Can blockchain satisfy GDPR’s user data protection requirements for targeted ads?
New York City-based blockchain ad tech firm MadHive thinks so.
Next spring, GDPR could upset everything in digital marketing.
That’s because, when the European Union’s General Data Protection Regulation (GDPR) goes into effect in May 2018, it will require a variety of new permissions and protections for consumer data. Companies doing business in the EU could face massive fines, but brands elsewhere might also be at risk, since the regulations apply to the use of EU citizens’ data in any country.
Some site- and app-based permission templates for GDPR have emerged, such as from Janrain and Evidon. But what is also needed is a reliable mechanism to manage permissions and privacy across targeted ad campaigns.
That’s where blockchain technology comes in, says Stacy Huggins, co-founder and CMO of the blockchain-based ad tech platform MadHive.
Huggins acknowledged that blockchain technology is not yet ready for prime time, since there are latency issues that MadHive and others are working on. She said her company is currently conducting proof-of-concept development and testing, with the expectation that speed issues will be resolved by the time GDPR’s Zero Day hits.
If latency is solved, blockchain could act as a kind of automatic governor on targeted ad campaigns. A specially-crafted blockchain layer could be called during the regular ad-buying and delivery process of, say, a supply-side platform (SSP), perhaps as a lookup before the ad is served.
For the near future, she said, blockchain can only handle programmatic direct ad sales, manual direct ad sales and private marketplaces, for all kinds of ads. In other words, controlled environments with a fixed number of participants. At present, it can’t handle open programmatic situations.
And that blockchain layer could address three key GDPR requirements affecting targeted ad campaigns: right of access, right to be forgotten and built-from-ground-up privacy.
Access means that users can see targeting data about them via an audit trail. Right to be forgotten — in this case, for ads targeted at a given user or segment — means that a user’s data can be removed for a given campaign. As for privacy, GDPR expects systems to be designed from the beginning with consumer privacy in mind, which again requires audit data.
Blockchains enable auditing of every instance of a consumer data event by recording it to the chain, which becomes available immediately and permanently throughout all nodes. Access to the data can be removed via a trigger in a smart contract. (More on smart contracts below.) And data privacy could be controlled via blockchain’s rigorous security features.
The cyber-currency of bitcoins offered the first wave of blockchain tech, which Huggins described as a kind of “distributed Google spreadsheet.”
A newer version is the open-source Ethereum, which offers “smart contracts.” Smart contracts are coded agreements between parties, with event- or time-based triggers that implement a contract’s terms.
For instance, a smart contract might govern an ad campaign as an agreement between the publishers and advertisers, delivering ads and then escrow-based payment when the contract has received notice that outside events have taken place.
Such a smart contract might prohibit the campaign from displaying ads to User 123 by flagging that user as a trigger, because such user has requested that his data “be forgotten.”
The third main kind of blockchain infrastructure is the open-source Hyperledger, a collection of blockchain technologies. The Fabric application sits on top, and Huggins said the platform is “more sophisticated” than Ethereum, with faster processing, more memory and a greater friendliness to developers’ needs.
‘Just one company’
MadHive is using a private instance of Hyperledger and has built a smart contract generator that automatically creates as many contracts as needed.
One question, of course, is what the User ID is. That’s another issue to work out, Huggins agreed. It might be a deterministic ID connected to a logon, but that would only work for users who have been tagged via logons.
It might be a probabilistic ID, which can be fairly accurate but might require using the very data that the user is nixing. A more universal ID might be needed if a user is to be disconnected from targeted ads across the entire web — such as, say, a blockchain-based identity.
The User ID issue illustrates that, whatever capabilities blockchain can bring to the party, there needs to be system-wide cooperation. Huggins said MadHive believes “GDPR will be the catalyst” for this kind of cooperation.
“When just one company is fined $20 million,” she said, “things will move pretty quickly.”