December 6, 2017
The May 25th deadline announces a period great reckoning for data-driven marketing in Europe. The question marketers ask me most often is “Can we continue to do this…” or in other words, will this type of activity be allowed under the GDPR? But often, with this Regulation, the question is not whether you can or cannot pursue an activity, it is whether your organization is managing its data in such a way that it will be allowed to continue carrying out the activity.
In practice, GDPR impacts digital marketing and advertising in slightly different ways. If most marketing (eg, email, postal mail, SMS, etc) activities today already rely on some form of opt-in, digital advertising lives in a grey area where the need for consent is very much dependent on the type of activity/processing the marketing organization wants to carry out.
Consent is often misunderstood as the necessary (if not the only) legal basis to justify data collection and processing for data-driven advertising. But organizations today rely primarily on legitimate interest, rather than consent, and to a large extent this is likely to continue after GDPR. The notion that advertisers would have to secure consent for any type of ad personalization or targeting is unpractical (because of the burden associated with obtaining, preserving, and implementing consent at scale) and it is unnecessary in many personalization use cases. This means marketers need to better understand what legitimate interest allows, where it is sufficient, and what are its limits.
The complexity in doing so is that legitimate interest is contextual. Campaign parameters will determine where legitimate interest is enough and where consent will be needed. Marketers will have to look out for a combination of factors, such as:
- The purpose for processing. Is the processing consistent with the initial purpose for which the data was collected? Were information notices fully reflective of the extent of the data processing?
- The level of targeting. Is the processing done at an individual or cluster-level?
- The type of processing. What is the level and impact of automated decision-making?
- The outcome of the processing. Is there any risk of causing prejudice to the consumer? Could the consumer have expected the outcome of the processing activity?
Among other things, this means that:
- If many personalization effort will continue unhindered, the GDPR does raise additional barriers for 1:1 personalization and advanced form of automated data processing that leverage machine learning, such as predictive modeling, propensity scoring, identity recognition.
- The real burden is one of data management: If a company uses personal data, it must be able to prove that it did so compliantly. This means it must be able to record when, why, how the data was collected and show that it was used in a manner that is aligned with the initial purpose for collecting the data. This challenges how most organizations record, manage and track the data they collect today, and will require extensive architecture of data management systems and processes.
I explore these questions in greater detail in the recently published Digital Advertising Under GDPR Hinges On Data Management. And for a broader outlook on data privacy and the development we expect to see happen in 2018, we also released our 2018 predictions report in November, quite aptly titled “Predictions 2018: Europe’s Privacy Laws Will Bite US Martech And Slow AI’s March Into Marketing”.