks users to fill out personal information, must include at least a notification and a brief explanation on what data you collect, and even more importantly, your plans for its use. A pro tip here is to include even a link that users can click to further read your privacy policy.

What it should look like is to have empty checkboxes that users can click on, agreeing to give consent. These checkboxes should also have the option to be un-ticked any time. While this notice may create a disruption with audience engagement - even a possibility of a significant drop in conversions, this measure is absolutely necessary to ensure that users who do proceed to give their information are also opt-ing to various types of further activities, from collecting marketing analytics information, allowing your organisation to communicate with these users about marketing information via email.

Letting go: shaping up that email list


Email marketing is still going strong, in fact, it’s only getting stronger. According to Acoustic’s Marketing Benchmark Report, audience engagement with email marketing campaigns are again rapidly increasing due to a change of marketing strategies, heavily influenced by new privacy regulations.

However, the time of purchasing customer records, or in other words “buying leads” has certainly reached its end. Not being able to tell which contacts were opt-ins and which ones were purchased for your email list is already a situation leading up to future problems. If this fits your case, it’s recommended to keep track of mailing lists, and even to start from scratch again.

Take into account British airline Flybe, who back in 2017 intended to do the right thing of notifying customers about their privacy policy updates. They might have missed out on updating their email list before doing so. The emails were sent out with the intention to advise people to amend their personal information as well as update marketing preferences, but regulators eventually saw it as a GDPR violation, saying that they should have obtained consent before sending the emails out. Eventually, Flybe was fined £70,000 roughly, around 78,000, for sending 3.3 million “unwanted” emails to users. Not a pretty picture you want to be part of. 

Moving on: looking into alternatives for handling valuable data


Storing valuable data, such as customer information, on spreadsheets is now a thing of the past. That being said, with the GDPR in place, handling such data should be done securely to reduce the risk of violating the regulation and putting customer data at risk. In order to reduce this risk, using automation to help process customer data may be the strongest and most efficient way. Centralizing data in a system would make a smoother process in accessing, managing, and making changes to such sensitive information.

Bouncing back

In summary, the GDPR shouldn’t be seen as a barrier for communications. On the contrary, the GDPR should be seen as an opportunity to improve the quality of data, to increase a firm stance on transparency, and to increase the quality of consumer/client relationships. By taking the steps to further comply with the privacy laws, your company will not only decrease the risks of fines for noncompliance, but will also cover the appropriate steps to “win” new customers and “win back” current ones.

All in all, creating a happy relationship.