The GDPR and the future of location-based advertising

Not so long ago, marketers believed programmatic advertising (the use of someone’s personal data to create targeted ads) was “the next big thing”, but many people now claim that the EU General Data Protection Regulation (GDPR) is the “death knell” for this practice.

One of the most common forms of programmatic advertising uses geo-tracking to target adverts based on someone’s location. It’s the reason you receive notifications about special offers at the bookshop you’re about to pass or are sent trailers for new films when you’re near a cinema. Although targeted adverts can be helpful for organisations and potential customers, they also rely on data collectors having constant access to people’s personal information. This freedom will be greatly restricted under the GDPR, but it doesn’t necessarily signal the end for programmatic advertising.


The key is consent

Many people mistakenly think that, under the GDPR, you always need consent to process personal data, but there are actually five other lawful grounds. Nonetheless, consent is necessary in this scenario, as the other grounds probably aren’t applicable.

Consent requirements are much tougher under the GDPR than under existing laws. Consent must be given through a “clear affirmative action”, and the request must explain to the data subject what data is being collected and what it is being used for. Additionally, as the Information Commissioner’s Office explains, requests need to be:

  • Unbundled: i.e. separate from other terms and conditions.
  • Opt-in: pre-ticked boxes or other pre-selected options are invalid.
  • Granular: if the data is to be used for multiple marketing activities, consent must be granted for each of them separately.
  • Named: the request must state all organisations and third parties that will be relying on consent.
  • Documented: records must be kept demonstrating when, how and what the individual consented to.

The GDPR also states that organisations can only keep personal data for as long as it’s necessary for processing activities. Organisations would typically continue to advertise to potential customers indefinitely, but instead of assuming that ‘as long as necessary’ means ‘forever’, data collectors will need to ask individuals to ‘re-consent’ on a regular basis – typically every two years.

But when people are made aware of the extent to which they are being monitored, will they let organisations collect and share their location data? That question has led many people to suggest that location-based advertising will die out when the GDPR takes effect. A report by anti-adblocking solutions provider PageFair found that the percentage of users who would grant consent could be as low as 5–20%.

One possible alternative for organisations is to claim the processing meets the lawful basis of legitimate interest. The Regulation states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” However, marketers always need to balance their own rights against consumers’, and the Regulation makes it clear that individuals should be protected as much as possible.

Johnny Ryan, head of ecosystem at PageFair, doubts that legitimate interest is a viable basis. Instead, he advises organisations not to use personal data.

Organisations could use targeting segments that group users in ways that don’t identify a specific person and therefore don’t fall under the GDPR’s scope, he told MarTech Today.

For example, organisations could create a targeted group of users whose site visits and other data indicate they are dog owners, go to hockey games and live in a certain city, because there are many users who match that description.

However, you need to be careful about how many criteria you select and how specific each one is. Once the information can be used to identify someone, it becomes personal data under the GDPR.
