
Deck at GDPR Summit at Croke Park.

Slides from presentation at GDPR Summit.

Published in: Business

  1. 1. WHY ETHICAL DATA WILL SAVE ONLINE MEDIA Dr Johnny Ryan @johnnyryan
  2. 2. “Behavioural” ad targeting & “programmatic” trading. (This jargon means: automatic auctions for the right people’s attention)
  3. 3. Diagram: Visitor, Site, Brand, $.
  4. 4. Diagram: Visitor, Site, SSP, Ad Exchange, DSP, DMP, Brand, $, with the “Supply side” and “Demand side” labelled.
  5. 5. Same diagram: Visitor, Site, SSP, Ad Exchange, DSP, DMP, Brand, $ (“Supply side”, “Demand side”).
  6. 6. Same diagram, adding the flow: store data.
  7. 7. Same diagram, adding the flow: request segment.
  8. 8. Same diagram, adding the flow: deliver segment.
  9. 9. Same diagram, adding the flow: request page.
  10. 10. Same diagram, adding the flow: serve page.
  11. 11. Same diagram, adding the flow: Ad request.
  12. 12. Same diagram, adding the flow: cookie to SSP.
  13. 13. Same diagram, adding the flow: ad request.
  14. 14. Same diagram, adding the flow: bid request.
  15. 15. Same diagram, adding the flow: deliver ad.
  16. 16. Same diagram, adding the flow: sync.
  17. 17. Same diagram, adding a second flow: sync.
  18. 18. Diagram: The Daily Bugle, four Exchanges, and many DSPs and DMPs.
  19. 19. Same diagram, with question marks and the label ADVERTISEMENT added.
  20. 20. DATA LEAKAGE IN ONLINE ADVERTISING. This is the current process of real-time bidding that is used in online behavioural advertising.
      Step 1. User requests webpage.
      Step 2. Ad server selects an SSP.
      Step 3. SSP selects an exchange.
      Step 4. Exchange sends bid requests to hundreds of partners.
      Step 5. Exchange lets some DMPs/DSPs refresh cookie sync.
      Step 6. Exchange serves winning bid.
      Step 7. DSP serves agency creative.
      Step 8. Assets load from CDN.
      Step 9. Agency ad server loads verification vendor.
      Diagram labels: website.com, AD, Ad server, Ad server javascript, SSP, SSP javascript, Ad exchange, DMPs, DSPs, Winning bid, Winning DSP, DSP javascript, Agency ad server, Verification vendor, Verification javascript, CDN, ADVERTISERS.
      Legend and labels: Channel of data leakage; Personal data; Money; Risk.
  21. 21. Any one of the hundreds of parties receiving personal data from ad exchanges can share it with unauthorized parties, and an ad unit can contain JavaScript that summons unauthorized trackers. (Diagram: The Daily Bugle, ADVERTISEMENT.)
  22. 22. CONSENT
  23. 23. Consent. GDPR & ePrivacy Regulation: Businesses must obtain consent to use personal data.
      • It must be specific and informed. Cannot be buried in “Terms & Conditions”.
      • Consent cannot be disruptive. Must be obtained freely, without detriment. (Consent Walls may or may not be permissible.)
      You must tell the user:
      • Who or what type of party is receiving the data.
      • What are the purposes of processing, and the legal basis for that.
      • How long the data are stored (or what criteria determine duration).
      • If giving the data is part of a contract, what are the consequences of not providing the data.
      • If the data are being transferred to a third country, what safeguards or binding corporate rules are in place.
      • In cases of automated decision-making, including profiling, what logic is applied and what is the significance of the outcomes.
  24. 24. Survey charts. Questions: “How confident are you that the average user will click ‘OK’ to share data with other companies?” and “How concerned are you about your online behaviour being tracked?” Response scale: Not at all; To a small degree; Moderately; Highly; Very highly. Values as shown: 5%, 7%, 21%, 35%, 32%, 32%, 32%, 21%, 12%, 4%.
