Why your Intent Data is Becoming Illegal and what to do about it
Please note that this blog was originally posted on LinkedIn.
The promise of Intent data is well known - identify your potential buyers before they enter the funnel by tracking their consumption of content, engagement with ads or specific web-sites. Since buyers are tracked without their consent, this conflicts with the general direction of new regulations (GDPR and CCPA) in both Europe and the US. For consumers of Intent data, it is important to understand the short and long-term implications of the choices they make, since the exposure to legal, compliance and financial risk can be substantial. To answer this question posed above, let's start with the basics of how Intent providers (e.g., Aberdeen, Bombora, 6Sense, TechTarget, Prelytix) source their data and gather consent.
There are four common sourcing strategies in use today:
- Add-This: Data exhaust from free tools for social-sharing. No consent is gathered from end-user.
- Bidstream: Bidstream data is collected from ad-exchanges which typically target secondary and tertiary pages of content web-sites. This is the source of the majority of Intent data available in the market today. No consent is gathered from end-user.
- Standalone Publisher : Several publishers of B2B content track visitors to their web properties. Standalone publishers have accurate data but lack broad coverage. Publishers can gather consent on sign-up.
- Co-operative of Publishers or other Web-sites : Co-ops are a collective of Publishers that pool data into a common repository. The pooling of data avoids the coverage problem of standalone publishers. Publishers can gather consent on sign-up.
Each of these has a very different profile with respect to GDPR compliance. For example a recent AdExchanger article announced Oracle's decision to kill off the AddThis business in Europe. As the article states - "Under the General Data Protection Regulation, unconsented third-party data – the lifeblood of the AddThis audience asset – is a form of kryptonite that Oracle Data Cloud (ODC) wants nothing to do with anymore". If you care about GDPR compliance, make sure your Intent provider is not using AddThis as their primary data-source.
What about bidstream data? In a recent review of bidstream data and its uses, James Hercher of AdExchanger points out that "companies that ... don’t own the data and risk crippling penalties from regulators and clients if they were to use bidstream data beyond setting a bid for an impression". Moreover, he points out that the standard way of deriving Intent data from bidstream is problematic - "The way to get the most value out of bidstream data is, unfortunately, to misuse it. An unscrupulous DSP could monitor the bidstream for sites with valuable audiences, pull cookies or IP addresses, which can be retargeted, and then find the same users on cheaper sites."
Bidstream has also come into recent focus for its potential non-compliance with GDPR. Johnny Ryan of Brave Insights has pointed out that real-time bidding would be incompatible with consent under GDPR. From a compliance perspective, Intent providers relying on bidstream stand on very weak ground. Some of them have tried to get around this limitation by relying on IP addresses as an identifier of Account level activity, however, this kind of Intent tends to be noisy and less accurate.
That leaves Standalone Publishers (e.g., TechTarget) and the Co-operatives (e.g., Bombora). Standalone Publishers tend to ask for consent from their visitors on first contact. Co-operatives are using the same approach to gain consent across the entire network. Both of these categories have an easier time with GDPR and CCPA compliance, and should be the favored approach for organizations that want to follow the rules.
To summarize, the best way to ensure that your Intent data is legal is to ask your vendor about how they source their data. Here are a five questions to ask:
- Do you use AddThis data to derive Intent signals?
- Do you use bidstream data (data from real-time-bidding systems) to derive Intent signals?
- If the answer to 2 is yes, do you have the explicit permission to use aggregated data for deriving Intent signals?
- Do you run a Co-op or a Publication to derive Intent data? Can you name every publication that you have partnered with to create your Co-op?
- How do you gather consent for Intent purposes across different sources of data?
In conclusion, the compliance and legality of most Intent data will be of serious concern going forward. Even companies not operating in Europe are exposed to GDPR regulations, e.g., lack of compliance can stop an M&A transaction with a larger company that has global presence. If you want to play it safe, you should work directly with Publishers and Co-ops, and ensure that they gather consent correctly. While providers based on bidstream and AddThis can promise higher volume of Intent data, they can't deliver on compliance with consent requirements.