What's next for GDPR and data regulation? A Q&A with Jon Taylor and Mark Syal
A year after the introduction of GDPR (General Data Protection Regulation), Jon Taylor, SVP, Data Strategy at Essence and Mark Syal, Managing Director, EMEA, discussed what we've learned and what we might be able to expect in the future with Senior Director for Thought Leadership & Innovation Kate Scott-Dawkins.
Listen to the interview on SoundCloud, or read the transcript (edited for clarity) below
Kate Scott-Dawkins (KSD): Hello and welcome. You're listening to a special audio segment of the Essence client newsletter Adventures. On tap for today is a Q&A with two representatives of Essence’s product leadership who will answer questions on some of the impacts and learnings from the General Data Protection Regulation (GDPR) and other privacy regulation and what our clients should be watching for this year and in the future. Let me welcome Jon Taylor, SVP Global Data Strategy - hello Jon. And Mark Syal our EMEA Head of Product - hello Mark. Great, so what have we learned one year on from GDPR? Has it in fact had the intended results? And I'm thinking that answer might be quite different based on whether you're talking about users or companies, large and small.
Mark Syal (MS): I think it’s probably too early to tell if it’s had or is going to have the intended results, but it’s certainly had an impact. Some of those things were what was intended. If you look at companies and you look at their awareness of data issues, and the conversations they’re now having around the importance of handling data correctly and gaining consent, that’s now common, and I don’t think it was as common before the 25th of May last year. So, in that sense it has achieved an aim. On the other side, has it led to a huge change in the way data is used by people in ad tech, to target individuals and to select ads for people? I don’t think it really has. We’re seeing different ways of gaining consent, but people doing the same thing under the new regime, not doing different things.
KSD: Jon, we’re seeing more privacy legislation spoken about in the U.S. now as well. There’s California's Consumer Privacy Act (CCPA) and there was also a bill passed in Maine recently about Internet Service Providers (ISPs) needing to get permission from their customers to share data. So, the awareness that Mark was talking about - do you think that exists, maybe not in the same way, but does it exist in the United States or are U.S. companies going to have to play some serious catch up here?
Jon Taylor (JT): I think the awareness exists for sure, I mean, CCPA's grabbed the headlines when it comes to U.S. privacy laws and changes to those laws and so forth for quite a while now. It’s often written about as the GDPR of the U.S. which is probably not quite true, but is enough to make people sit up and take note. It’s also inspired a lot more state-level proposals than I think most people realize. You mentioned the recent Maine bill which went through that limits the power of ISPs to sell data without consent. There was something not dissimilar passed in Vermont last year, post Equifax data breach. There have been a number of other fairly high profile data breaches over the past couple years that have affected U.S. consumers, so I think both the public consciousness and the company consciousness is higher than ever. And I would say that the idea that companies apply more deliberacy to the way they think about their customer data and the data they acquire, to Mark’s point, I think that’s true in the U.S. as well, but not being part of an in-house counsel team, it’s hard to say whether companies are taking steps behind the scenes to prepare for what might come to pass from a legislation perspective. It’s early, there are lots of moving parts, there’s lots of speculation. All this stuff tends to get more complicated the higher up in government it goes, so I don’t think anyone is in a real position to place a bet on what they should do strategically just yet.
KSD: What about advertisers? How are clients coping with the loss of data management platform (DMP) [data] and log-level data - after changes that Google [and others] made last year? Mark, we’ll start with you on the EMEA clients and Jon jump in on what you’ve heard from global clients as well.
MS: Let me firstly say, there are quite a lot of clients in the industry who simply weren’t using that data, so they probably didn’t notice a huge amount of difference. At Essence, we were very reliant on that data. We really plumbed those depths, and built a lot of technical solutions that could use that data. So, in the two to three weeks in the run up to the 25th of May, we were getting a series of notices from vendors, who were all making decisions, allegedly as a result of GDPR, to change the way they were going to provide data and what data they were going to provide to us. With very little notice, we were finding that a lot of the uses were just becoming impossible. At one count, out of twelve use cases for log file data, nine stopped being possible in a two week window. And that’s made us think differently. We were able to replicate them in different ways, and I guess in more compliant, future-proof ways within about two months of that, we’d got most of those use cases back in one way or another. So, although it created a huge amount of work for us at the time, it has made us think differently and it led to a lot of invention in a very short space of time. Yeah, it was very disruptive though, I have to say. For the clients who were heavily into it, it caused a lot of work, and it’s created a lot of workarounds, a lot of invention which may have some positive impacts later, down the line. Those clients who weren’t using it of course wouldn’t have been impacted.