  25. 25. A [probably non-compliant] CONSENT REQUEST. Scenario: a website requests consent to share data with a brand for product offers.
      Pop-up Dialog: “We would like to share your browsing habits on our site with Brand Name and their analytics partners, to understand what offers may be of interest to you. These data will be deleted after 6 months. You can withdraw permission at any time in My Data. Learn more?” Buttons: OK, No.
      Annotations:
      • Purpose of processing, and notification of profiling. Article 13, para 1, c, and para 2, f.
      • Duration. Article 13, para 2, a.
      • Text links to tool for withdrawing consent. Article 7, paragraph 3.
      • Text links to tool to complain to supervisory authority, and to access, correct, and transfer data, etc. Article 13, para 2, b, c, and d.
      • Can say no. Recital 42.
      • Details of recipients and categories of recipients. Text links to contact details of the controller and their data protection officer. Article 13, para 1, a, b, and e.
  26. 26. Thinking of yourself as a visitor to websites, what would you select if shown this message? Pop-up Dialog: “We would like to share your browsing habits on our site with Brand Name and their analytics partners, to understand what offers may be of interest to you. These data will be deleted after 6 months. You can withdraw permission at any time in My Data. Learn more?” Buttons: OK, No.
  27. 27. Thinking of yourself as a visitor to websites, what would you select if shown this message? Pop-up Dialog: “We would like to share your browsing habits on our site with Brand Name and their analytics partners, to understand what offers may be of interest to you. These data will be deleted after 6 months. You can withdraw permission at any time in My Data. Learn more?” Buttons: OK, No. Results as shown: 79%, 21%.
  28. 28. Might GDPR consent requests look like this? Dialog: “Help us keep Example.com profitable. Please allow your browsing habits on our sites to be shared with [Consortium] and its participants. We will then be able to identify offers that are more interesting to you, and process business transactions with our partners. (Alternatively, we will use generic ads, which might be less interesting to you.) You can cancel at any time by clicking the icon on any ad. Learn more about your data.” Controls: OK, No, OK, 6 months, 12 months.
  29. 29. Might GDPR consent requests look like this? Dialog: “Help us keep Example.com profitable. Please allow your browsing habits on our sites to be shared with [Consortium] and its participants. We will then be able to identify offers that are more interesting to you, and process business transactions with our partners. (Alternatively, we will use generic ads, which might be less interesting to you.) You can cancel at any time by clicking the icon on any ad. Learn more about your data.” Controls: OK, No, OK, 6 months, 12 months. Annotations: duration; “Ad choices”?
  30. 30. Might GDPR consent requests look like this? Dialog: “Help us keep Example.com profitable. Please allow your browsing habits on our sites to be shared with Open ID participants. We will then be able to identify offers that are more interesting to you, and process business transactions with our partners. (Alternatively, we will use generic ads, which might be less interesting to you.) You can cancel at any time by clicking the icon on any ad. Learn more about your data.” Controls: OK, No, OK, 6 months, 12 months. Listed parties, with seven “i” icons: [Ad exchange], [Ad exchange], [DMP], [DMP], [DSP], [DSP], [Verification vendor]. Label: [Consortium] and its participants. Annotation: Each controller, and the categories of processors.
  31. 31. Probably should look more like this. Dialog: “Help us keep Example.com profitable. Please allow your browsing habits on our sites to be shared with Open ID participants. We will then be able to identify offers that are more interesting to you, and process business transactions with our partners. (Alternatively, we will use generic ads, which might be less interesting to you.) You can cancel at any time by clicking the icon on any ad. Learn more about your data.” Label: [Consortium] and its participants. Annotations: Granular consent; Long list (Viewing 2 of 251 partners).
