With a mission of showcasing golf’s greatest players to a global audience, the PGA TOUR has been proactive in their GDPR compliance efforts to ensure the privacy needs of their international audience are met. We sat down with Nick Potvin, Advertising Technology Manager at the PGA TOUR and an active member of the IAB Tech Lab GDPR Technical Working Group, to better understand how the PGA TOUR has sliced through the General Data Protection Regulation’s (GDPR) complexity and kept on par with industry best practices.
How has GDPR impacted PGA TOUR?
PGA TOUR has a global audience with international athletes and fans, so GDPR has forced us to take a deeper look at our data processing activities across the organization to ensure compliance. We are treating the GDPR as the gold standard and preparing for the potential of similar state side regulations. Our stance has been to prepare for the regulation as though it’s impact is enforceable for all our fans.
GDPR implementation is a cross-functional effort. How has PGA TOUR addressed the challenge of bringing a diverse set of people together to tackle compliance?
We have a GDPR working group which consists of Revenue Operations, Legal, Records Management, IS Security and Internal Audit. Typically, people don’t associate revenue or ad ops with InfoSec and data regulations, but digital advertising teams have a unique vantage point into the site’s audience data flows. To get as many groups involved as possible, we rolled out data impact assessments which has helped socialize the regulation and has opened cross department collaboration.
Do you see any benefits of GDPR for the advertising business?
GDPR gives the industry, and more specifically publishers, the opportunity to scrutinize and ask questions around third-party pixels. These site audits should result in cleaner data sets from consenting users which in turn provides a more valuable audience for advertisers. There have been concerns from the publisher side regarding unauthorized third-party pixels. Similarly, the buy side has uncertainly regarding first party data. The GDPR forces candid conversations on these topics due to the liabilities, which is a step in the right direction. It will force buyers to think strategically about audience segments and direct publisher relationships. Post GDPR it will be difficult to justify programmatic buying solely on third-party data segments which may or may not truly have the target audience or the legal basis to continue data collection to build that segment. Brands will be more inclined to think about what premium publishers contextually have the target audience and layer data on top to run more impactful campaigns.
Where do you go for more information about GDPR?
The International Association of Privacy Professionals (IAPP) does a great job of curating articles specific to the regulatory landscape. For more digital advertising focused articles regarding impacts of GDPR: Ad Monsters, Ad Exchanger and IAB News.
How did you learn about the Transparency and Consent Framework?
PGA TOUR is a member of the IAB so when the working group was announced I joined and had the opportunity to be involved with its development.
What was the process that PGA TOUR took to implement a CMP?
We had TrustArc implemented as a cookie consent mechanism prior to the IAB framework. When the CMP specs came out we worked with them to understand how their platform would address the IAB framework.
How do you work with your partners/vendors to make sure they are GDPR compliant and/or also implementing the Transparency and Consent Framework?
We’ve been fortunate in that our partners have been proactive with regards to GDPR compliance. They know it is an important topic for us, so the conversations have been reasonably candid and solution oriented. For me, seeing a partner or potential partner’s approach to the GDPR is very telling. You get a better understanding of how they view ownership of the audience, what value they place on securing the data and if there is a data retention plan.
How would you advise a publisher who is considering joining the framework?
I would suggest looking at your full tech stack and determining the best consent management provider (CMP) to implement. Some are more advertising industry focused, others take a broader approach to cookie consent. I think it’s important to take a step back and think about it from a holistic privacy perspective. Then decide to what degree you want to join the framework. For some it will be an easy decision to join, others will go the route of non-personalized ads. I think we’ll see a wide variation of approaches based on the organization’s risk tolerance.