Gary LaFever | April 9, 2020

Ensuring a Privacy-Respectful Future for Direct Marketing and AdTech

As many countries around the world enforce “stay at home” orders and lockdown decrees due to the coronavirus (COVID-19) pandemic, our attention is rightly focused on the health and safety of citizens, medical care providers and other essential personnel. However, in addition to healthcare, concerns are also understandably being raised around how the global economy will recover from the impact of COVID-19.

In response to social distancing rules, large numbers of people are buying groceries and other essential items online. At the same time, the ongoing availability of electronic direct marketing (and accompanying AdTech) required to satisfy customer demand is at risk.

Regulators are naturally concerned with privacy issues, but when consumers are already overwhelmed with other priorities, quickly finding relevant deals and core products is perhaps more important than one might think. Those in the direct marketing and AdTech industry are seeing a regulatory challenge coming at exactly the wrong time.

The fear of this regulatory threat is real, and it will have far-reaching repercussions. Many in the industry fear that overzealous regulatory initiatives will have broader negative impacts, including dampening industry innovation and ultimately affecting consumers. A recent webinar involving over 700 senior privacy and data innovation professionals from around the globe brought up several key takeaways that illustrate these industry concerns:

  • SOS Alert: Direct marketing to customers is being challenged, and innovative data uses are at risk
  • Consent, contract and anonymisation are no longer reliable for legally processing personal data under the GDPR. This makes it hard for personal data to be processed with complex algorithms, such as those in the AdTech space used to present relevant products to particular consumer groups
  • Instead of consent, contract and anonymisation, companies must consider Legitimate Interests as a lawful basis for processing. This requires new technical controls that protect data when in use
  • No one wants to be left behind: immediate action is required

The challenge for regulators is that advancements in tracking and profiling individuals for direct marketing purposes have outpaced the establishment of measures enabling electronic commerce to be conducted in a privacy-respectful and lawful manner.

Many companies do not yet have these appropriate technical controls implemented – and regulators are often skeptical as to whether these controls currently exist. Meanwhile, in the UK, the direct marketing and AdTech industries are particularly concerned that the Information Commissioner’s Office (ICO) is trying to do away with Legitimate Interests as a lawful basis for direct marketing in its Draft Code for Direct Marketing.

However, there is a solution that can help the industry achieve compliance, supporting wider economic growth, while also protecting consumers’ privacy: Pseudonymisation. GDPR-compliant Pseudonymisation embeds privacy policies in use-case-specific, privacy-enhanced versions of data to satisfy statutory and contractual requirements necessary for lawful commerce to continue.

The GDPR itself sets out that “[the] right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

This means that the balance can constantly shift. While regulators may have been skeptical in the past about the AdTech industry’s ability to protect privacy, with new technologies come new considerations. The reality is that new Pseudonymisation technology can now support privacy-respectful and lawful direct marketing, allowing the protection of individual privacy rights to co-exist alongside business and industry interests.

Now is the time for organisations to implement technical and organisational safeguards such as GDPR-compliant Pseudonymisation to ensure demonstrable, technically enforced accountability, so that lawful commerce through direct marketing and AdTech remains possible.

By Gary LaFever, CEO & General Counsel, Anonos

This article originally appeared in Data Protection Magazine. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
