Privacy and data protection regulations impact the work of every advertising, marketing and PR communications professional around the globe, and the focus on privacy by consumers and regulators continues to increase. W2O’s team is tracking the most important news and changes that directly influence our industry, including the latest on legislation, new privacy technology, enforcement actions, analysis and thought leadership in privacy and data protection.
Here’s the latest news we’re paying attention to right now. This week’s news includes a French startup avoiding GDPR fines by quickly complying, second-party deals beginning to rise as a result of privacy legislation, data subject access request phishing, private blockchain usage guidance from CNIL, and IAB begins testing on their use of blockchain for consent management.
One of the first companies to get the attention of French CNIL regulators under GDPR for processing data without consent made the necessary changes to comply and avoided fines. It took the company roughly two months to implement proper privacy and consent controls.
What this might mean for brands – Some observers suggest that while fines under GDPR can be severe, companies that take appropriate action when receiving a complaint will not necessarily suffer the full potential penalty. Many believe that EU regulators see GDPR as a way to encourage compliance, not necessarily a method of penalization. That said, no one knows what CNIL will do next, and if it will choose to make an example out of the next violation.
While GDPR has not yet had the far-reaching consequences to the ad industry that some feared, it is changing ad buying behaviors. With increases in the use of contextual targeting and consolidation into the large ecosystems, some publishers are reviving the use of second-party data partnerships. Similar to targeting known audiences on large ecosystems like Facebook, first party advertiser data is being used more and more within large multi-property publisher ecosystems to target both known and look-a-like audiences.
What this might mean for brands – Large publishers are creating new models that combine and unify audience data sets across their multiple owned publications, and that will give them both scale and a closed ecosystem with verified consent that brings them into competition with Google, Amazon and Facebook. Some organizations have shifted advertising budgets away from programmatic and towards the “big three” as they perceive them to be safer for compliance than third-party targeting, and now larger publishers are beginning to offer similar benefits.
Ever since fraudulent emails claiming to be Airbnb tried to use GDPR update emails to steal user information, attention has been focused on preventing exploitation – particularly exploitation of data subject access requests – which could allow a phisher to impersonate a data subject. Spotify was the first company to make the news for releasing data subject information to a hacked account, and the recent Facebook hack is placing more focus on this potential use of GDPR to steal private data.
What this might mean for brands – Many believe that these types of privacy breaches will increase in the future. Two factor authentication, while not a legal requirement of GDPR, has been posed as a relatively simple solution instead of simply releasing information to logged-in accounts as Spotify did. Brands would be well advised to build this type of identity verification into their data subject access request work flows and privacy governance processes.
The concept of blockchain inherently seems to conflict with GDPR “right to be forgotten” – essentially the right to request erasure of the data – which is not currently possible on public blockchain networks. Recently, France’s Commission Nationale de l’informatique et des Libertés (CNIL) became the first European data protection agency to offer guidance. CNIL determined that users of blockchain ledgers can be classified as data controllers under GDPR. They also stated that erasure can be possible on private blockchains by deleting private keys to which users access the blockchain. There is already debate as to whether this will work in practice, and whether destroying access keys amounts to erasure under GDPR. Regulating public blockchains like Bitcoin and Ethereum will pose a much greater challenge because they are already decentralized.
What this might mean for brands – Businesses who choose to use blockchain technologies need to be mindful that such usage could present difficulties in complying with GDPR, and particularly the “privacy by design” provisions. CNIL’s paper calls on organizations to consider whether it’s appropriate and suitable to use blockchain technology over an alternative for processing of personal data.
The opinions expressed in this post do not constitute or represent legal advice. No liability is accepted by the authors or W2O Group for any action taken or not taken based on the information or any associated communications.
If you’re interested in learning about W2O, check out our About and Healthcare pages.
Want to chat? Drop us a line.