Keeping Up with Data Governance: Q&A with Adrian Newby, CTO Crownpeak
The Cambridge Analytica/Facebook scandal has thrown issues like trust and transparency in the programmatic industry into sharp relief. In this Q&A with ExchangeWire, Adrian Newby, CTO, Crownpeak, talks about the appropriate consent and ePrivacy measures going forward, and how the GDPR is going to impact user experiences.
ExchangeWire: Does the publicity around Cambridge Analytica reflect long-term trust issues in the advertising ecosystem? If so, what should the industry do about this?
Adrian Newby: The Cambridge Analytica and Facebook data breach has highlighted the importance of trust when it comes to data-driven advertising. Consumer awareness is growing, as is concern about how data is used, accessed, and stored. Inevitably, this will undermine data quality and advertising effectiveness, at least in the short term. Legislators still remain behind the market in terms of understanding and being able to set rules for this aspect of modern digital society. The industry, therefore, has an opportunity to provide leadership to improve the situation for all.
Trust between parties is the casualty of this mismatch between transparency and understanding. According to an RSA Data Privacy & Security survey, 41% of consumers purposely provide false personal data online. This demonstrates the need for companies to be more transparent and ethical, ensuring that appropriate consent procedures are in place and enforced. There is significant work ahead, but this will secure the industry’s long-term future.
Is consent set to become an increasingly important issue?
With the imminent arrival of the GDPR in May, and the impending ePrivacy Regulation, consent is now a key issue worldwide. GDPR is likely to become a de facto standard for data governance. Companies established in the EEA, as well as those outside Europe that market to, or profile, EU residents are already subject to GDPR. However, global companies, such as Facebook and Apple, have announced their intention to apply GDPR-like principles in jurisdictions outside of this region.
Beyond Europe, Canada has introduced PIPEDA, which establishes rights and protection for individuals’ personal information, and in the U.S., California has the Online Privacy Protection Act, which targets all commercial activity within state borders.
The process of seeking consent for the processing of personal information is set to transform radically over the coming months, to become a more genuine experience instead of an obstructive, quick ‘tick box’ exercise. Marketers will need to ask permission from audiences for every aspect of data usage. Consent notices will become a first-class citizen in delivering a superior user experience, and we will start to see more layered approaches to consent, in which a quick overview is first presented, with options to click further for more information about usage. Just-in-time notices, which defer the request for consent to the point of collection, will demonstrate transparency rather than information being buried in a one-size-fits-all notice.
How different will user experience be once the GDPR comes into force?
Most notably, the GDPR will encourage marketers to reassess their digital supply chains, as they will be directly accountable for all third-party technologies that are accessing their users’ data and will need to ensure they ask audiences for consent to share information. The data trail that began with a simple personality quiz for a few hundred thousand people and, reportedly, ended with the delivery of tens of millions of personal data sets to Cambridge Analytica for political exploitation underscores just how important it is to understand exactly what other actors do with the data consumers may share with them. This is underscored by the fact that two-thirds of marketers believe they have third-party technologies operating on their websites of which they are unaware.
An extensive digital supply chain is often also a large contributor to latency issues and technical dysfunction, which can cause users to become frustrated and lead to a high bounce rate, not to mention the competitive disadvantage created by leakage of data to competitors through shared third parties. By gaining a clear view of the digital supply chain, companies can remove unnecessary third-party technologies to improve both user experience and marketing ROI.
Do tightening consent regulations give the ad-tech industry an incentive to consolidate?
Markets comprising asymmetrically sized participants are always ripe for consolidation, and the ad-tech industry is no different. As firms rationalise their digital supply chains, the number of players in the ad-tech market may decrease as larger companies acquire smaller players and reduce the complexity.
However, the GDPR will change market conditions significantly, providing both constraints and incentives. This will inevitably drive growth, as new players emerge that are better-suited to the new market conditions and able to offer more innovative, cost-efficient ways to meet privacy standards, challenging incumbents in the process and, in some cases, displacing them.
Where do you think the regulators will strike first?
Supervisory Authorities – each country’s Data Protection Authority under GDPR – will gather a great deal of information about a company’s practices from a simple online examination of its public privacy notices and the behaviour of its public-facing web presence. Companies must be diligent in getting their online houses in order.
Regulators are likely to begin by not only ensuring that there is a notice present on a site, but that it meets all the requirements of the ‘fair processing’ disclosure. For data obtained via consent, that means ensuring the consent is being obtained in a freely given, specific, informed, and unambiguous manner. It also means that subjects are being properly informed of their rights and how to exercise them, and that the company has an appropriate process in place to manage any objections.
Supervisory authorities will be able to determine very quickly whether companies have implemented GDPR-compliance procedures, without having to delve deep into the functions of digital supply chains or pursue internal inspections. Luckily, aligning policy with front-of-house data collection practices will be the simplest part of compliance, so there’s really no excuse for not being prepared.