When it comes to the General Data Protection Regulation, it's a dog-eat-dog world.
For many in digital media, that will mean a giant game of hot potato, as clients want agencies to assume risks, while agencies insist publishers assume them, and publishers then do the same to tech vendors. It's hard to blame everyone from running away from responsibility: Maximum fines of €20 million ($24 million) are at stake.
In an effort to dodge the GDPR-fine hot potato, agency groups are tweaking contracts to ensure any risk gets passed back down the supply chain to the data source, putting ad tech vendors and publishers closer to the line of fire. Publishers themselves aren't standing still either, calling their biggest ad tech suppliers and demanding they agree to compensate them if the publisher is fined for something that happens on the ad tech vendor's watch.
Under the GDPR, businesses that are defined as "data controllers" are most liable for fines, as they are the source of the consumer data. That means publishers in particular are in the line of fire, as are advertisers that operate websites with first-party customer data.
Ad tech vendors can be a mix of data controllers and data processors, but either way, they'll also be expected to gain consumer consent for using both publishers' and advertisers' data. Publishers on either side of the Atlantic are renegotiating contracts with ad tech vendors that guarantee the publisher will get compensation should it be fined for something the vendor has caused, while also demanding the vendor prove they're GDPR-ready. They'd be crazy not to.
"Ad tech vendors can't hide in the herd anymore but must get their houses in GDPR order fast," said Todd Ruback, chief privacy officer and vp of legal affairs at marketing analytics company Evidon.