What’s the Problem?
While GDPR covers a range of rights for citizens and responsibilities for data handlers, the main point of contention for RTB is consent. Unlike some other data regulations, companies affected by GDPR must gain meaningful consent before collecting personal data. Implied consent is no longer sufficient.
Prior consent is also needed for changing the way companies handle data, such as passing it on to third parties. That raised the issue of whether it’s technically viable to do this in the context of real-time bidding.
We Can Work It Out
IAB Europe’s Transparency and Consent Framework is designed to address a range of GDPR issues, and the organization’s CEO, Townsend Feehan, told AdExchanger that a solution is possible. He thinks RTB can operate without breaching consent rules, though he hasn’t detailed exactly how that would work.
One suggestion floating around is to have bidding on a “bucket” of users rather than an individual, thus avoiding the classification of personal data. The big problem there is that to be attractive to bidders, the “bucket” needs to be made up of people with common defined characteristics. That leaves very little wiggle room before simply being included in a bucket would reveal enough about an individual to constitute personal data.
RTB Fighting A Losing Battle
The other side of the argument is that trying to thread the needle to make RTB work with consent rules is a flawed premise because the real challenge comes with data protection. GDPR includes several principles such as collecting the minimum data necessary for the defined task, keeping it secure, and data controllers having responsibility for the way third-party processors handle the data.
The debate here is whether it’s even possible to meet the specific wording of the rules while still using RTB, or whether the practice is inherently unsuited to the intended purpose of GDPR.
The GDPR Waiting Game
As with most large-scale regulation, particularly in the tech sector, it’s not just the wording of GDPR that matters, but the enforcement and interpretation. That’s why it may take time and a few test cases before we really know if RTB can continue to work within GDPR’s confines.
It could also be an inconsistent picture. Unlike the more common directives that EU member states must enable through domestic law, GDPR is an EU regulation that automatically has legal effect across the member states. That doesn’t necessarily mean every country’s data regulators will enforce it in exactly the same way. For example, the UK’s Information Commissioner’s Office has already labelled RTB as intrusive and unfair, suggesting it will take a hardline approach to interpreting GDPR.
It could be a matter of years before a clear picture emerges, but at the very least any companies using RTB in Europe need to be thinking carefully about their options. There’s no immediate threat to RTB as a technology, but it’s not out of the question that complying with GDPR could limit its effectiveness. Whether that still leaves it as the best tool for the job remains to be seen.