The media agency’s guide to GDPR and ePrivacy

On May 25th, when the European Union’s General Data Protection Regulation (GDPR) goes into effect, media agencies will be subject to a new set of laws around targeting European consumers.

The GDPR, which makes it illegal for businesses to use EU citizens’ data without proper basis or consent, will limit media agencies’ ability to target European consumers programmatically, even if they don’t have EU-based clients. The law classifies anonymous identifiers, like cookies and device IDs, as personally identifiable information.

Preparing for GDPR is a resource burden for agencies, especially those working with thousands of vendors and suppliers. Agencies have to vet all of their vendors and rewrite contracts to make sure they’re working with compliant parties, because working with a noncompliant vendor could put the agency on the hook for a violation.

But it will be difficult to know for sure which vendors and practices are compliant until ePrivacy, the European directive pertaining to electronic communications, is finalized. While the GDPR recognizes “legitimate interest” as a legal basis for processing data without consent, ePrivacy in its current state does not.

GDPR also gives consumers fundamental rights over their data, which agencies need to comply with or risk the law’s massive fine: 20 million euros or 4% of global annual turnover.

Here’s how agencies should be preparing for the May 25th deadline.

Agencies Are Both Controllers And Processors

Under GDPR, all companies harvesting EU consumer data must define themselves as data controllers or processors. Media agencies are usually both, acting as processors for their internal data and controllers when acquiring data from consumers or third parties for clients.

As a processor, media and CRM agency Merkle hosts and buys PII data on behalf of large institutions. As a controller, it uses data to buy targeted media for clients that reach 90% of the UK population, said Nick McCarthy, SVP of data solutions at Merkle.

But the definitions of processor and controller trigger different responsibilities. While processors need to provide a legal basis for processing EU consumer data, controllers have the added work of ensuring that all of the processors they work with, such as third-party data providers and programmatic vendors, are compliant too.

If they don’t, they’re liable for violating GDPR and will face the fine and legal repercussion, said Sheila Colclasure, global chief data ethics officer at Acxiom.

“The media agency needs to ensure they’re working with vendors that have covered off on their GDPR requirements,” she said. “If they don’t, they’re assuming risk.”

To ensure compliance, agencies need to understand which aspects of their business model trigger the definitions of controller or processor and document their activity under both definitions, Colclasure said. That requires them to hire the right staff against GDPR compliance under a data protection officer (DPO), who can oversee data privacy compliance for the agency.

GroupM brought on a DPO in last year who will help the media agency group prepare for and ensure ongoing compliance with GDPR, said Rachel Glasser, director of digital privacy at GroupM.

“A lot of the data we collect and use for behavioral advertising, the audience segments we build and the profiling that’s done – that kind of activity would require a DPO,” she said.

In addition to preparing themselves for GDPR, agencies have to make the proper disclosures to consumers about the data they have, how they’re using it and why.

Merkle launched a website in Europe that explains how consumers can exercise their data privacy rights or speak to the agency’s DPO, McCarthy said.

“Being a controller puts you in a position where you need to be really transparent and open with consumers about the data you’re holding and where,” he said. “That starts by ensuring we have the right notifications.”

Everyone Gets Reevaluated

Agencies are responsible for making sure the vendors they work with are compliant under GDPR, said Colclasure, because if a vendor is in violation, the agency could also be fined and face a court hearing.

Evaluating vendors is part of agency life. But until the ePrivacy directive is rewritten, it’s hard for agencies to know for sure who will be deemed compliant under EU law.

If ePrivacy doesn’t recognize digital advertising as a form of legitimate interest, vendors will have to gain direct consent for programmatic targeting, Colclasure said. That may be difficult, given consumer sentiment around digital advertising and the fact that most vendors don’t have consumer-facing brands.

For now, agencies hope they’ll get consent for programmatic campaigns through publishers, which, as consumer-facing businesses, have a better chance of appealing to EU citizens. If publishers can’t get consent, agencies may have to scale back their targeting and rely on things like contextual data when reaching European consumers.

“Maybe behavioral targeting takes a dip for a bit, people stop getting personalized ads and realize that there was value to it,” Glasser said. “It’s been a really long time since we’ve not had interest-based advertising on the internet.”

Regardless of what happens with ePrivacy, agencies should prepare for more scrutiny by clients under GDPR, who are likely to increase their agency audits once the law takes effect, McCarthy said.

“One of the big outcomes of GDPR is making sure you’ve got the right audit trails,” he said, “Whether that’s to give more transparency around data flows, how data is captured and how we gain permissions or ensuring that we have the right reps and warranties to that data.”

Dealing With Consumer Demands

Under GDPR, consumers can ask entities holding their personal data to erase it, rectify mistakes or port it to another location. Under the law, entities that hold consumer data are required to take reasonable steps to ensure the data is also deleted by third parties.

Agencies will be expected to comply with consumer demands quickly, Colclasure said.

“There is pressure from authorities to figure out how to do a cookie-to-cookie read and respond accordingly,” she said.

Because Merkle’s data platform organizes cookies and device IDs around a unique identifier, the agency can erase all of the data it has on a consumer in one fell swoop, McCarthy said.

“We delete the individual, notify the individual they’ve been deleted and keep a record,” he said. “We can have that done within seven days. Our plan is to do that much quicker.”

But because GDPR requires companies to regularly delete data that’s no longer necessary for the purpose it was acquired, agencies will need a legitimate business case to hold on to data in these platforms to inform ongoing campaigns, Colclasure said.

“If they need data to inform subsequent campaigns, that’s a defensible purpose, and they should articulate that,” she said. “If, at some point, the old stuff ages out, then they may need a deletion schedule.”

The ePrivacy Wild Card

Until the ePrivacy regulation is updated – regulators hope to have it done by May to coincide with GDPR – and regulators have shown their appetite for investigation, all the industry can do is speculate about how GDPR will work once enforced. But from what regulators are indicating, the focus is on protecting human rights, Colclasure said.

This means that managing permissions, notifications and opt-outs will be critical, McCarthy said. But because agencies lack a relationship with the consumer, they’ll have to rely on publishers to make the right disclosures and get consent in a legal way.

As GDPR pushes agencies to work with publishers and vendors they can trust are compliant, the availability of consent in the marketplace will shift toward logged-in environments, McCarthy added.

“The more logged-in consumers open to receiving communication in a more personalized way, that’s good for me,” he said.

And while GDPR will put constraints on agencies, it could also open up opportunities for new conversations and business arrangements with clients around data and media strategy, said Brian Wieser, analyst at Pivotal Research. Merkle, for example, already has a small consulting team dedicated to helping clients prepare for GDPR.

“This has to be a catalyst for, at minimum, a conversation around data strategy and the mix of paid, owned and earned,” he said. “Your strategy will change if you’re a certain type of marketer. That could be good for agencies.”

By  Alison Weissbrot, Reporter, AdExchanger

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at