Jan 30, 2020

Cross-Industry Group Proposes GDPR-Grounded Model for Compliant AdTech

GDPR Recommended Technology Safeguards Enable Democratized Digital Marketing

Anonos, the leading data privacy and enablement technology provider, Acxiom, the data and technology foundation for the world’s best marketers; and the Information Accountability Foundation (IAF), the preeminent global information policy think tank, announced the formation of a ‘5th Cookie’ working group that supports exploration of using GDPR recommended technical and organisational safeguards to enforce greater accountability and ethics across the AdTech real-time bidding (RTB) ecosystem.

The ICO issued a June 2019 report highlighting shortcomings of the RTB industry in complying with data protection requirements under the GDPR. In follow up to the ICO report, two principal alternatives have evolved to solve the AdTech problem:

  • Closed Platform (often termed a ‘Walled Garden’) approach proposed by Google
  • An Internet Advertising Bureau (IAB) UK led proposal primarily involving improvements to and tightening-up of contractual terms and conditions

While these alternatives have merit, the founding participants in the 5th Cookie working group believe that a third alternative, supporting a democratized cooperative model, should also be evaluated. If a decision is made to go one of the other directions outlined above, members of the 5th Cookie working group believe it should be a conscious decision after evaluating the merits of all alternatives, including consideration and evaluation of a GDPR influenced model.

Gary LaFever, CEO and General Counsel at Anonos, said: “The GDPR highlights pseudonymisation as a recommended technical safeguard. Pseudonymisation – legally defined for the first time at the EU level in the GDPR, with a heightened standard relative to past practices – is a new state-of-the-art process that substantially improves privacy protections, that when coupled with proper legitimate interest assessments, could expand the potential uses of personal data beyond those relying on consent alone. In more than a dozen places, the GDPR links pseudonymisation to express statutory benefits. Under the GDPR, pseudonymisation is an established legal standard that allows all sides to ‘win’ by balancing data protection and innovation. The 5th Cookie model embraces GDPR compliant pseudonymisation and data protection by design and by default to support GDPR compliant Legitimate Interest processing as a complement to consent.”

Dr. Sachiko Scheuing, European Privacy Officer for Acxiom, said: “Augmenting the options of so-called walled gardens and contract-focused solutions with GDPR pseudonymisation-enabled micro segmentation techniques is consistent with the principles embodied in Acxiom’s Data Ethics by Design framework. The 5th Cookie model could provide consumers with enhanced privacy while allowing effective marketing for brands.  Acxiom is committed to helping ensure data flows around the AdTech space in a way that complies with legislation and achieves ethical use, enabling data to be used to provide both maximum value for brands and privacy for consumers.”

Martin Abrams, Chief Strategist at the Information Accountability Foundation (IAF), said: “There is a growing sense that observation, while necessary for many applications to work, is out of control, creating new dangers for individuals and society. The 5th Cookie model provides a metaphor for policymakers to differentiate between the underpinnings required for lawful targeted marketing of products and services and improper persuasive communications that can become potentially toxic. In today’s data-driven world, new technical measures are necessary, working hand-in-glove with clear policies, to balance data innovation and the assurance of the full range of individual rights. Consent by itself is no longer enough. This can be achieved by delivering ‘demonstrable accountability’ leveraging auditable and documented technical safeguards that regulators can use to verify compliance.”

The 5th Cookie model provides strong support that Legitimate Interest based AdTech processing is possible. As a result, everyone committed to ethical data stewardship, from the smallest players to the largest brands, can participate in digital marketing. Data subjects could be reached by advertisers as members of small, dynamically changing groups called micro-segments. Each micro-segment would represent the individuals included within the group, and based on individual characteristics, data subjects could be included in multiple micro-segments. The composition of micro-segments would change dynamically to reflect the individuals, corresponding to the specified characteristics associated with the micro-segment.

Advertisers could reach groups of people representing the segments in which they are interested. However, data subjects would be approached as members of groups and not as individuals. It would be up to each data subject to ‘raise their hand’ and identify themselves if they want to respond to an advertisement. Crucially, at any time, they could opt out of being included in further micro-segments-based marketing and outreach.

Three Steps or Stages:

  • The first step is consent to Data Collection. There are three different categories of data that a data subject can consent to the processing of:
    • Provided data
    • Inferred data
    • Observed data
  • The second step involves the processing of data using legitimate interest-based processing leveraging GDPR pseudonymisation and data protection by design and by default to create dynamically allocated micro segments
  • The third step involves reaching out to consumers as members of micro segments

This article originally appeared in MARTECHSERIES.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.


Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.