Why Bombora customers shouldn’t fear GDPR, ITP, and the impending cookieless future
- 1 A (very) brief summary of data privacy laws and restrictions
- 2 What is third-party data, and why does its source matter?
- 3 What happens if you violate a user privacy law?
- 4 How can you be sure the third-party data you use is compliant?
- 5 How can marketers be sure Bombora’s Intent data will continue to be available, effective, and compliant despite these regulations and the cookieless future?
Since the General Data Protection Regulation (GDPR) went live in 2018, there has been a flurry of legislation aimed at protecting internet users by regulating the collection, use, and processing of personal data on the internet.
While these laws, regulations, and restrictions were created with good intentions, the lack of consistency and seemingly continuous changes, as well as the potential ramifications that could result from breaking these laws, have made marketing very difficult over the past several years and will undoubtedly mean challenges in the months and years to come.
How can Bombora users be confident they will get safe, relevant, and useful data despite this rapidly changing landscape?
A (very) brief summary of data privacy laws and restrictions
As mentioned, aside from smaller and more localized predecessors, GDPR was the first major broadly sweeping law around internet user data privacy that applied to a much larger population (individuals in the European Union and European Economic Area).
Closely following GDPR, Apple introduced Intelligent Tracking Protection 2.1 (ITP 2.1) in 2019, in which Safari (the second largest browser at 19.16% of the global internet traffic with more than 1 billion users worldwide) would purge most first-party cookies after seven days and block all third-party cookies by default.
(Apple announced the first version of ITP in 2017, but this version was much less strict about cookie handling.)
Sprinkled in between and around these laws are several other, more location-specific regulations, such as the California Consumer Privacy Act (CCPA) in 2020. There are additional, more specific requirements in Canada, Australia, and several other countries.
Seeing as how users from anywhere can access your site, this puts marketers in a very tricky situation when it comes to handling user information, even when it comes to first-party data, where you typically have more control.
(For context, ITP was revised an additional two times in the first 15 months since version 2.1 was introduced, and the subsequent versions featured stricter measures on how first-party data was to be handled and stored.)
In addition to the rapidly changing laws over how user data can be handled, marketers are dealing with rapidly changing announcements from companies like Google, which says they’ll be phasing out third-party cookies in their Chrome browser (which handles 65% of the web traffic in the US).
Google has delayed the scrapping of third-party cookies a few times, but is currently set for 2024.
…or possibly later.
Well, whenever the decision is made, third-party tracking may require an architecture change on the side of the publisher and advertiser. It could greatly impact your ability to reach your target prospects.
Not surprisingly, with so much concern, uncertainty, and confusion over the regulations for first-party data, third-party data (which businesses typically have even less control over) has faced even higher scrutiny.
What is third-party data, and why does its source matter?
Aside from the uncertainty around browser support, third-party data comes with its own unique challenges.
As we lightly covered above, first-party data — such as an individual’s name, email address, and phone number (as well as automatically collected data like IP addresses and browsing history) — is collected directly from an individual by a business they interact with, for that business’s own use.
When that business then sells or passes the individual’s data on to another party, it becomes classified as third-party data.
Third-party data is inherently less ‘safe’ than first-party data because the recipient of the data cannot be completely certain of how the data is collected (without substantial effort).
Bidstream data: Welcome to the jungle
The bidstream is a very common source of third-party data. Its information generated by an advertising network when someone visits a page containing ads, and it includes information about the website visited, the ad displayed, and individually identifiable information collected from the user.
Similarly, bidstream vendors can often share user data with businesses that didn’t even win the bid for an ad — a clear violation of the terms of the Interactive Advertising Bureau (IAB).
In fact, the UK ICO and Belgian APD have issued guidance that the collection and use of bidstream data is not compliant with GDPR. Congress has asked the FTC to investigate privacy violations in the bidstream.
To be clear, using third-party data sourced from the bidstream puts your business at risk for violating user privacy laws.
What happens if you violate a user privacy law?
The risks of violating user privacy laws vary depending on the severity of the violation and the specific law or regulation broken.
Using GDPR as an example, a more minor violation (such as failing to properly obtain consent before collecting an individual’s data) can result in fines up to €10 million or 2% of your global annual revenue, whichever is higher.
More severe violations can cost you upwards of €20 million or 4% of your global annual revenue, in addition to further regulations and penalties.
How can you be sure the third-party data you use is compliant?
Answer: It’s really hard.
Basically, to make sure your data is compliant, you need to ensure it was collected properly and with proper user consent.
This means asking your third-party data provider questions like:
- Where was the data sourced?
- Do you collect this data as a first party?
- How do you manage consent?
- If you don’t directly collect this data yourself, how do you make sure it’s collected appropriately?
- Is this data collected from ad targeting or the bidstream?
And the answer to each of these questions needs to be appropriately scrutinized, evaluated, and possibly investigated.
The easiest way to ensure the data you’re using is compliant is to partner with a data provider that can answer these questions logically, confidently, and proactively.
A couple of reasons:
Bombora’s Data Co-op uses compliant data-collection methods
When it comes to data collection, all our data comes from our unique privacy-compliant Data Co-op of 5,000+ of the most highly trafficked the top publishers and websites in the B2B space.
Co-op members are responsible for collecting data and passing along the applicable content.
In this way, Bombora has formal agreements with the brands and publishers, and we are transparent with our data collection policies with the entities.
Bombora removes user-identifiable information from the data we collect
After we obtain the data, it is aggregated and anonymized then associated with a domain.
The value of Bombora has always been understanding where a business is in the purchase cycle, and that insight comes from how a business interacts with a topic over time. As buying committees continue to grow, we see regular and predictable consumption patterns from businesses that reliably indicate the business’s position in the purchase consideration process.
While the number of individuals from a business consuming content on a particular topic contributes to that insight, we don’t need to maintain information that specifically identifies each user.
By aggregating and anonymizing the data collected from the Bombora Tag to a company, we can share and maintain this data to provide the same level of results and insights our customers expect.
…if you’re not using Bombora data.
But Bombora customers know their data is not scraped from ads but sourced compliantly from a close-knit network of the best, most trusted B2B publishers and websites on the internet.
And they can also be confident that the efficacy of Bombora’s Company Surge® will continue to produce the superior results our customers expect.
We aren’t about finding loopholes and workarounds.
We’re about treating users with respect and delivering results for our customers.
That’s what sustainable marketing is all about.
Read more data privacy resources
Why does it matter: Intent data vs. the BidstreamWhat's the difference
10 questions to ask when evaluating B2B Intent data providersSee the questions
What privacy rights do you have?What are your rights