Privacy and data protection regulations impact the work of every advertising, marketing and PR communications professional around the globe, and the focus on privacy by consumers and regulators continues to increase. W2O’s team is tracking the most important news and changes that directly influence our industry, including the latest on legislation, new privacy technology, enforcement actions, analysis and thought leadership in privacy and data protection.

Here’s the latest news we’re paying attention to right now. This week’s updates include a 60 Minutes news feature on GDPR, Dutch Regulators finding Microsoft GDPR violations, and new surveys indicating the rising importance of privacy protection for both consumers and marketers.

GDPR and the Marriott Mega-Breach

Last week Marriott revealed that a Starwood guest reservation system had been hacked in a breach going back to 2014, potentially exposing the personal data of 500 million people. It is not currently known ifMarriott reported the breach to EU data protection authorities within the 72hour maximum allowed by GDPR – but assuming that data of those based in the EUis included in the breach, Marriott could face a massive fine. That said, it is likely that any fine will depend on how quicklyMarriott acted and an investigation will likely take many months.

What this might mean for brands

Adding fuel to fire, this breach is already causing US senators to call for both data breach penalties and more robust privacy laws. Specific to GDPR, attention will be given specifically to “data protection by design” and “purpose and usage limitation” clauses. Expectations of data privacy will continue to rise, particularly for brands who hold very sensitive information such as passport data. Brands who hold personal data should expect further media and public attention, and be prepared with full data privacy programs.

Irish Data Protection Commissioner Investigates LinkedIn

A recent report published by Ireland’s Data ProtectionCommissioner (DPC) lists several investigations that have previously been widely known about, including Facebook and several others – and it also included an investigation that had not been previously reported detailingLinkedIn’s use of email addresses to target advertising. The DPC discovered that LinkedIn had obtained 18 million emails from non-members, and used these to advertise for new members on Facebook. The DPC indicated the complaint was ultimately resolved thanks to LinkedIn making several changes that stopped the use of the data in question – although it is not clear how LinkedIn obtained the email addresses.

It was also revealed in a resulting audit that LinkedIn was using algorithms to “suggest professional networks” for non-members in attempts to get more people to join. The DPC ordered LinkedIn to cease the “pre-compute” process and delete all personal data associated with it. Fines have not been issued, likely because the infractions mostly took place before GDPR came into effect.

What this might mean for brands

Brands should be conducting comprehensive audits of their data sources and uses as part of their overall GDPR programs. Particular attention is being paid by regulators to third party data usage for marketing, and documentation of the lawful basis of processing, and if needed consent, are key to ensuring compliance.

‘Consent String Fraud’ Worries Appear

Consent strings were first created by the Interactive Advertising Bureau (IAB) Europe as a relatively easy method for tracking consent between various parts of the advertising technology ecosystem. These numeric strings act as a record of consent combined with vendor id numbers assigned by the IAB, and Google has their own version which is not interoperable with the IAB version. This record is then used by adtech to determine if personalized ads can be served or not with a simple 1/0,Yes/No verification.

Unfortunately, it’s relatively easy for vendors to either mistakenly or fraudulently change a 0 to a 1. Errors can and do occur when moving back and forth between the IAB and Google frameworks – which is a technical challenge to solve, and changing the value as part of an ad fraud scheme is also happening. It is currently unclear how regulatory authorities will react, and legitimate vendors are beginning to express their worries.

What this might mean for brands

With GDPR well established and California’s CCPA on the way, brands should be auditing their ad tech ecosystem to ensure their consent frameworks are compliant with all applicable legislation.


If you’re interested in learning about W2O, check out our About and Analytics pages.

Want to chat? Drop us a line.