As things stand, we are in a situation where the immensely valuable commodity of personal data is being collected by businesses either for free, or for a fraction of its true worth.

What’s more, data is being acquired via non-transparent means, used for undisclosed purposes, and sold without legal obligation to reveal its provenance.

Why anyone whose business relies on personal data would be ungrateful for the GDPR (General Data Protection Regulation) is a mystery to me: it is a huge step in the right direction, designed to benefit data holders and consumers alike. There are costs to becoming ready, and the potential risk of being fined for non-compliance – but these are short-term problems, which will soon be forgotten in the wake of a more transparent, efficient data economy.

gdpr report banner

In relation to digital advertising, the new regulation will have a positive impact on the quality of the data used for targeting, the relevance of ads, and the attitude towards those ads on behalf of the consumer. Ultimately, GDPR will greatly enhance the performance of any digital marketing campaign.

Creepy vs. Relevant

Online advertising treads a fine line between being creepy and relevant. An oft-cited example comes from the US clothing store, Target, which epitomises the current issue with targeted advertising. Using an algorithm to analyse the purchasing habits of its customers (based on data obtained from loyalty cards), Target was able to predict, amongst other things, when one of its shoppers became pregnant and adapt its marketing accordingly.

On one occasion, Target sent a bundle of soon-to-be-a-mom-related coupons to a 16-year-old customer; her father sent an irate complaint, only to discover that Target, before even the daughter had realised it, was right.

This is an extreme case of creepiness, yet this feeling and a number of other synonymous attitudes, are prevalent amongst recipients of targeted advertising. And underlying this sense of creepiness, is ultimately a lack of trust. According to the largest European consumer survey to date, the Special Eurobarometer 359 report (2010), ‘70% of Europeans are concerned that their personal data held by companies may be used for a purpose other than that for which it was collected.’

Furthermore, ‘Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control.’ The Symantec State of Privacy Report (2015) reports similar findings: ‘only 22% trusted "tech companies" to keep data completely secure and only 10% trusted social media organisations’. And, considering current practices, it’s not really that surprising that this is the case.

As a result of this lack of trust, many consumers are resorting to either not sharing their data, or falsifying it. A report by the Pew Research Center (2013), found that ‘an estimated 86% of consumers in the US had falsified or misrepresented their personal information online’.

Further stats from Pew Research

In a report published earlier this month in the Journal of Marketing Management, Girish Punj warns that ‘the trend towards the falsification of online information could be particularly detrimental for mobile commerce firms because they require accurate location-aware, real-time information on consumers for personalising communications and customising product offers’.

In simple terms, the current relationship between advertisers and consumers is damaging to both parties. GDPR presents a massive step forward to repairing this relationship, and improving personal data quality.

Data transparency

Greater media transparency has become the number one priority of advertisers over the last couple of years, especially since the publication of the ANA K2 report in 2016. What about transparency between advertiser and consumer?

At the moment, internet users are heavily deterred from making an informed decision about whether to share their data, the potential consequences of such sharing, and what exactly is happening to their data once it has been submitted.  

In the previously mentioned research by Symantec, ‘59% of respondents said that they only skim read the terms and conditions when buying products or services online’ and ‘14% said they never read the terms and conditions’.

The Eurobarometer research found that ‘58% of respondents who use the internet usually read privacy statements’, but ‘24% of those who read them said that they did not fully understand what they are reading.’

A study by the ICO (2015) found that a focus group’s ‘awareness of privacy notices was extremely limited’, and number of studies have criticised the lack of granularity in options, leading to consumers needing to make compromises, e.g. opting to share data in exchange for valuable information.

The positive impact of GDPR

If GDPR is able to achieve what it sets out to – ensuring data transparency, increasing individual control – then advertisers can expect a much improved relationship with their audience. A study by the Thurgau Institute of Economics (2015) concludes that ‘transparency leads to an increase in the individual’s willingness to share personal information as the individual is able to see and assess the collected information and the possible use of it’.

Part of transparency is understanding the benefits of data sharing. A study by Sciencewise, a UK government-funded programme, found ‘personal benefit to be the strongest incentive’ for those in favour of sharing personal information, yet, according to a study by Deloitte (2012), ‘62% of consumers are not confident that sharing their data with companies or public sector bodies will result in better services or more relevant products’.

