The adtech industry is one of the most important industries in the online world, underpinning the adverts that enable many sites to make money, but it has a serious problem: one of its central technologies is not fully compliant with GDPR.
The problem surrounds what is known as real-time bidding (RTB), the process that enables targeted adverts to be shown to individual users.
As you load a website, automated real-time auctions are occurring to determine which ad is shown to you. These happen in a matter of microseconds and ultimately result in the ad that pays the most being displayed on the website you are visiting.
However, in order for the advertisers participating in RTB to decide if your attention is worth bidding on, these platforms share known data about you, including your device, the website you are visiting and where you are, as well as inferred information about your age, gender, income and interests.
It is through this process that you may sometimes see suspiciously accurate adverts that can make you feel like you are being watched. And under GDPR, this kind of data sharing without your explicit informed consent is not permitted.
Real-time bidding and GDPR: Proposed solutions from the adtech industry
The adtech industry knows this, and while the Information Commissioner’s Office (ICO) has accused adtech companies of having their “heads firmly in the sand” over RTB’s non-compliance with GDPR, there are those scrambling to find a workable solution.
So far, two leading alternatives have emerged.
The first is known as the Walled Garden approach, which is used by Google, Facebook and Amazon, which puts these companies firmly in control of the data they have about you, which, as an account holder with them, you have given consent to them having.
All adverts have to be handled entirely through their system, and the information shared with advertisers is limited and not possible to export. While this system enables the data being shared to be strictly managed, it puts a very small number of companies in a position of enormous power within the adtech industry and so in how adverts work and are displayed online.
The other notable approach is being led by the Internet Advertising Bureau (IAB), which focuses on keeping the RTB system inherently the same, and so protecting the presence of smaller companies within the adtech industry, but tightening up a number of key areas. These include how data is secured and shared, as well as improving how cookie notifications are used to inform users.
However, there are those that think that a more ethical approach should be pursued, and today a new working group has been launched to develop a third solution to GDPR-compliant RTB for the adtech industry.
5th Cookie: Making ethical adtech a reality
Announced today, 5th Cookie is a working group that is finding an ethical but practical solution to the adtech industry issue of GDPR-compliant RTB.
It sees three organisations come together on the issue: data privacy technology company Anonos, marketing data foundation Acxiom and global information policy think tank the Information Accountability Foundation (IAF).
The principle behind the working group is that it is possible to create a solution for the adtech industry that is completely GDPR compliant, but which everyone, from small companies to major players can participate in. And to achieve this, the group plans to draw heavily from GDPR itself.
The group’s solution focuses on the idea of pseudonymisation, by shifting from the current system where individuals are identified by their pool of data to placing individuals into “micro segments” based on their interests and personal profiles.
Advertisers would have no knowledge of particular individuals, just that they were targeting people with a set profile and group of interests. Individuals would only be identified if they chose to be ‘seen’ by advertiser by responding to the advert, and could also opt out of being in micro-segments altogether.
“Augmenting the options of so-called walled gardens and contract-focused solutions with GDPR pseudonymisation-enabled micro segmentation techniques is consistent with the principles embodied in Acxiom’s Data Ethics by Design framework,” said Dr Sachiko Scheuing, european privacy officer for Acxiom.
“The 5th Cookie model could provide consumers with enhanced privacy while allowing effective marketing for brands.”
“Under the GDPR, pseudonymisation is an established legal standard that allows all sides to ‘win’ by balancing data protection and innovation,” added Gary LaFever, CEO and general counsel at Anonos.
“The 5th Cookie model embraces GDPR compliant pseudonymisation and data protection by design and by default to support GDPR compliant Legitimate Interest processing as a complement to consent.”
However, there is far more work to be done to make this approach a reality, and the 5th Cookie working group plans to publish more details over the next few weeks.