Brands face serious new risks under the GDPR and the ePrivacy Regulation (ePR), and agencies will not be able to shield them. This note explains why, and describes what these risks are.
When the GDPR and the ePrivacy Regulation (ePR) apply a year from now brands that use personal data in their marketing campaigns will become exposed to new legal risks, irrespective of their arrangements with ad agencies. Though the new rules are European, the exposure will be global.
Why agencies can not shield brands
The first reason is legal. The first reason is that the text of the General Data Protection Regulation (GDPR) says that “each controller or processor shall be held liable for the entire damage”, where more than one controller or processor are “involved in the same processing”. In other words, all parties involved in the use of personal data are fully liable. A brand is safe from this liability only if it can prove that it was “not in any way responsible for the event giving rise to the damage”.
The second reason is financial. The administrative fines provided for in the GDPR (and in the proposed ePR) rise to 4% of “total worldwide annual turnover of the preceding financial year”. Apple, for example, will be exposed to €7.6 billion if it or service providers acting on its behalf misuse personal data. For P&G the exposure will be €2.3 billion, based on its 2016 turnover, and for Unilever the exposure will be €2.1 billion. It is not known yet whether data protection authorities will apply these maximum fines, but this new risk is now defined in the text of the Regulations. This potential exposure is so great that agencies can not adequately indemnify brands against losses.
New pressure on brand-agency relationship
This introduces new pressures to the relationship between brands and agencies. Brand-agency contracts generally include limited indemnities. As brands become aware of the risk to which they are about to be exposed, they will expect agencies to take on far greater liability. As a result, contract negotiations between brands and agencies will become fraught.This has already happened in the cloud services industry, where both service providers and clients are acutely aware of the risks and argue fiercely over indemnity.
Not only will advertising agencies be unwilling to take on vast, new liabilities to protect their clients, they may be unable to do so too. Agencies may be inadequately covered by their insurers to offer adequate indemnities to brands. Indeed the exposure may be so great that the question may not be whether an insurer can cover the agency, but whether a re-insurance provider can cover an insurer to do so. The data leakage inherent in the online behavioural advertising system means that insurance and reinsurance companies are likely to take a dim view of the risk involved.
Three causes of brand risk
This leads to the question of what things expose brands to risk. There are three things to consider.
1. The brand’s own personal data
The first type of exposure comes from how brands directly obtain and use personal data. They are exposed in several ways, including if they use personal data that are not compliant, or if their web sites leak these data, or if the personal data they hold are otherwise breached. These causes are immediately decipherable, and are easily remedied.
2. Augmenting personal data held by the brand with broker data
The second type of exposure is less obvious. Many brands purchase data to augment the profiles they maintain of their customers, or of advertising targets. This is seductive from a marketer’s perspective. For example, one data seller offers brands the ability to “tie online and offline data across multiple channels back to the consumer … and activate upon them everywhere”. Brands can buy the location, real names, contact details, interests, purchasing history, and demographic information of customers for whom one has some data from a data broker, to “accurately identify the precise locations of your customers or prospects”.
But however attractive this may be to a marketer, these data are fraught with risk because they are derived from personal data, or are themselves personal data. Combining these data of unknown provenance with a brand’s own first party data therefore exposes a brand to risk, irrespective of whether the brand’s first party data are compliant. There are four reasons for this (see box below).
The Four Dangers of Purchased Data
- The purchased data are personal data, or were generated from personal data, the use of which requires informed consent from the data subject. This is very unlikely to have been obtained.
- Personal data must be accessible, rectifiable, and portable, and a person has the right to object to profiling for direct marketing. These rights are very unlikely to have been adequately provided.
- Personal data can not include “sensitive data” as defined in the GDPR.
- Data subjects must be informed of and able to object to automated decisions that use personal data about them, such as segmentation, where this has a material impact. This is very unlikely to have been provided.
3. Using personal data in online advertising
The third type of exposure is the most challenging. Under the new rules it will be illegal for companies anywhere in the world to pass a European user’s personal information to another company, or to store these data, without agreeing a formal contract with the “data controller” (normally this is the company that requested the data from the user in the first place) that defines limits on how the data can be used.
This is challenging because the online behavioural advertising system passes personal data among countless parties including ad exchanges, retargeting systems, media owners, demand side platforms, data management platforms, and potentially among many unknown others. We drafted this 30 second explanatory video to show how sharing personal data within this system exposes both brands and agencies acting on their behalf to risk.
Snippets of the data discussion at the World Federation of Advertisers’ Global Marketing Week in Toronto 2017
For US-based companies the new rules may seem like an unwarranted European overreaction. But it is important to note that they contain many ideas suggested by American regulators almost a decade ago.
Brands have eleven months to resolve these issues before they become exposed. The first two types of risk – what brands do with their own data, and whether they contaminate these data with purchased data of unknown provenance – are comparatively easy to resolve. The third type of risk, which is inherent to the online behavioural advertising system, is far more difficult to address. But it is addressable. PageFair is now drawing together interested parties to collaborate on a Data Protection Platform that solves this problem.
Please share our call for collaboration on this with any colleagues who might be interested. We are keen to hear from agencies, brands, and publishers.
Thanks to Philip Lee, Partner, Fieldfisher LLP; Anna Buchta, Head of litigation at European Data Protection Supervisor; Rachel Glasser, Director of Digital Privacy at Groupm; Bethan Crocket at Groupm.
Sign up to PageFair Insider to get updates
See previous PageFair Insider notes on the ePrivacy Regulation and the GDPR:
- Why pseudonymization is not the silver bullet for GDPR
- Why the GDPR ‘legitimate interest’ provision will not save you
- European Commission proposal will kill 3rd party cookies
- Europe’s new privacy regime will disrupt the adtech Lumascape
- Video: data leakage in online advertising
PageFair statements at the European Parliament
- PageFair statement at European Parliament rapporteur’s ePrivacy Regulation roundtable
- Supporting new European regulation
Indeed, it would be impossible for them to do so in many cases. Seven of the nine data brokers in the FTC’s 2014 study provided data to each other. “It would be virtually impossible for a consumer to determine how a data broker obtained his or her data; the consumer would have to retrace the path of data through a series of data brokers”. “Data brokers: a call for transparency and accountability”, Federal Trade Commission, May 2014, p. iv.
Here is how this will operate. Current European rules require contracts between data controller and processor that guarantee that the processor handles the personal data only in the manner dictated by the controller. (see Data Protection Directive (95/46/EC) 1995 Article 17, para. 3. (URL: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046)) However, this is now backed up by new sanctions, and the GDPR will require that these contracts define the nature and duration of processing (Regulation (EU) 2016/679, Article 28, para. 3). Similar agreements must also be in place when one processor engages another (ibid., Article 28, para. 4), and a processor can only do so with express permission from the controller (ibid., Article 28, para. 2).