The EU standard for consumer data may shield users from tracking and privacy violations, but it could also become a usability nightmare.
About a year from now, we could be watching the Ad Tech Apocalypse.
That’s when the European Union’s GDPR (General Data Protection Regulation) goes into effect.
It requires that consumers provide explicit consent for the use of their personal data, which includes their online behavior. It applies to marketing directed at EU citizens, wherever they may be, and it provides for significant penalties.
If it’s enforced, brands and consumers in Europe are likely to be profoundly affected. But, since GDPR applies to EU citizens wherever they are, it could also seriously impact brands and consumers in the US and elsewhere.
“GDPR will blow things up,” marketing researcher and writer Doc Searls told me.
“I’m scratching my head [as to] why people aren’t more panicked,” Gigya SVP Jason Rose said.
GDPR could “kill some parts of marketing” such as retargeting, IDC analyst Gerald Murray predicted.
And it’s not just that GDPR could change the key foundations of modern digital marketing. In a post-GDPR landscape, the user experience could be a nightmare.
Take at look at a new offering from Gigya competitor Janrain. It is one of the first GDPR-specific informational products, and is designed for the immediate needs of that social login provider’s clients.
A portable identity wallet
Janrain Director of Product Marketing Sven Dummer told me that, at the moment, the clients’ key need is for some centralized GDPR-compliant way to handle user permissioning of data on their sites or apps. But it might not be a one-time consent. GDPR indicates that specific user consent is needed for different uses of personal data.
Now, imagine the experience from the user’s point of view. It could involve endless checking of boxes on endless forms, for each time an advertiser, data management platform, website, mobile app or other entity wants to use your personal or behavioral data. Although Janrain is pioneering an initial solution, the actual use cases could complicate a user’s life immensely.
And that doesn’t include interaction with, say, voice-based agents like Amazon’s Alexa or a text-based chatbot.
Which is why Janrain is also one of a growing number of identity providers who are beginning to think of an automated alternative, such as a portable identity wallet of permissions. Dummer told me that such a product is on Janrain’s 2019 roadmap.
“The only way we solve [the problem posed by GDPR, ad blocking and related issues],” Searls said, “is not by better behavior by adtech operators, but by equipping individuals. A wallet is a nice simple thing.”
In Europe, a secure cloud identity wallet called the Credential project has arisen in direct response to GDPR. It was started in 2015 as a three-year research project.
He envisions, for instance, that the heading could stipulate that there be no stalking of this user, and that only non-targeted ads be shown, such as brand awareness ads. Such a header, of course, could also include many other terms.
One problem: Only some user interaction these days is through a browser, so a “permissions header” would need to be abstracted for use with, say, mobile apps or voice agents like Alexa. In other words, portability of your data permissions across platforms would be required, including the ability to attach your data permissions to the intelligent agent you’re using.
Searls points to such emerging possible solutions as a communication and transaction blockchain-based platform called Pikcio from MatchUpBox.
And he notes that JLincLabs is offering a non-blockchain, open-standards platform for data rights management — or “data contracts” — that utilize public-private key cryptography.
In fact, Searls sees GDPR as a key driver of a new relationship between consumers and advertisers that more closely resembles a contractual relationship. Consumers have data that brands want, so brands have to enter into an agreement to use it. Essentially, it’s extending intellectual property coverage to the data your actions and life generate.
Gigya’s Rose points out that the user’s identity will have to be worked out in this new relationship, since GDPR requires that you assert your identity in order to grant permission, as any contract would.
But Rose suggests that digital fingerprints — such as your IP address and other unique aspects of your online self, not including your actual name – could constitute a unique enough identity, as they often do now for many data aggregators. This could provide an alternative to your having to share your real identity throughout the online world.
The major benefit of this new kind of contractual relationship, Searls says, would be what he calls “intent-casting.”
Your data permissions could include, for instance, your purchasing interests at the moment. For example, Searls said, his identity wraparound could broadcast to marketers that he’s currently interested “in the best deal on renting a car for a week.”
That prequalifies him as a car renter without a marketer having to do anything but pick up his signal. Or, he pointed out, you could automatically tell zillions of marketers that you’ve just moved — which means you’re interested in buying lots of things and local services.
Consumers “want the same privileges that B2B has always had,” Searls told me. Businesses don’t expect to be continuously spammed, he said, but they do expect to get offers when they’re genuinely in the market for something.
IDC’s Murray told me that brands will miss an opportunity if they just look at GDPR as a compliance requirement.
“What is GDPR,” he said, but “a defense mechanism against bad practice, [so best to] turn it into a filter?”
In other words, GDPR is an incentive for online users to have their own personal interface. And, like so many other user-friendly interfaces that hide complicated interactions underneath, it could become the front door for a new way to operate.