For the GDPR curious: WTF is non-personal ad data?

This article originally appeared on digiday.com

The media and advertising industries are racing to get compliant in time for when the General Data Protection Regulation kicks in May 25 — and that means the emergence of a new set of vocabulary, from the unwieldy list of types of consent to the newfangled definitions “data controller” and “data processor.”

For the GDPR-curious, the term “nonpersonalized ads” will have cropped up a few times in the last week or so, since Google announced plans to introduce them as part of its ad service. It will offer these to publishers that wish to show only ads that are not personalized to consumers who opt out of data collection for targeting.

Some industry observers view this form of ad, which use non-personal data, as the start of a coming trend — a method of targeting for businesses to fall back on for users who haven’t consented to tracking. These ads can still be “personalized,” just without using personal data.


Why are ads which don’t use personal data being introduced?


Once the GDPR is enforced, companies like Google and Facebook as well as publishers must have what the law describes as “unambiguous” consent from users to use their data. If the information they’re using is particularly sensitive, such as ethnicity or sexual orientation, then “explicit” consent is needed. The likelihood of every single consumer giving this is slim, so most publishers and platforms expect the amount of data they have to shrink somewhat. That’s not necessarily a bad thing, as it means communicating with a highly engaged audience that has opted in to use your service. But Google wants to offer an alternative. Hence the proposed introduction of nonpersonalized ads.


For advertisers, are these better or worse than ads that use personal data for targeting?


It’s not that they’re better or worse — it’s more that they are a useful option for any business looking for risk-free options under GDPR law. They will minimize advertiser risk because the ads won’t be targeted using any personal user information.


You mean PII, aka personally identifiable information?


No, at least not under European law. In European law, personal data is much broader than the U.S. definition of PII. In the U.S., PII includes things like names, addresses and telephone numbers. In the European Union countries, personal data includes cookies and IP addresses.


Do nonpersonalized ads signal a return to the old spray-and-pray approach?


Not necessarily. Believe it or not, there are ways to target ads without using this kind of personal data, some of which are already being developed. There are ways that advertisers could target contextually using URL, page keywords or cohorts of users who share common interests, for example. That way, no one is liable, but ads are still being targeted at people they’d be relevant to — that’s the theory, at least.


Is this just a Google thing?


Probably not. Where Google leads, others follow. Some industry observers believe Facebook will also have to follow suit and introduce this kind of ad offering in the future. Google moving to implement nonpersonalized ads has signaled to advertisers that buying targeted advertising without personalization will be a feasible and risk-free way of running ads post-GDPR.