GDPR & ePrivacy – What They Mean for AdTech and MarTech From a Technical Standpoint
Out of all 99 articles and 173 recitals, there are some areas of the GDPR that apply specifically to online advertising and marketing companies.
What Does the GDPR Say About Personal Data?
In simple terms: if a piece of information, either on its own or combined with other pieces of data, can be used to identify a person, then it’s classed as personal data. Identity in this sense doesn’t just refer to knowing a person’s name. It also refers to identification: if a user visits your website or sees one of your ads, they are considered identifiable if you can later recognize them (via their cookie ID or another identifier) when they return to your website or see another one of your ads.
The same principle applies to singling out an individual based on several data points, such as their postal code, gender, and age. In this case, even though you don’t know the person’s name or have an identifier (for example, a user ID in a cookie assigned to them), you could still potentially identify them.
Typically, AdTech vendors and most MarTech vendors have based their privacy policies on the fact that they are not collecting or dealing with personal data. The reason is that, up until this point, online identifiers such as cookie IDs, IP addresses, device advertising IDs, and device fingerprints were not considered examples of personal data.
However, under the GDPR and ePrivacy, essentially any piece of data or information that can in some way identify a person is classed as personal data.
What Does This Mean for AdTech and MarTech From a Technical Perspective?
The definition of personal data is somewhat unchanged from the definition given in the Directive; however, the GDPR broadened the scope of data-protection law. One example of the change in scope is that the GDPR now considers online identifiers and location data to be personal data.
As most online advertisers, marketers, and publishers collect and use online identifiers, such as those mentioned above, as well as location data, they will now have to take additional steps to ensure they are compliant with the GDPR’s rules regarding the collection, storage, and usage of personal data.
The GDPR states that companies collecting personal data should implement measures to ensure the data is protected at all times, via encryption and pseudonymization, for instance. Although most companies already do this with obvious examples of personal data, such as emails, phone numbers, and IP addresses, they now have to apply this to all types of data they collect.
While these measures will help online advertising and marketing companies mitigate risks associated with data security, encrypted and pseudonymized data are still classed as personal data, meaning companies still have to obtain user consent and carry out various data-protection measures if they wish to collect and use the information.
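The following added example (not code from the original article) illustrates why pseudonymized data is still personal data. It replaces cookie IDs and IP addresses with a keyed HMAC-SHA256 pseudonym, then shows that a returning visitor is still recognizable and that postal code, gender, and age can still single out one person. HMAC is one common pseudonymization technique chosen here as an assumption; the events, field names, and key are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample events; every identifier and attribute here is made up.
EVENTS = [
    {"cookie_id": "c-1001", "ip": "203.0.113.7", "postal": "80331", "gender": "f", "age": 34},
    {"cookie_id": "c-1002", "ip": "203.0.113.8", "postal": "80331", "gender": "m", "age": 41},
    {"cookie_id": "c-1001", "ip": "203.0.113.7", "postal": "80331", "gender": "f", "age": 34},
    {"cookie_id": "c-1003", "ip": "198.51.100.2", "postal": "10115", "gender": "m", "age": 41},
    {"cookie_id": "c-1004", "ip": "198.51.100.9", "postal": "10115", "gender": "m", "age": 41},
]
ID_FIELDS = ("cookie_id", "ip")              # direct online identifiers
QUASI_FIELDS = ("postal", "gender", "age")   # attributes that identify in combination


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: without the key the mapping cannot be rebuilt by guessing inputs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_event(event: dict, key: bytes) -> dict:
    """Replace the direct identifiers and leave the other attributes untouched."""
    out = dict(event)
    for field in ID_FIELDS:
        out[field] = pseudonymize(event[field], key)
    return out


def returning_visitors(events: list) -> set:
    """Pseudonyms seen more than once: the visitor can still be recognized on return."""
    counts = Counter(e["cookie_id"] for e in events)
    return {pid for pid, n in counts.items() if n > 1}


def singled_out(events: list) -> list:
    """Quasi-identifier combinations that match exactly one distinct visitor."""
    groups = {}
    for e in events:
        groups.setdefault(tuple(e[f] for f in QUASI_FIELDS), set()).add(e["cookie_id"])
    return sorted(combo for combo, ids in groups.items() if len(ids) == 1)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key would live in a secrets store
    pseudo = [pseudonymize_event(e, key) for e in EVENTS]
    print("still recognizable:", returning_visitors(pseudo))
    print("singled out by attributes:", singled_out(pseudo))
```

Rotating the key gives the same visitor a new pseudonym and breaks linkage across rotation periods, but within one period the records remain linkable to an individual.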
The main challenges advertising and marketing companies face with personal data are collecting it in the first place (i.e. obtaining consent), ensuring its security, and creating a chain of responsibility with their partners when they exchange that data with them.
The real test for both the AdTech and MarTech industries will be to update their current platforms so they can anonymize and pseudonymize data to meet their data-protection obligations, and create future-proof businesses that allow clients to run effective and successful advertising and marketing campaigns that respect user privacy and limit their exposure to the GDPR and ePrivacy regulation.