GDPR: Website tracking rules will challenge third-party data market

New European Union regulation, aimed at restoring online data privacy, will impose safeguards which will challenge some company business models

If the unfolding Facebook and Cambridge Analytica scandal teaches us anything, it is how little everyday people understand of how the data brokering, adtech and digital marketing industries work.

According to the Economist Intelligence Unit, 92 per cent of people want more control over their data privacy and yet, in 2017, US companies spent $10.05 billion on third-party data, say the Interactive Advertising Bureau Data Center of Excellence and the Data & Marketing Association.

Much of that data would have been collected, sold, modelled and resold several times over without the knowledge of the people it was taken from. The European Union’s General Data Protection Regulation (GDPR), which is effective from May 25, 2018, promises to change all that.

Arguably the most complex piece of regulation the EU has ever produced, the GDPR is a radical and far-reaching human rights provision that fundamentally resets the rules of engagement between individuals and companies online.

“The philosophy underlying the GDPR is to privilege privacy by default, as opposed to openness, data-sharing and monetisation,” explains Eoin O’Dell, associate professor of law at Trinity College Dublin.

Crucially, the GDPR defines personal data much more broadly, giving greater emphasis to individuals’ ownership of the trail of data they leave online, which currently fuels the third-party data market.

What was once deemed anonymous data – cookies, device IDs, IP addresses and other online identifiers – that was about users, will be reclassified as personal data that belongs to users and as such will be given the same safeguards as personally identifiable information, such as name, date of birth, mobile number and email address.

The GDPR signals a huge normative shift in online marketing, but the third-party data market will not disappear completely

Currently, third-party data is traded by data brokers, ranging from market-leading, households names such as Experian, Oracle, Acxiom and Epsilon, whose primary business interests are credit scoring, database management and marketing technology respectively, to small and medium-sized enterprises, and even individuals such as the data scientist at the heart of the Facebook–Cambridge Analytica episode, Dr Aleksandr Kogan.

GDPR website tracking charts
Click to view

The third-party data market is shrouded in opacity. The data itself is often acquired through undisclosed means, aggregated from multiple datasets and subjected to excessive extrapolation, often producing misleading conclusions. Susan Bidel, senior analyst covering data brokerage for the technology research company Forrester, reveals that it is commonly believed within the industry that only 50 per cent of this data is accurate.

Despite its questionable provenance and quality, the use of third-party data is ubiquitous in online marketing. While falling short of industry best practice, it is considered useful by companies that haven’t developed their own consumer data.

In adtech, it is a staple resource. Its uses include enhancing media buys, which in plain English means helping advertisers target relevant consumers, look-alike modelling helping advertisers find internet users that resemble their customers and audience extension, a tool that enables publishers to generate revenue by giving advertisers permission to follow their audiences, for example through tracking cookies across multiple sites.

The principle of consent is likely deliver a fatal blow to the majority of third-party data brokers. The GDPR stipulates that personal data can only be collected, controlled or processed with the explicit consent of its owners and owners must opt in to specific uses, which would include the sale of personal data to third parties.

Consequently, there will be no room for ambiguity. “Consent to use must be genuine consent, not buried in illegible terms and conditions, so the GDPR is likely to lead to awareness among consumers about how their data is used,” says Professor O’Dell.

Website visitors are likely be faced with a pop-up box asking them to opt in to having their personal data tracked and sold. Given that a 2017 survey conducted by the adblocking analytics firm PageFair found that 81 per cent of respondents if given the choice declared they would opt out, there is little reason to believe this is something they would choose voluntarily, especially in the current climate with consumer concerns over privacy at a record high.

What is more, GDPR provisions will apply retroactively to companies’ existing data, so up to 75 per cent of all marketing data in the UK could be rendered obsolete, according to the data cleaning firm W8Data.

Companies in contravention of GDPR rules could face a ruinous fine of up to 4 per cent of their global annual turnover. And GDPR compliance rules stipulate that in the event of a breach occurring, every link across the supply chain – data brokers, data management platforms and companies using illegitimate data – will be liable.

“Businesses that rely on adtech for their main source of revenue may have to re-examine their business model, in so far as it is feasible, sustainable and ethical under a regulatory regime that prioritises people’s human rights,” says Dr Katherine O’Keefe, lead data governance consultant at advisory firm Castlebridge.

The GDPR signals a huge normative shift in online marketing, but the third-party data market will not disappear completely. “The GDPR will shake out a lot of sub-standard actors, clean up the supply chain, lead to consolidation of vendors, and allow consumers to better own and control their data,” says Gareth Davies, entrepreneur in residence at Digital Capital Advisors.

As the unpermissioned data market diminishes, it will become increasing critical for marketers to invest in building and maintaining their own first-party data assets. “This will mean more time engaging with consumers directly, making it clear what data they want to capture, why and for what purpose, and explicitly gaining users’ consent to do so,” explains Mr Davies.

Ultimately, if we are to arrive at a “smart” future, in which commerce, public health, infrastructure and government services are enhanced by data analytics, then we will require data that is accurate, verifiable and reliable. The GDPR is a crucial step in that direction, and will help build an internet regime founded on transparency, consent and trust.