KSD: So that’s really contrary - I think a lot of the, or not a lot, we heard some argument from some companies leading up to a lot of these rules and especially GDPR where they were worried that these kinds of restrictions were going to limit innovation and what I'm hearing is that that didn't happen, that it actually created some future-proofing and invention, as you said, in response to this.
MS: Yes. I mean, I haven’t got a crystal ball, but it has certainly made us think differently and think of new methods, and that’s not always a bad thing.
KSD: What about user experience? I want to touch on that quickly. That’s another topic we’ve seen a bit in these “one year on” wrap ups. There have been a lot of cookie acceptances. Are advertisers feeling any blow back from that, or is it just the new normal now?
MS: We’re seeing this globally now, aren’t we? In general, for the average user, it’s gotten a lot worse. The consent notices are so hard to avoid that now I think most users would say that it’s worse than it used to be. So from that perspective, I think things haven’t taken a step forward. Also, this is another example of people trying to do the same thing they were doing before and finding a workaround no matter how painful, in order to achieve that. The way those consents are being gathered, the Interactive Advertising Bureau (IAB) consent framework for example - we don’t actually know if that’s compliant or not. Only now are we starting to get enforcement of the regulations, so we’re starting to see some court cases, we’re seeing some sizable fines have been levied for the first time in the last three months or so. We’re only just finding out now what the specifics, the implementation of the law actually is. So I don’t know whether the current workarounds are permanent and if they are justified in terms of satisfying that regulation, or if we’ve got it wrong [as an industry] and will have to think again in a few months’ time.
KSD: Speaking about regulation, Jon you’ve spoken about this before, but what needs to happen especially with government and their understanding to make this new world ecosystem work?
JT: It’s probably fair to say that at the moment, the state legislatures are somewhat wiser to a lot of these issues than they’ve ever been, but maybe even more so than federal government at this point. Judging by some recent Q&As with some of the leaders of our industry, it’s clear that U.S. government is quite far behind in terms of their knowledge and their ability to even ask basic questions about how the internet works. We probably shouldn’t be completely surprised by this, but unless we want to go down a path where we have CCPA-like regulation in multiple states, then the federal government needs to think about how do we create a system that is equitable for all, but at the same time maintains some level of comprehensiveness, that has parity with what the states are able to create. If the federal government tries to come up with something to pave over what states themselves could do on their own steam, if those proposals are weaker than what the states themselves can enact, then they will reject them. There’s a lot of catching up to do if we’re going to see any country wide regulation. It’s going to have to be devised by a group of people that I don’t think exist in the government today in order for it to be effective, and credible.
KSD: So you think we have to wait for a generational shift in government for this?
JT: I don’t know about that. Brian O’Kelley [former CEO of AppNexus] seems to fancy a go at making some changes, so let’s see if guys like him can be successful.
KSD: Before we move on from regulation, any other thoughts on [The ePrivacy Regulation] Mark? Anything else you’re seeing in EMEA or the wider world?
MS: Things have gone very quiet on the ePrivacy front. At one point, that was going to come shortly after GDPR, it didn’t. The latest is that we’re expecting something to come in 2021, so a couple of years’ time. It’s still a bit vague as to what that’s going to entail, but there are two or three things we do know -
It will be a regulation, like the GDPR, which means unlike a directive, which applies only to EU citizens in the EU, the regulation will be like GDPR, so it’s EU citizens wherever they are. So if a media company from outside is profiling EU citizens, that will come under the scope of [ePrivacy] and it will probably feature the same kind of fines, you know those eye-watering four percent of global turnover type fines for infringing upon it. It will be something that everyone will have to pay attention to.
It’s going to restrict some of the things we do already. Not necessarily in a bad way, but further restrict some of the tracking that people do using cookies for example or other unique identifiers. Right now, you can do quite a lot using justifications that you need to do it for analysis or because your business relies on doing it. In the future, we may find it harder to do things like capture order values as we track people through websites, and then append order values and cash amounts or profitability, or whatever it is to those orders to analyze campaigns. That may not be possible anymore.