      • Axciom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany. Learn more. Place a cookie in your browser to track what you are doing on this website and other websites around the internet. Receive information from website operators about you, such as your name, address, email address, age, gender. Combine information about you from different websites. [learn more] Use your name, email address and other (toggle: OFF)
      • Google Ltd., Gordon House, Barrow St, Dublin 4, Ireland. Learn more. Store a unique tracking cookie so Google can recognise you as you move between websites. [learn more] Analyze content you read to better understand you. [learn more] Count the number of times you see each ad. [learn (toggle: OFF)
  32. 32. Probably should look more like this. Dialog: “Help us keep Example.com profitable. Please consider providing consent to the following companies to use your personal data.” Viewing 2 of 251 partners. Button: Proceed to website.
      • Axciom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany. Learn more. Place a cookie in your browser to track what you are doing on this website and other websites around the internet. Receive information from website operators about you, such as your name, address, email address, age, gender. Combine information about you from different websites. [learn more] Use your name, email address and other information to combine your online data with offline records, such as warranty cards, online competitions, court records, DMV records, banking records, retailer transactions. [learn more] Use information about you to sell marketing segments to advertisers that are based on your personal data. [learn (toggle: OFF)
      • Google Ltd, Gordon House, Barrow St, Dublin 4, Ireland. Learn more. Store a unique tracking cookie so Google can recognise you as you move between websites. [learn more] Analyze content you read to better understand you. [learn more] Count the number of times you see each ad. [learn more] Analyse your web browser, mouse movements and browsing history to determine the likelihood you are human. Monitor your activities on this website to measure out what ads you view. [learn more] Synchronise Google’s tracking cookie with partners, so we can (toggle: OFF)
  33. 33. ePrivacy Regulation
  34. 34. MUST BE ASKED AT INSTALLATION. Based on the e-Privacy Regulation draft text amended by the European Parliament LIBE Committee’s Rapporteur’s draft report, June 2017. Amended Recital 23 makes rejection of third party trackers and cookies the default.
      Dialog “Tracking Preferences”: Accept all tracking; Reject all tracking; Reject tracking unless strictly necessary for services I request; Accept only first party tracking. Button: OK.
      Note: this is proposed in recital 23 as amended, but recital 21 says that consent is not required for “technical storage or access which is strictly necessary and proportionate for … the use of a specific service explicitly requested by the user”.
  35. 35. Thinking of yourself as a visitor to websites, what would you select if shown this message? Dialog “Tracking Preferences”: Accept all tracking; Reject all tracking; Reject tracking unless strictly necessary for services I request; Accept only first party tracking. Button: OK. Results as shown: 56%, 20%, 19%, 5%.
  36. 36. Survey chart: Do you believe that users will opt-in to tracking for the purposes of advertising? Answers: No; Yes; Yes, if denied access to the site otherwise. Series: 1st party tracking on a website. Values as shown: 51%, 64%, 13%, 23%. Annotation: Can not deny access. Article 7(2) prohibits conditionality.
  37. 37. Survey chart: Do you believe that users will opt-in to tracking for the purposes of advertising? Answers: No; Yes, if denied access to the site otherwise; Yes. Series: 1st party tracking on a website; 3rd party tracking on a website; Tracking by any party, anywhere on the web. Values as shown: 3%, 3%, 32%, 65%, 46%, 51%, 64%, 13%, 23%.
  38. 38. Outlook for Publishers. Now: Agencies and adtech take 50% or more of brand spend. Publishers get what's left. (Diagram: USERS, PUBLISHERS, BRANDS.)
  39. 39. Outlook for Publishers. After 25 May: Publishers take control, and agencies and adtech must rely on them. (Diagram: USERS, PUBLISHERS, BRANDS; slide 24.)