The majority of internet users don’t believe in the benefits of an open data economy, but GDPR will help to make these benefits clearer. In terms of advertising, the main advantage will always be greater personalisation, along with the more indirect, general reward of a more efficient ad industry driving economic growth. Beyond this, there is the potential of data to be used for improving services, and generating a global network of information with incalculable social benefits.

We need to make GDPR work

GDPR, for all of the praise within this article, is imperfect. There are a number of foreseeable loopholes that may be exploited by data holders, potential limitations to the efficacy of the regulations in terms of empowering individuals to exercise their new rights, and a number of ambiguities that may lead to confusion when the law becomes implemented next year.

A number of commentators are also questioning to what extent data holders/processors will fulfil the ‘privacy by design’ principle that is so important to the success of the EU’s ambition. And, so long as businesses are convinced that non-transparent data practices are to their advantage, there is plenty of reason to be pessimistic about GDPR: perhaps, despite all this anticipation, it will actually have very little impact?

The answer depends on all of us. Not since AdWords has there been a better opportunity for improving the transparency of advertising, and for aligning the interests of consumers with the objectives of businesses. It is up to all of us on the other side of the screen to use GDPR to make advertising better, and rejuvenate the digital world.

For more resources on this topic, check out Econsultancy's GDPR hub page or sign up to our GDPR & Data-Driven Marketing Training.

gdpr course

Daniel Gilbert

Published 13 September, 2017 by Daniel Gilbert

Daniel Gilbert is CEO at Brainlabs Digital and a contributor to Econsultancy. You can connect with Daniel on LinkedIn

10 more posts from this author

You might be interested in

Comments (4)

Maurice BigMo Flynn

Maurice BigMo Flynn, GDPR &Digital Trainer Course Events at GDPR Training Course Events:

Good summary re GDPR prep - GDPR is a good thing and there are tools now to help with the prep process most cost effectively.

10 months ago

Pete Austin

Pete Austin, Founder and Author at Fresh Relevance

Here's a full version of that Target "mom to be" story.

This is a great story, but it's mostly about data mining, not data collection.

And I don't think the GDPR would have made any difference.

(1) Note that Target DID NOT determine that the woman was pregnant, they just sent her marketing about baby products.
(2) As a retailer, Target would have a Legitimate Interest in collecting purchase data.
(3) They did data mining on the totality of their customer data and discovered buying patterns that indicated when women were quite likely to be pregnant. This can still be done legally under the GDPR providing the data is first anonymised, because as the GDPR says, "The principles of data protection should therefore not apply to anonymous information ... This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes".
(4) This gave Target a "filter" for women likely to want to buy baby products and they sent out mass marketing to the selected group, including the "mom to be". There's no problem with sending out targeted marketing, which a Legitimate Interests Assessment (LIA) would show is allowed, because it's more efficient and therefore in the interest of individuals, retailers and society in general.

10 months ago

Martin Poole

Martin Poole, Head of Security Practice at InfoSaaS Limited

We need to remember that GDPR is an enhancement of what we should already have been doing under the existing UK Data Protection Act. It's interesting that many commentators are focusing on the significant fines, penalties and reputational damage that may arrive from non-compliance, but we should instead be focused on doing what's right by the data subject (which includes each of us, individually).

It's true that more robust technical controls and commercial frameworks are required, but these alone will not deliver. In our increasingly digital world, citizens will expect that their personal data will be properly processed and protected, and from properly designed and operated processing activities privacy will be demonstrated, which in turn will slowly lead to trust. Trust cannot be purchased .... it will need to be earned the hard way.

Article 35 of GDPR talks about "Privacy by Design" and the production of Data Protection Impact Assessments. These also form the material which data subjects may expect to see before deciding to use an organisation's services - they should provide the transparency needed before a customer makes an informed decision whether to use your services. As previous commentators have noted above, this will also help to identify the legal basis upon which data processing is carried out.

We've been helping customers to implement "UtopiaR" solutions for some time now, and from this we've concluded that companies who are attempting to implement GDPR requirements without having completed an impact assessment are generally doing more work than they need to.

Remember - you're a data subject too. Whatever you would reasonably expect from your bank, insurer, supermarket or gym is probably no different from what your customers will expect from your organisation.

10 months ago


Martyn Kember-smith,

It was the father who was unaware of his daughter's pregnancy - Target could tell by her purchasing habits that she was pregnant.

10 months ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.