The hottest trend in German media: cross-industry alliances that prioritize consumer data privacy and aim to compete with the Facebook-Google duopoly.
Axel Springer, owner of titles like national newspapers Bild and Die Welt, is part of one of Germany’s two high-profile alliances, which also includes auto manufacturer Daimler, insurance juggernaut Allianz and Deutsche Bank. German airline Lufthansa, telecommunications company Deutsche Telekom and IT security company Bundesdruckerei signed on this week, bringing the total number of members to nine.
The alliance’s goal: to provide a single login for customers across all partner sites that complies with the new data privacy regulations (General Data Protection Regulation), which will be enforced starting next May. Once users have created personal accounts, they can use the same security settings and passwords across member sites. The partners are calling the login the “master key,” which is what the login will be referred to when it is marketed to consumers.
The sign-in platform will be marketed to consumers as “Verimi” — a mix of the English words “verify” and “me.” A dedicated website explaining the service and how to use it is starting to familiarize people with the initiative before the product’s launch.
Verimi’s prime purpose is to remove lengthy online account management across numerous sites — a process that will become more complex after the rollout of the GDPR and ePrivacy directive. People can manage the data that businesses have on them this way. Once people register, they’re asked to give “express consent” to data being passed on to the alliance’s partner companies, as well as what data they’re OK with passing on. That information will also help ensure any personalized ad targeting that member companies run is GDPR-compliant — useful insight for media companies and advertisers that want to make sure they don’t target advertising to people who’ve stated they don’t want it.
By teaming with non-media companies, Axel Springer has taken a different route than a typical media alliance. This way, it can skirt any disagreements that can arise between competitors and stunt progress, which has hindered other media alliances. But Verimi is open-standard, so although Axel Springer is currently the only media group involved, others can join. The goal is to expand the service to other European markets, starting with those in which the founding partners are already present.
The pledge is to have a working product in market by year-end or the beginning of 2018 at the latest — just over six months since the initial announcement about it in May. Verimi will run as an independent unit, staffed by 30 people with backgrounds ranging from social media and marketing to data privacy. The companies have hired the team from the open market, rather than sharing existing resources.
Google and Facebook will be disrupted by the new European data protection rules that are due to apply in May 2018. This note explains how.
Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. This is an acute challenge because, contrary to what some commentators have assumed, they cannot use a “service-wide” opt-in for everything. Nor can they deny access to their services to users who refuse to opt-in to tracking. Some parts of their businesses are likely to be disrupted more than others.
The GDPR Scale
When one uses Google or Facebook.com one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. However, the application of the GDPR will prevent them from using these personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
Google and Facebook cannot confront their users with broad, non-specific, consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have made clear what they expect:
“A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.
A business cannot, for example, collect more data for a purpose than it needs and then retroactively ask to use those data for additional purposes.
It will be necessary to ask for consent, or present an opt-out choice, at different times, and for different things. This creates varying levels of risk. We estimate these risks on the “GDPR scale”, shown below.
The scale ranges from zero to five. Five, at the high end of the scale, describes the circumstances that many adtech companies that have no direct relationship with Internet users will find themselves in. They need to get the consent of the people whose data they rely on. But they have no channel of communication through which they can do so.
Four, next highest on the scale, refers to companies that have direct relationships with users, and can use this to ask for consent. However, users have little incentive to “opt-in” to being tracked for advertising. Whereas a user might opt-in to some form of profiling that comes with tangible benefits, such as a loyalty scheme, the same user might not be willing to opt-in to more extensive profiling that yields no benefit. The extensiveness of the profiling is important because, as the note at the bottom of this page shows, users will be aware of the uses of their data when consent is sought. Thus adtech tracking across the web might rank as four, but a loyalty scheme might rank as three on the GDPR scale.
A slightly more attractive prospect, from Google and Facebook’s perspective, is to inform a user about what they want to do with the personal data, and give the user a chance to “opt-out” beforehand. This is two on the scale. This opt-out approach has the benefit – from the company’s perspective – that some users’ inaction may allow their data to be used. The GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users. In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.
One on the scale refers to activities that currently involve the processing of personal data, but that do not need to do so. With modification, these activities could be put beyond the scope of the Regulation.
Activities at the zero end of the scale are outside the scope of the Regulation, because they use no personal data.
Our estimate of Google, when applied to this scale, shows a significant range of products at four on the scale, with the proviso that some part of that set of products can be modified, which would lower their score from four to one.