What we learned 14 months after the start of the GDPR

This activity warned the entire advertising industry, as many suppliers admitted that the ICO had given them a second chance. Nobody wants to blow it up. But not everything is catastrophic.

Here is what we learned:

Advertising technology without cookies is the future
Whether it's publishers or advertising technology providers, ad targeting options that do not rely on third-party cookies are the future. In this new era where browsers limit the ability to track people via third-party cookies for advertising purposes, solutions designed to leverage third-party data on a large scale will be a gold dust. Increased scrutiny of data protection regulators around the world has also highlighted the need for this effort so advertisers can be rebadured not to avoid regulations such as the GDPR or the California Consumer Privacy Act.

The post-cookie trend has already produced a cottage industry effect, with all kinds of advertising technology providers competing to offer proprietary cookie-free data tools. Otherwise, existing and established suppliers reveal pivots. This new wave of ad tech innovations, while welcome, will also require careful scrutiny to separate the so-called wheat from the tares in the early days.

Enhanced contextual advertising targeting is the new black
Contextual targeting is hot, again. Traditionally seen as the uninitiated cousin of more finely tuned data targeting methods such as behavioral advertising, contextual targeting has resumed media importance. While the agencies claim that they have always used contextual targeting to a certain extent, most have agreed that the method has gained importance because of the arrival of GDPR and Apple's anti-tracking the Safari browser. Google has also given users the power to disable third-party cookies or not, and most industry players expect it to be a mere precursor to the wave of data-centric data-centric tools. that the tech giant publishes in order to stay on the right. regulators, while staying in step with Apple's position on privacy. The most advanced media agencies are now looking for new options that allow them to leverage advanced contextual targeting capabilities with the user's intentions and other measures to continue precision marketing in a world where the third party cookie is restricted. At the same time, technology-rich publishers, such as the Washington Post, owned by Jeff Bezos, will benefit from being among the first to meet this requirement.

Fines are not the worst
Until ICO announced its intention to fine British Airways £ 183 million ($ 228 million) and £ 99 million ($ 124 million) ) to Marriott for violating the GDPR rules earlier this month, the only other company known to the consumer to be fined by ICO under the old data protection law, which provides for a fine a lot lower than the GDPR), was Google. But fines alone are not necessarily the worst results.

Subscribe for an exclusive overview of what's really going on in the video industry, sent weekly to your inbox.

Many players in the advertising industry have wondered how much the general public really cares about how their data is used for advertising purposes, with the exception of the cohort of advertisers. privacy activists. But the more the fines retained make the headlines, the more likely they are to start. The American technology provider Acquia has just published a study showing that out of 1,000 respondents, 65% said they would stop using a dishonest brand as to how they use their data. At the same time, because of the nervousness of compliance, companies called by regulators may have difficulty rebaduring their partners or finding new ones.

GDPR members will smuggle CCPA
Several advertising technology executives recently pointed out the irony of US advertising technology vendors leaving Europe on the GDPR field, before facing the California Consumer Privacy Act. Take Teemo: the location data provider selected for violation of the GDPR by the CNIL, the French data protection authority. After a few months, the company had managed to comply with the GDPR regulations and would have since expanded to the United States with greater confidence in its ability to respect the CACP front, once entered into. January 1st. For the past few months, US media companies have been looking for consensual management platforms, eager to get ahead of the CCAC and not procrastinate as was the case for compliance with the general regulations, according to ad tech sources. Those who have been rigorous in their compliance and who have not taken shortcuts will not have much to fear from the CCPA or other similar laws.

After all, ICO has teeth
It is possible that many industries in the advertising industry confused the silence of the ICO in the year following the application of the rule by GDPR. While it is true that the OIC has emphasized its preference for carrot implementation at the expense of stick, it has become apparent that when it is about offenses where large volumes of consumer data are affected, the regulator will collapse. In reality, the inaction was probably due to the large number of complaints and notifications that the regulator had to consider, and when investigations were warranted, their processing took a long time. According to a study by the international law firm Pinsent Masons, the OIC currently handles an average of 1,276 monthly GDPR complaints and notifications. In the nine months following the arrival of the GDPR from May to February, the ICO received a total of 11,562 notifications, according to the same report. In contrast, data protection regulators from other major European countries such as France and Spain receive notifications by the hundreds.

"The high number of reports on personal data breaches under the GDPR means that the ICO is facing a backlog in the processing of notifications," said Freya Ollerearnshaw, partner of Pinsent's Cyber ​​Practice. Masons. "This can cause organizations to wait longer before receiving the final decisions." However, she also pointed out that the OIC appeared to have gone through a period of adjustment during which it had started to close more notifications than it was receiving, considering they were not in violation of GDPR.