Organisations on the buy-side of a digital advertising transaction have a range of data protection compliance issues to consider. However, their job is made harder by the fact that in most cases they have no direct relationship with the individual who ultimately sees the ad, and because ad buys tend to be carried out by agencies.
This guide sets out a few key issues for advertisers, and other organisations on the buy-side, to consider when processing personal data in relation to digital ad buying.
Top tips for buy-side organisations:
Utilise first party data, but do so with care
Commonly advertisers wish to feed their valuable first party data into their digital advertising efforts. This might involve “on-boarding” offline customer data (e.g. from a CRM system), or collecting website or app user data through the operation of a pixel, in order to then build out audiences for digital ads.
The advertiser has primary responsibility for using and sharing this data in a compliant way. This means that privacy notices must be very clear about the way in which customer data will be used. Where cookies, pixels or similar technologies are used to collect website or app user data, ensure that opt-in, GDPR standard, consent, is obtained.
Where data is shared with third parties, for example, DMP providers, agencies or other demand side platforms (“DSPs”), make sure appropriate contractual restrictions are in place to ensure this data is only used for the advertiser’s purposes.
Be selective about enrichment, audience extension and other uses of third party data
The value added by a DMP provider is usually the ability to link the advertiser’s first party data with a range of other third party datasets, in order to enrich and extend the audiences.
In an ideal world, the advertiser and its agency would have complete visibility over the sourcing of third party datasets, to ensure that the data providers had collected the data in a compliant way.
However, in practice data providers are generally reluctant to give advertisers this visibility, or will give only general assurances, leaving advertisers in the difficult position of assessing whether or not to make use of the data.
Some risks can be mitigated by prioritising direct deals with data providers over DMP-facilitated marketplace arrangements, on the basis that more source due diligence may be achievable. Otherwise, advertisers should give careful consideration to which third parties are strictly required for their campaigns, and use only reputable data providers.
Set clear guardrails for agencies and other intermediaries
Generally, it is the advertiser’s agency, or a DSP, which will execute programmatic ad buys on its behalf, and which will process user level bid data for this purpose. This is particularly the case for open real-time bidding type (“RTB”) transactions.
Advertisers should look to set some clear parameters on this. For example, advertisers could consider placing restrictions on the use of special category data, or could input on the list of publishers and sell-side intermediaries used for an ad buy.
Consider mix of transaction types
Some advertisers are increasingly looking away from open RTB, and placing greater emphasis on other types of ad buying transaction, including traditional direct deals, private auctions and programmatic guaranteed.
These alternatives to open RTB generally involve less sharing of data with multiple intermediaries, and in some cases less processing of user-level bid data and, therefore, are less likely to attract the attention of data protection regulators.
Risk assess and mitigate high risk activities
Advertisers should consider putting in place data protection impact assessments (“DPIAs”) to document the risks and mitigations for high-risk ad buying activities. In particular, this is recommended where third party datasets are used for enrichment, and where an advertiser makes heavy use of open RTB for its ad buys.
To download the digital ad buying practical guide, or to contact the wider Adtech team, please click here.