PrivacyGDPRSo far, many players in online marketing have benefited in Wild West style from the lack of a clear regulation for the setting of cookies or the collection of personal data. To get to know the website visitor better, incredible amounts of data were collected, triggering a littering of the digital channels with ads, spam, bots, and cookies.

The European Union enacted for that reason in 2016 the General Data Protection Regulation (GDPR), as an attempt to limit this hustle and bustle, demanding from companies to list all files with personal data. But only scandals made the broader public aware of how carelessly or even criminally data is often handled.

To be on the safe side, every website operator should deal with this topic and, as a first step, acquire a suitable consent management platform (CMP) that prevents the setting of cookies without user consent and that clearly documents opt-ins. An active, explicit, and informed opt-in is required before cookies are set, making marketing with conventional, cookie-based methods very difficult.

According to the law, consent must be active, informed, explicit, concrete, voluntary and documented. Changing and deleting given consent must also be as easy for the user as giving consent. Anyway, the consequences of the European Court of Justice (ECJ) ruling are extremely diverse for online marketing managers:

Performance marketing managers are challenged in particular: they are the ones who must deal with personal data in real-time. They are sitting on a huge treasure trove of data that they can no longer use in the future if they do not take countermeasures now. In addition, there are the performance algorithms, for e.g. real-time bidding or AdWords, which are based on cookies. This means that if the user opts out, the data basis for many targeting strategies does not apply or is at least severely restricted. Enriching your own first-party data with third-party information (such as buying behavior on other sites or interactions with certain content) is made very difficult by the consent requirement in advance. In performance marketing however, most actions are based on precisely this data, which makes it difficult to link different data pools. All data subject rights have an impact on the IT architecture, whereby opt-outs (especially tracking opt-outs) and deletion requests are time-critical. The shorter the response time, the closer the data must be on the tool side available and changeable in real time.

There are systems that work with data over the long term, especially in the areas of business intelligence, data warehouse, and machine learning. In many cases, large periods of time allow for better comparisons, scorings, and the like, since historical data is evaluated to be able to draw conclusions for the future. In marketing this is, for example, the interaction with campaigns and channels, purchase histories, user interests, customer status, or cross-device information. All of this requires the storage of personally identifiable data over a long period of time. Online retailers, insurance companies and banks in particular are heavily dependent on such data. Companies that do not properly record user consent today may have to delete all data records that are related to user data that have been stored without prior consent since the GDPR came into force on May 28, 2018. You might think you can obtain user consent for this data retrospectively, right? Well, if users refuse to give their consent, it can also have very negative consequences for the business. On the other hand, there is the (still manageable) increasing risk of a GDPR penalty.

The explicit consent requirement can tear big holes in the tracking, as only a small percentage of users are willing to give an active, explicit opt-in. In individual cases, it can even happen that more than 90% of users decide to opt out. Then perhaps only algorithms or projections can help to fill these holes in the data sets to some extent. For the marketing manager, this means additional work and very inaccurate data. The dream of a 360-degree view of the customer for the personalized, individual control of campaigns and content as well as AI-based campaign control is then quickly over.

No cross-channel personalization without consent: in most cases, personal data, such as cookies and email addresses, are essential for personalized user approach. Marketing uses different communication channels to get in touch with or stay in contact with a customer. This is exactly where another problem lies: it is not just about the collection of data, but also about their exchange between the various solutions and the corresponding interdependencies of the data and databases with one another. Often personal data is also stored on servers of third parties. For this too, the marketing employee must evidently obtain the consent of the user and introduce processes for the deletion.

DoNotTrack functions in the browser and ad blockers make life even more difficult for online advertisers. Google wants to equip the new version of its Chrome browser with special functions to protect against cookies and trackers. The browser already has an extension that allows users to set an expiration date for their personal data. With Intelligent Tracking Prevention (ITP) in the Safari browser, Apple has implemented an anti-cookie strategy that almost nipped targeted advertising in the bud and limited the duration of tracking cookies to 24 hours. Many CMP providers rely on local storage, i.e., on the possibility of storing data on the user's computer, but with ITP 2.4 this will also be prevented soon.

If all goes in like this, online marketing in its previous form will lose its importance. If performance marketers don't deal with consent management and collect user data properly, they lose digital access to their customers. Or they will have to rely more and more on data from large providers such as Google and Facebook. This will cause prices to rise, with more uncertain ROI and less target accuracy. Companies that do not position themselves correctly here in time will be catapulted back into the digital stone age by the GDPR.

By Daniela La Marca