GroupM’s Statement: GDPR Readiness and our Data Addendum

On Monday, Digiday published a story about GroupM’s preparation for the European Union’s General Data Protection Regulation which may contribute to confusion about our position and goals. We would like to clarify.

The first line of the story reads, “GroupM wants publishers to sign a new data protection contract that could force them to share control of their audience data with the agency group, letting the agency continue targeting ads after the General Data Protection Regulation kicks in on May 25.”

This is not what our Data Addendum seeks to do, and GroupM is not the only party with an interest in delivering targeted consumer advertising after the law takes effect. Clearly, publishers share this interest, as do our shared clients. We all have a common goal and it is simply a fact that the future success of publishers is inextricably tied to their ability to offer access to audience data — properly collected.

The GDPR spreads the responsibility for protecting consumer privacy across all industry players — including publishers, exchanges, agencies and clients – and anyone in the value chain who handles “personal data,” as defined by the GDPR. Naturally, on behalf of our clients, GroupM has connected to all media partners, as well as data and technology vendors to ensure their compliance with the requirements of the GDPR.

GroupM’s goal in contracting with vendors under the terms of our Data Addendum is simply to help our clients achieve their marketing objectives in a way that is privacy-compliant per the terms of the GDPR. Where publishers have already agreed to let us collect data or are providing us with their own audience data, we want to be sure that all the right disclosures and mechanisms for compliance with the GDPR are in place.

Digiday’s story also states, “Some publishers fear GroupM is pushing them to cover its own GDPR compliance needs, while leaving liability for fines firmly with the publisher.” While some publishers may think this, it is simply not true. GroupM can neither assign to nor absolve publishers from the responsibility they have for the proper handling of the data they collect from consumers.

With the Data Addendum, GroupM is simply asking publishers to commit, by contract, to practices compliant with the GDPR on their own platform, as GroupM will likewise do for our own network which connects to thousands of publishers and other vendors worldwide. The Data Addendum holds GroupM’s own statement of commitment (required by law) to practices compliant with the GDPR by our parent company, affiliates, clients and through our supply chain.

We’ve taken the view that regardless of whether we are a processor or a controller, we will invest to perform the same due diligence on compliance with privacy regulations as we do with other critical quality factors such as anti-fraud, brand safety and viewability. This includes asking for our suppliers’ commitments to the GDPR privacy principles by means of our Data Addendum.

The story also references a long list of terms and conditions concerning the placement of tags and data collection which are necessary for third party verification of viewability through to other important campaign metrics. Yes, the list is long, but digital advertising is nothing if not complicated. And in fact, the list is not taken from the Data Protection Addendum itself, but rather from the GroupM Publisher Terms which have been in place since 2016. These are simply the requirements that our mutual advertising clients expect.

What the story does get right is that this boils down to a very important question: who is best placed to communicate with consumers (with whom they have a direct relationship) about the collection and use of their personal data – and to get consent when required?

We don’t underestimate the challenge.

This is why we’ve endorsed the IAB Europe’s plan to build an industry framework for securing consumer transparency and consent. It will attempt to address the difficult issue of communicating in a lawful basis through the supply chain. We believe the best path forward is collaboration in the development of standard approaches, and we are fully leaning into these efforts to build an industry-wide solution that may work best for all.

It is reported that five publishers expressed concerns to Digiday, but in fact over twelve hundred suppliers (including publishers and other ad tech vendors) have already signed our Data Addendum. We understand why the five publishers that Digiday spoke with may feel “rattled.” The whole industry is grappling with a significant challenge to ready for the May 25th deadline for the GDPR going into effect.

We remain ready to collaborate with all of our partners to ensure that we can continue to work together in support of advertisers. It is essential that there be a rich, accountable ecosystem of digital media publishers (with successful businesses). We need them delivering engaging content to consumers so that our advertisers can reach those same consumers with their commercial messages.

Clearly it would be short-sighted of us to develop a GDPR compliance program that is untenable for our partners. This is not our goal, regardless of what Digiday’s story might suggest, which is why we felt compelled to respond.