In many ways, 2018 was a year of waiting. Waiting first for the General Data Protection Regulation (GDPR) to go into effect on May 25th. Then waiting again to see how regulators sought to investigate privacy complaints and enforce the new law. Now within the first two months of 2019, we’ve seen the beginnings of the anticipated uptick in European enforcement activity. And it is not a surprise to see the ad-tech space drawing most of that regulator attention.
Topping the headlines in January, the CNIL (the French Data Protection Authority) has already levied a large fine against a major technology company and cornerstone player in the ad-tech space. The basis of the fine is, simply put, the company’s alleged lack of transparent handling of consumer personal data. The CNIL is also investigating another, much smaller ad tech due to the company’s (possibly improper) implementation of the industry-backed Interactive Advertising Bureau (IAB) Transparency & Consent Framework.
A note on the IAB Tech Lab Transparency & Consent Framework: this framework was developed by a top industry consortium and seeks to establish a standard under which reportable consent can be collected and validated against a centralized list of approved third parties. Several leaders in the digital advertising space as well as the top brands they support have purportedly adopted this framework, which could set the stage for enhanced consent traceability practices on a widespread scale. Based on the outcome of the CNIL review, we should receive some clarity as to whether regulators are of the same opinion.
While fines are an alarming prospect, the injunctive capabilities of regulators likely serve as more of a direct threat to ad-techs. Regulators can order companies to stop processing personal data until the company conforms with the GDPR. For companies such as ad-techs, where the entire business model is fueled by personal data, this can mean a minute-by-minute loss of revenue.
So, ad techs will likely continue to feel the pressure of the new privacy regulatory climate, perhaps more than any other industry segment. As such, ad techs should take a few key steps to begin strengthening their privacy risk posture with respect to their transparency and consent controls. These include:
- Consistently review all data privacy notices to ensure alignment with the actual use of the personal data your organization collects;
- Bring in voices from around the organization (non-lawyers, non-data privacy experts) to review your privacy policies, "just in time notices" and common data entry forms to confirm clarity and straightforwardness;
- Conduct a thorough review of your technology to confirm safe and transparent use of personal data;
- Engage brands or other digital ad partners you may do business with to clarify how your technology works, how it uses personal data, and the controls you have in place to meet GDPR and global data privacy requirements;
- Continuously test your company’s consent management tools and opt-out preference management systems to verify that the end user’s choice is actually respected (e.g., if the user changes his or her communication preferences to "no longer receive the company newsletter", confirm that these newsletter communications are in fact suppressed appropriately);
- Implement a privacy program to oversee and manage all components of data privacy risk;
- Align with trusted privacy experts to identify risks and design possible solutions that enable compliance with GDPR requirements.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.