We have to wait and see what actually happens as the regulation comes out in a couple of years. A lot can happen in that space of time, and I think that will make traditional tracking even harder and we’ll have to pursue other avenues. But again, that may not be a bad thing. We’ve all gone down this route of tracking because it’s been easy. Data has been provided to us and literally delivered to us every day, or [in real time] in some cases. We’ve gotten used to that and built things on it because it’s been very convenient - but we need to think differently.
KSD: We’ve talked a lot about logged in users as the next, more universal, or I don’t want to say simple, way of tracking users, but does that look more and more likely? In the U.S., probably through EMEA to a large extent, we have these large - Facebook, Google, Apple (though they won’t share their ‘Sign in with Apple’ or logged in users) and in China you have the BAT (Baidu, Alibaba, Tencent) who can offer advertisers this persistent user using logged in data. Does that look like more and more where at least a portion of the industry is going?
JT: I think we’ve been headed that way a long time. We’ve gone from talking about using labels like “walled gardens” to talking about “logged in ID spaces.” Sort of a pre- and post-GDPR context, but it’s essentially the same thing. I don’t think that much is changing on that front. The thing we have to look at more closely is what’s happening with browsers. Because conceivably, the browser could be the superset engine for all of that if data could be handled in a way that made sense for users. I doubt it will ever head that way. I think we’re headed down a different path at the moment, if you look at what’s happening with Intelligent Tracking Prevention (ITP) and the changes Apple are making at a breakneck speed. There was an assumption with GDPR that first party data would get absolutely crushed from the moment GDPR came into force. But from what we’ve seen, if you look at our clients’ DMPs, the losses there are surprisingly marginal post-GDPR. I think a lot of it has to do with the fact that most of our clients have opt-in and consent frameworks that were quite close to the expectation of GDPR anyway. Maybe not the mechanisms with which to collect that, which, to Mark’s point before, is quite disruptive. I don’t live in the U.K. now, but when I visit and I try and go and browse a website, it’s irritating to say the least. We didn’t see huge losses to first party data pools - even for those clients who may have had a less direct relationship with their customers and were probably less rich in first party data anyway due to the nature of their business. Certainly GDPR was expected to create a huge impact on advertiser data, but I don’t think it’s anything compared to the impact that ITP versions are having, which seem to get worse with every roll out.
KSD: I want to tackle a slightly more thorny question, and the caveat here to address before we start is that this is purely hypothetical, not to be taken as advice or forecasting, but something I’ve seen discussed that I want to get your thoughts on which is around who ultimately owns the data? And that could be click data or DNA data or facial recognition data. We’ve seen more and more of this over the last [few] years - even recently Maurice Levy, formerly of Publicis, said users should be compensated for the data they provide. Some browsers have tried that. I’d love to dig into this in terms of the ownership of data and whether it’s compensated or not. Jon, maybe we start with you.
JT: I think a more effective measure than what maybe Maurice is suggesting would be re-establishing the true nature of the value exchange between the user and the publisher or service provider. This is a little bit philosophical, but I think you gave us that license with your caveat...Where we are today is because we as an industry have allowed ad funded models to be taken behind the scenes into these sort of greed machines, which when we get a glimpse of them, we’re horrified by what we see as consumers and as governments as well. The ultimate antidote is probably fewer, better ads that speak to human nature rather than your recent browsing history. But in terms of who owns data, I’d like to think, again philosophically, that it is me who owns my data. It is the consumer, the user who owns the data that they allow companies - Ancestry, or whoever else - to use to provide them back a service, a business around it. The difference between the past few years and where we are now, is that previously, the reason those behind-the-scenes machines were able to flourish was that users were never empowered or enabled to claim that data as [theirs]. But that idea of being able to claim your data is a core human tenet to GDPR, CCPA and other maybe less broad and comprehensive laws that are being passed and proposed. That’s my point of view. We’re moving to a world where data ownership rests with the user. I just don’t think that compensation through micropayments is an effective way to create an equitable state. That’s just making the user part of the transaction, part of the ecosystem.
KSD: Mark, do you think in the EU where GDPR took effect users feel more empowered? Is that philosophical shift starting to take place?