  40. 40. GDPR scale (digital advertising)
      5 Needs “opt-in” consent, but is unable to communicate with users
      4 Needs “opt-in” consent, but user has little incentive to agree
      3 Needs “opt-in” consent, and may get it
      2 Can show an “opt-out” before using data
      1 Out of scope of Regulation if business is modified
      0 Already out of scope of the Regulation
  41. 41. GDPR scale: FACEBOOK
      5 Needs “opt-in” consent, but is unable to communicate with users
      4 Needs “opt-in” consent, but user has little incentive to agree
        • Facebook Audience Network
        • WhatsApp advertising (see assumption 1)
      3 Needs “opt-in” consent, and may get it
      2 Can show an “opt-out” before using data
        • NewsFeed ads (based only on personal data with no “special” personal data (e.g. ethnicity, political opinion, religious or philosophical beliefs, sexual orientation), unless marked “public” or visible to “friends of friends”) (see assumptions 1 and 2)
        • Instagram ads (see assumption 1)
      1 Out of scope of the regulation, if business is modified.
      0 Already out of scope of the regulation.
      Assumption 1. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6, paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR Article 21, paragraphs 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must consider are “the impact of the further processing on the data subjects”.
      Assumption 2. GDPR Article 6, paragraph 4, c, indicates a higher bar for “special categories of personal data” that reveal race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, or related to a data subject’s sex life or sexual orientation. However, this does not apply if the data have been “manifestly made public by the data subject” (GDPR, Article 9, paragraph 2, (e)). This may mean that the publicity settings that a user places on their post will prevent or enable those posts to be mined for advertising.
  42. 42. GDPR scale: GOOGLE
      5 Needs “opt-in” consent, but is unable to communicate with users
      4 Needs “opt-in” consent, but user has little incentive to agree
        • Most personalized AdWords ads on Google properties including Search, Youtube, Maps, and the Google Network (including “remarketing”, “affinity audiences”, “in-market audiences”, “demographic targeting”, “similar audiences”, “Floodlight” cross-device tracking), “customer match”, “remarketing” (see assumption 1)
        • Gmail ads
        • Programmatic services (DoubleClick)
      3 Needs “opt-in” consent, and may get it
      2 Can show an “opt-out” before using data
        • Location targeting in Maps (see assumption 2)
      1 Out of scope of the regulation, if business is modified.
        • AdWords (if all personalized features are removed) on Google properties including Search, Youtube, Maps
      0 Already out of scope of the regulation.
        • “Placement-targeted” ads on Google properties.
      Assumption 1. That the average user does not “sign in” to Google Search or Chrome. If, however, users did sign in then Google may be able to further process their data for other purposes.
      Assumption 2. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6, paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR Article 21, paragraphs 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must consider are “the impact of the further processing on the data subjects”.
  43. 43. WHAT SHOULD ONLINE PUBLISHERS & ADTECH COMPANIES DO?
  44. 44. STOP ALL DATA LEAKAGE // Consent is meaningless, unless it is enforceable.
  45. 45. Diagram labels: Fossil Fuel; Renewable Energy; N2O; CO2. Regulatory disincentive: OLD INDUSTRY. Regulatory incentive: NEW CLEAN INDUSTRY.
  46. 46. Diagram labels: Ads (Conventional Data): Personal data; Ads (Ethical Data): Non-personal data; Fossil Fuel; Renewable Energy; N2O; CO2. Regulatory disincentive: OLD INDUSTRY. Regulatory incentive: NEW CLEAN INDUSTRY.
  47. 47. Diagram labels: Ads (Conventional Data): Personal data; Ads (Conventional Data): Personal data with consent and enforceable protection (HYPER PREMIUM, SMALL MARKET //); Ads (Ethical Data): Non-personal data; Fossil Fuel; Fossil Fuel + Classic Cars; Renewable Energy; N2O; CO2. Regulatory disincentive: OLD INDUSTRY. Regulatory incentive: NEW CLEAN INDUSTRY.
  48. 48. Summary: 1. Today, websites leak personal data to unwarranted parties. 2. Consenting audience will be tiny. 3. Transition to non-personal data is the answer.
  49. 49. johnny@pagefair.com @johnnyryan
