How are you preparing for GDPR?

By Josefine Vinberg, Head of Product, Widespace

There is little doubt that the advertising industry will feel the impact of GDPR. The regulation will change everything from how data is collected right through to how it is stored. The new guidelines have left everyone from brands to tech vendors confused and unsure about what the future holds. The one thing that is certain is that GDPR is fast approaching, and with less than a month to go it’s high time to get your data in order.

At Widespace, we have worked diligently over the last year to adapt our product suite and contractual commitments to ensure that we comply with the new regulation. We have therefore put together a handy FAQ guide to give you the insight you need on how GDPR will impact the online advertising industry and what Widespace is doing to ensure we are compliant.

Can personal data no longer be used for segmentation and profiling under GDPR?

It’s a common misconception that GDPR forbids the processing of personal data for the purposes of online advertising. What is new in GDPR compared to the ePrivacy Directive is a more conservative attitude towards the lawful basis for collecting and processing data. The passive consent required by the ePrivacy Directive will no longer be enough, and under GDPR user consent should be freely given, specific, informed and unambiguous. A clear affirmative action, such as an opt-in, is required.

What responsibility do agencies have for the data they collect and process on behalf of their clients?

End user data is often shared by several parties in the online advertising ecosystem, and it’s sometimes quite complex to understand who is the data controller and who is the data processor. As an agency, the first thing to do is to evaluate which role you play in the data processing. Are you acting strictly on behalf of your client, or do you determine the purposes and means of the processing of personal data? Regardless of which role you take, make sure that you document each party’s obligations and responsibilities in a Data Processing Agreement.


Is consent really necessary for all processing?

Consent is only one of six legal grounds for processing that are recognised by the GDPR, and there is an ongoing discussion as to whether or not “legitimate interest” should be considered a legal basis for the processing of end user data for online advertising purposes. Some argue that legitimate interest is viable, since the processing of personal data is needed, for example, for the detection and prevention of fraud and invalid inventory, and to perform frequency capping.

Do I only need consent for cookies?

Consent, or one of the other five legal grounds under GDPR, is necessary for the processing of all personal data, and not only cookies. The GDPR includes location data, IP address, cookie ID, and advertising identifiers within the scope of personal data when combined with certain types of information.

How will consent be communicated throughout the online advertising ecosystem?

The advertising industry and IAB Europe have joined forces to create a standardized framework that can be used throughout the ecosystem to collect and share information on user consent (see advertisingconsent.eu). Widespace is supporting the framework, and we strongly encourage our publishers and partners to follow in our footsteps. Ad tech providers should join the global vendor list as soon as possible, and publishers and advertisers should encourage their partners to do so. We believe that collectively establishing a common means for sharing information about consent will be key under GDPR.

So how will GDPR impact the industry?

The bottom line is that everyone agrees that GDPR will affect the industry, but no one knows how or to what extent. GDPR regulates the processing of personal data, which includes location data, IP address, cookie ID and advertising identifiers. Online advertising, and programmatic advertising in particular, is heavily dependent on personal data.

A probable outcome of GDPR, at least in the short term, is that it will become more difficult to access user data, and more challenging than before to target users purely based on cookie matching. As a result, intelligent ad algorithms based on AI will most likely gain ground, while pure cookie-based targeting solutions will suffer.

At Widespace, we also expect to see a revival for contextual targeting and other solutions that are not dependent on personal data. GDPR does, however, bring a real opportunity for the industry to clean up its act when it comes to how it approaches, collects and stores data, and that, for the most part, is better for the consumer.

The long-term impact of GDPR remains to be seen, but one thing is certain: GDPR compliance is not a zero-sum game, and all parties in the industry need to join forces and agree on how to handle user consent in order to not just survive but to thrive.