GDPR is designed to protect Personal Data in Europe and to give consumers more control over how their data will be used. Although there are six lawful methods prescribed to process data under GDPR, one of the most talked about methods for publishers and marketers, especially with the looming ePrivacy Regulation, is consent. Any controller or processor of Personal Data that plans to use consent as its legal grounds for processing must have specific and non-coerced consent from the data subject. What does this really mean? Publishers and advertisers will know that visitors who have opted-in to share data have done so proactively, and are therefore much more engaged.
Is the GDPR consent requirement an opportunity in disguise?
In theory, more engaged visitors should translate to higher advertising CPMs. The recent push for more robust transparency metrics such as viewability and completion rate is evidence that buyers are increasingly concerned with viewer engagement. If a buyer knows that the visitor has opted-in to have his/her data be used for more relevant advertising, prices for those audiences should go up. Moreover, the opt-in process will inevitably reduce the total pool of available visitors to target, which should drive up CPMs due to scarcity alone.
Additionally, this could represent a significant opportunity for publishers to regain control of their audience data. Rather than having valuable audience data leak to the buy side as it sometimes does today (where it can then be used in an ethical gray area, to target the same audience on different, less expensive properties), publishers’ first-party data will become much more valuable in a consent driven world because the buy side will struggle to get the right permissions to use the data elsewhere.
Publishers with a less consistent audience may struggle to gain consent
This sounds great for publishers with loyal audiences who will readily give consent. These will be publishers providing differentiated, valuable content with the resources to incentivize consent. But what about smaller publishers that lack a user base of hungry and loyal fans that return frequently or those without the resources to properly communicate and encourage consent?
Under GDPR, and eventually ePrivacy, consent requests on web properties will likely be more cumbersome and invasive than they already are in the EU. This change damages the user experience and could cause fatigue among site visitors.
Here is an example consent banner, aka ‘consent wall,’ from GDPR consultancy SecurePrivacy, which is much larger, and more invasive (requiring two clicks from the user) than the current banner consents that users encounter.
1): Consent should be affirmative, specific and unambiguous 2) Details of recipients and data controller 3) Purpose of processing and notification of profiling 4) Duration 5) Withdraw consent 6) Link to complain, correct and transfer data 7) Can decline
Another example, from PageFair, involves a significant amount of reading. In addition to taking nine clicks to read through, they also display an overwhelming number of companies they want to share your data with (252 to be exact).
In contrast, witness a current example from AirBnB that follows the requirements of the existing 2011 Cookie Law and represents the minimalist implied consent that Europeans are used to.
It remains to be seen exactly how each publisher will implement its consent/tracking banner in a post-GDPR world. Some may rely on implied consent like they do under current guidance. However, if banners become more invasive on every site, one can see how surfing the internet for entertainment will become more annoying, and users will be less likely to click away from closed silos of content. Thus, users may give a small number of ‘lucky winners’ their consent, either because of improved UX, incentives, or convenience, and may just ignore the consent requests everywhere else. In this manner, users may find the discovery of new content to be more difficult, which could disproportionately affect smaller publishers that have fewer ways to attract new audiences.
Who has the most power to gain consent? Facebook and Google.
Privacy advocates and marketers are rightly concerned that the walled garden duopoly of Facebook and Google have enormous power and control over user data. According to eMarketer, the duopoly already controls 63% of the digital ad market and is poised to capture nearly all of the growth in the market through 2019 to the tune of almost $30 billion. Many thought GDPR, as a consumer protection regulation, would help break some of the grip that Google and Facebook have over the market. However, it is just as likely that Google and Facebook’s data will become even more valuable.
Google and Facebook thrive by creating services customers feel they can’t live without. Every day, customers gladly give over their personal information to use these services. Although consent is not allowed to be coerced under GDPR, Google and Facebook’s products and services are sufficient incentives for users to fork over their valuable data, willingly and with enthusiasm… no coercion necessary. Google especially has so many touchpoints with consumers (Search, Mail, Calendar, Maps, Android OS) that consent will be downright easy. Moreover, these companies may be able to claim that it is necessary to process data in order to provide their services, in contrast to publishing where customer data is not needed to make the content itself functional.
What does this mean?
GDPR and ePrivacy make it more difficult for the average publisher to get consent for data processing from their users. Even those that can get consent will likely get it from a smaller number of their most loyal fans. Under this regime, the value of first-party data increases while that of third-party data diminishes because it is more difficult for third-parties to get permission without a direct relationship with the consumer. Who has the most valuable and robust first-party data, particularly after gathering consent from more users than anywhere else? Google and Facebook.
Make great content
So what can publishers do to try to capture some of the upsides of these changes? Make great content, for starters. Great content breeds loyal fans engaged in your content and wanting more. This is a worthy incentive for consent which will grow your first-party data and give you more power than other publishers. Although publishers are forbidden from withholding their content in exchange for consent, it is much more likely that a user will freely give consent if you add value by creating interesting, differentiated content. So, while Facebook and Google are well-positioned to succeed in a post-GDPR world, there are still plenty of opportunities to shift the balance of power to the best publishers.
Want to learn more about GDPR? Check out the rest of our series:
- SpotX’s GDPR Task Force
- What is GDPR? What You need to Know about Ad Tech and the General Data Protection Regulation
- GDPR: Top 7 Things Publishers Should Do to Protect Themselves
- How US Based companies should be thinking about GDPR
- Why US companies should care about PII, non-PII, and Personal Data
- What is ‘Privacy by Design and Default’ and how can it help me make tough choices in a post-GDPR world?
- How GDPR will tighten Google and Facebook’s grip on global advertising dollars – Isn’t it ironic?
- Vlog: Senior Product Manager, Jessica Berman Speaks on GDPR
This article was written by Eric Shiffman, product marketing manager at SpotX.