Smartpipe looks to solve GDPR-compliant ad targeting by treating identifiers as ‘snowflakes’
Within mobile networks, Smartpipe finds targeted users and then swaps out their identifying phone number for a single-use token.
A London-based company has come up with a way to target ads that can satisfy both marketers and GDPR.
The central problem is that marketers target ads at specific individuals or groups of individuals, as consistently identified by cookies, mobile device IDs, digital fingerprinting or other techniques.
But the upcoming General Data Protection Regulation (GDPR) prohibits marketers from employing unique persistent identifiers for any citizen in the European Union (EU), unless explicit user consent is granted for each use. And that’s impractical for current ad targeting and retargeting, since it would involve the user giving permission every time an advertiser wanted to show them a specific ad.
Smartpipe attempts to solve that problem for users inside a mobile network by creating a temporary identifying token that is tied to the event — such as the targeting of a single ad — and not to the individual.
Here’s how it works:
The mobile subscriber profile is stored in the mobile network’s customer relationship management (CRM) database, and the user’s phone number acts as the network’s persistent identifier.
When a user in that mobile network comes to a mobile web page or app screen that accepts an ad bid, the Smartpipe system reaches out the mobile network CRM and asks: Is this the kind of user this advertiser is looking for?
If the CRM determines it is the kind of user sought, Smartpipe generates a single-use token and substitutes it for the phone number ID. It then returns the temporary token to the advertiser’s demand side platform (DSP) as a user with the desired attributes, and the ad is served to that user.
The evaporating token
After the ad is served, the single-use token evaporates and the user is again ID’d internally as a phone number. All of this, of course, happens in milliseconds.
In other words, let’s say the advertiser wants to show an ad to users aged 18 to 34 on the West Coast who are sports fans. The mobile network’s CRM has that info in its profiles, and it selects 10,000 subscribers that meet the criteria.
Suppose 755 of those 10,000 users show up at the mobile web page. Smartpipe swaps out their phone number IDs for temporary identifying tokens, and sends those tokens to the DSP. The ad server sends the ad — about a sports event on the West Coast — to those users.
And then the token vanishes because the event is over, and the persistent phone number once again identifies that user. The token isn’t linked to the profile, but is used only to designate that this user belongs in the targeted segment. DSPs can’t connect the temporary token to a profile or a phone number.
Because the mobile network’s CRM stores all ad activity for its users, advertisers can frequency-cap their ads or even retarget. The CRM knows if this phone number has been shown that ad in the last 24 hours, and it can retarget that user with a new, temporary token.
This arrangement means that a user’s private data cannot be employed outside the walled garden of the mobile network, which has already received consent from the user during signup.
CEO and co-founder Tobin Ireland, a former executive at Vodafone, noted that mobile networks can have special periods to acquire user consent for ad targeting within their networks, perhaps offering discounts or rewards as incentives. He added that targeting of ads within the network is one use case, requiring one consent per user.
About 80 percent of subscribers typically give their consent, he said. Of course, this approach means that the mobile network’s CRM data is all the more valuable, because it offers the only way to target those subscribers.
Smartpipe’s approach can also work with cooperating WiFi networks, but only if it is similarly installed within that network. Of course, a mobile user might employ a variety of WiFi networks, not all of which are Smartpipe-enabled. And the system isn’t designed for desktop use. The technology is based on Smartpipe’s acquisition of a company called 5th Tier in January of 2014, the year Smartpipe was founded.
One of GDPR’s key goals is to end the distribution of private consumer data among third parties, but the use within the mobile network is first-party. Any secondary use requires another consent.
The whole idea of this walled garden approach, Ireland said, is that the identifier and the user data stays within the mobile network and is never made available to outside parties.
Smartpipe is cautious about whether this approach actually satisfies GDPR compliance. In an email, it said:
Smartpipe believes that the token — which is not personal data — does conform to a very strict definition of anonymity, but while the GDPR defines anonymity in terms of an inability to “singling out” Smartpipe does not feel able to make that claim.
The company noted that it is “engaging with the necessary authorities” to see if this approach satisfies GDPR requirements.
Ireland said that the Smartpipe system is currently live in one mobile carrier in each of five countries — Egypt, Indonesia, the Czech Republic, Russia and India — and it is being deployed in the UK, Turkey and Hong Kong. As for competitors, he said a few companies have tried a similar approach, but outside of a closed network.
“GDPR is requiring the ecosystem to change its behavior,” he told me, adding that his company’s concept “is so transformative” because users can be personally targeted for ads even though their personal data is not made available to the advertiser.
“No one thought that an identifier could be like a snowflake,” he said.