MS: I don’t think they do feel more empowered, no. I think they’re more aware of their data being captured, but I don’t think that in itself is making them feel more empowered. I think the things like controls within browsers, if that becomes much more widespread, will make them feel more empowered, but we can see it by the fact that, as Jon was saying earlier, a lot of clients haven’t seen a dip in first party data, and people aren’t really opting out of having their data captured by third parties because it’s just easier to click the consent button. It means people aren’t really feeling like they’re in control, or they’re not exercising that control. At the end of the day though, we shouldn’t forget that people are swapping their data in return for free access to a lot of very good content. I think people do deep down understand that if everything was paid for, they’d be consuming far less quality content than they are now. There is a value exchange there, at the heart of things. But there are still people who exist in the ecosystem who only harvest data and don’t provide content, and so it’s not always an equitable swap. I think until it starts being a more equitable swap, people won’t feel the benefit.
JT: I agree with that. I don’t think the first thing people think though, when they see an ad is “Oh, this is paying for my content that I’m enjoying.” There aren’t that many people that have a good sense of the internet economy in that way. I suspect it’s even fewer, actually, than the number who submitted individual complaints about companies from a GDPR perspective. I think the International Association of Privacy Professionals reported 144,000 individual complaints about rights to data access and fair processing, and all those types of things. It’s still a relatively small number relative to the total population of the European Economic Area, but certainly 150,000 people making complaints suggests to me that there’s more empowerment there than there used to be. But again, I’m looking at this from across the Atlantic.
KSD: [On that point] Ofcom just released their recent [Adults: Media use and attitudes] report about U.K. digital users and there were some stats in that around how many people recognized one form of the ways companies tracked them or used data as opposed to how many could name all of the ways companies collect and use data, and it was certainly a much smaller percentage of British citizens who could name all the forms. They were also looking at who understood what advertising paid for versus, say for the BBC, what the license fee paid for. So I think there is still some education to do for users globally, right, around what it is that advertising pays for, what they’re getting, and whether they believe that’s a good value exchange, if that’s the term we’re using.
MS: There are quite a few court cases around the use of image data and facial recognition data at the moment. There are quite a few in New York, and also in London now. It’s interesting that the ones in Europe, they’re not using GDPR as a justification for the prosecution, they’re actually saying it infringes [on] human rights. They’re going down the path of the “right to a private life” [article] of the [U.K.] human rights regulations rather than “that’s my data, and you haven’t sought my permission to capture it.”
KSD: I’m sitting in a studio here in San Francisco, which is, I believe, the first city to ban the use of facial recognition by city officials, so we’ll see how that plays out and whether more cities, or countries make that decision, at least until we understand it better or until the regulations catch up to technology. Which, at the rate of technology, I’m not sure when that’s going to happen.
MS: I do think that there’ve been a lot of positives that have come out of it. I don’t think we’ve yet seen the full impact either, so it’s quite hard to say what the impact’s going to be. There are quite a lot of court cases going through in France, for example at the moment around platforms and the way they gather consent, which they think is watertight and there are those who think it isn’t. So, that’s all yet to be decided. The IAB framework, which everyone is adopting happily at the moment, may not be the answer to the regulation in terms of gathering consents and then passing the ability to use data on to other parties without being entirely explicit about who those parties are. That may not be in keeping with the spirit [of the regulation]. Platforms denying people use of the platform functions, before an opt-in is provided, that may not be in keeping with the regulation. In the next twelve months, quite a lot of that will become apparent as court cases come and go. But I do think it has spurred innovation in thinking. If there’s one good thing that can come out of this, if we don’t rely on the cookie-based tracking that we have been relying on, we may be encouraged to stop thinking about short-term ROI in quite the same way, and start thinking more about short- and long-term ROI which could be one of the biggest benefits of all this. A more rounded approach to optimizing our campaigns.
KSD: Let me thank both of you for joining us, again, Mark Syal in our London office and Jon Taylor in New York.
JT: Thank you.
MS: Thank you.
KSD: We’ve been talking to Jon Taylor and Mark Syal about GDPR and what we’ve seen one year on, as well as upcoming regulation in the United States. If you have any questions or want to discuss this further, please reach out to [email protected]