Risk and compliance: GDPR and a cookie-less future

By Jason Pollock | 13 December 2022

This is the third article in a miniseries about risk and compliance. Read the first article here, along with perspectives from DoubleVerify, Scope3, Quantcast and The Australian Data and Insights Association about what risk and compliance means to them.

AdNews spoke with Richard Knott, GM for Australia and New Zealand at InfoSum, about the opportunities in the cookie-less future, the shifting public perception of privacy breaches and what GDPR means for the Australian regulatory landscape.

What are the risks to brands if they don’t prioritise data privacy and compliance?

"In Australia, the privacy landscape is set for significant regulatory changes. Whilst there are already a number of legislations to be mindful of, Attorney-General Mark Dreyfus recently stated that there will be sweeping reforms to data privacy laws in Australia in the life of this current parliament, and the recent Optus data breach will have surely only solidified that resolve.

"It is highly likely that previously compliant technologies that worked through current regulatory loopholes will not be able to operate in this new post-reform world, similarly to what happened with a number of technologies in Europe after GDPR. However, even without legislation, we have seen the effect of recent high-profile data breaches on customer trust.

"Brands should therefore review all of their current customer data usage processes and how they are protecting its privacy - even before the new legislation is implemented - in order to protect their own brand reputation and customer trust."

What challenges and opportunities does a cookie-less future present?

"There are many opportunities in the cookie-less future and one of the most exciting ones is the opportunity to make the entire digital audience addressable. Currently, the web is estimated to be already over 50% third-party cookie-less, and app environments have always been cookie-less. So if you are still using third-party cookies as your principal pseudo-identifier, then you are competing in an ever-decreasing subset of digital.

"Furthermore, there is a greater opportunity to unlock huge volumes of previously unutilised, addressable first-party identifiers if those IDs can be made entirely privacy-safe. This is the opportunity presented by the newest generation of data clean rooms powered by non-movement of data which will enable you to enrich your data and expand your audience insights at scale and safely, without the need of cookies and whilst maintaining complete ownership of the data."

How have you seen the attitudes change towards compliance and risk over your time in the industry?

"From the general public perspective, the attitude has significantly shifted. Ten years ago, it was common to be met with a careless attitude on how their data was stored or shared. But now, after a number of high-profile data breaches, and both dramatised and factual depictions of what nefarious actors can do with your personal data trails to understand behaviours, build profiles and even manipulate actions through curated narratives (echo-chambers), customers’ concern has certainly shifted.

"A recent survey found 84% of Australians now consider privacy extremely important when considering a digital service. This has driven an (understandably) significant response from many organisations to have a zero-tolerance policy towards customer data risk, which, working within traditional digital advertising workflows, has significantly reduced potential effectiveness.

"Fortunately, we now have a way of unlocking that latent effectiveness, whilst still operating within a zero-trust framework, with decentralised data clean rooms where customers’ data ‘remains’ within the brand’s own infrastructure without being exposed to risks."

What sort of compliance and risk issues should be front of mind now for organisations?

"Ultimately, it will be specific to your organisation and the role customer data plays within your company. However, outside of the obvious fundamental data security needs, you can start looking internationally to see the kind of compliance requirements needed overseas to give you an idea of where things may be going here. Whilst it is unlikely Australia will wholesale copy another legislation like GDPR or CCPA, there are some common themes that will potentially translate here.

"Questions like - “where is your customer's data?; which companies have access and how do they handle it?; which companies have copies (encrypted or otherwise)?; where are they geographically located?” - will need to be addressed and considered to allow for transparency and to meet compliance needs.

"Under GDPR, encrypted PII is still considered PII and if we adopt similar "controller" and "processor" data roles to GDPR, then you, as the data collector and controller, will be liable for any accidental loss or unauthorised processing, even if you had nothing to do with it.  

"You should also think about whether individuals can be exposed through accidental mishandling or deliberate data manipulation. Even if the exposure of an 'individual' is anonymous or pseudo-anonymous, this is typically of concern to these types of legislation. 

"Finally, consent is critical - “Has the customer 'reasonably consented' to their data being used in whatever fashion it is being used?”. "Reasonable use", whilst currently undefined, looks set to be a big piece of any future Australian privacy legislation."

What role can CMOs play in mitigating risk and ensuring compliance?

"The role of the CMO is changing so much that they now have to concern themselves with what has traditionally been non-core topics to their role like privacy, data compliance and data management.

"CMOs need to constantly strike a balance between the security requirements enforced by internal Infosec teams and still be able to use data to drive marketing performance in a meaningful way.

"It is therefore critical that this doesn't turn into a battle and instead, the CMO is seen as an extension of a company’s Infosec standards through their approach to market, the pro-active introduction of privacy-increasing vendors, and the ruthless understanding of the what, where, when and how of customer data usage as it relates to their customers."

What solutions can organisations roll out to ensure they’re compliant?

"Compliance today is very different to what compliance will probably look like in the future. The opportunity to use data in ways that would not be compliant in other geographies still exists, and goes on, in Australia. Therefore, a decent yardstick of what the future might reflect is whether your current solution providers operate under more advanced legislation, like those in Europe under GDPR.

"As mentioned, there will be no wholesale adoption of GDPR-type rules in Australia, but this can be a decent benchmark to base your strategy on. Data clean rooms, born out of Europe, were designed to solve many of these new operating requirements.

"If you leverage significant amounts of customer data for various use cases then investing in a CDP could make sense. Similarly, if you wish to collaborate on data and activate that data, data clean rooms are clearly the best way forward from a compliance perspective."
