Lotame’s prep for GDPR highlights big changes in data management
There’s tracking consent, providing data access and minimizing liability. Plus there’s the pending ePrivacy Regulation.
As data management platform (DMP) Lotame gears up for compliance with the upcoming General Data Protection Regulation (GDPR), some of the far-reaching changes are coming into focus.
First, there’s the matter of tracking consent by users across what General Counsel and VP of Global Privacy Tiffany Morris calls “the chain of custody.” This reaches from the time the user’s data is generated or collected at, say, a publisher’s website, through the various ways in which the data is used.
“Without attaching five million pieces of paper,” she said, “how do you pass consent across the chain?”
She noted that Lotame collects, categorizes, shares, combines and exports data for its clients, more than half of whom are first-party publishers. Others, like agencies, are third parties.
Under GDPR, which goes into effect on May 25 of next year, Lotame will need to track and record user consent for specific use cases of the data.
A visitor to a magazine site, for instance, might be presented with a pop-up screen that has checkboxes to grant consent for use of their data for a specific list of purposes, like targeting website content or sending the data to a third-party provider like Lotame for advertising.
In the current world, she told me, consent to use the data is usually handled through a contract. That is, Lotame’s ability to handle user data from a magazine publisher has been governed by a contract between the two companies.
But now, that user consent has to be explicit.
“The biggest change,” Morris said, “is that, in our current world, [user consent] is opt-out,” where it’s assumed you grant consent unless you specify otherwise.
In the post-GDPR world, she said, “it’s opt-in.” It’s assumed that the publisher — and therefore Lotame — doesn’t have a right to the personal data unless the user gives explicit consent.
One technical solution for attaching the various levels of each user’s consent to a set of personal data is a new universal consent standard that is being spearheaded by the Interactive Advertising Bureau (IAB) Europe, among others.
It creates a format that vendors can follow for attaching the different kinds of consent to a given set of personal data. Morris noted that Evidon, which launched what it described as the “first commercial-grade GDPR solution” this past July, is one of the vendors that is expected to offer services meeting this standard.
In addition to tracking consent, Lotame will also need to set up processes so that users can readily access their own data or opt out at a later time if they so choose.
Then there’s the issue of making sure that other providers and vendors in the data chain are in compliance with GDPR, so they don’t increase Lotame’s liability for GDPR’s considerable fines.
“You’ll see a lot of contracts,” Morris said, between vendors, clients, suppliers and partners involving indemnification, good faith efforts, transparency and similar efforts to avoid additional legal exposure because of another organization’s sloppiness.
While GDPR protects European Union customers anywhere in the world, Morris said Lotame will not make a distinction between markets but will apply the same GDPR-compliant processes for all data.
And there’s also the matter of the ePrivacy Regulation.
It covers different areas of data privacy than the GDPR, and a final version probably won’t be approved until the end of next year at the earliest. But it is intended as a complementary regulation to GDPR.
The ePrivacy Regulation “is very problematic,” Morris told me. While GDPR is focused on each site or app, she said, ePrivacy is focused on browsers having a default state of opt-out for personal data use and collection.
She pointed out that, among other things, the pending ePrivacy Regulation says that publishers can’t make access to user data a condition for getting access to content — which could mean the end of targeted ads unless consent has been given.
The conversion to the new privacy regulations “is going to be challenging,” Morris noted.