Global Privacy Director, Criteo
Recently, Criteo released its GDPR Checklist for the upcoming disruption that is seen as one of the biggest challenges for data marketers in 2018. To understand the deeper aspects of GDPR and its impact on ‘Sensitive’ and ‘Non-sensitive’ data, we spoke to Criteo’s Global Privacy Director, Guillaume Marcerou.
Tell us about your role in Criteo and the team you handle.
My role is to manage the risks and business impact of privacy laws and regulation, thus protecting users’ privacy. I lead Criteo’s Privacy Team, which implements and oversees privacy practices and policies. We employ Privacy-by-Design, a long-standing practice that promotes transparency and user choice to ensure an industry-leading level of privacy, security, and safety for consumers and marketers.
How would GDPR modernize the legal system to protect personal data in an era of globalization and technological innovation?
GDPR will modernize the current regulatory environment by harmonizing the various data privacy laws across all 28 EU member states, including the UK. Once GDPR goes into effect, all EU member states must treat cookies and other technical identifiers as “personal data.” This will hopefully meet the challenges resulting from globalization and the new use of technologies. It will also bring more coherence and clarity to the EU rules for personal data protection across Europe, which is very important for companies like Criteo that are active in more than 80 countries.
Apart from helping to evolve the legal framework, the new regulation will also strengthen and reinforce an individual’s rights and will reduce administrative formalities to ensure a free flow of personal data. We anticipate that overall GDPR will have a positive, trickle-down effect: it will re-establish confidence and trust among consumers, which in turn will benefit businesses that value and prioritize transparency and consumer choice.
What are the differences between ‘Sensitive’ and ‘Non-sensitive’ data that GDPR intends to target? Are these terms related to unambiguous consent at the time of sign-in?
Sensitive data is any data that reveals the following: race or ethnic origin, religious or philosophical beliefs, sexual orientation, political affiliation or opinions, health status, genetic or biometric data and trade union membership. Data controllers must obtain explicit consent, meaning the user must opt-in, in order for the data to become accessible.
Non-sensitive personal data refers notably to online identifiers, such as cookies, and other pseudonymized information that does not allow data controllers to directly identify individuals’ personal data. The use of non-sensitive personal data is incentivized by the GDPR, as the GDPR considers it an efficient way for data controllers to meet their legal obligations. In this case, an explicit opt-in from the user is not required.
The distinction between sensitive and non-sensitive data is important. In the era of GDPR, brand and agency marketers will need to differentiate between unambiguous and explicit consent. The GDPR requires companies to obtain unambiguous consent from users. This includes a user continuing to browse a website. As online identifiers (e.g., cookies) alone are categorized as non-sensitive personal data, explicit consent (i.e., opt-in) is not required.
What would be the biggest impact of GDPR on the tech industry, especially the ones dealing with B2B Marketing and Advertising?
When it comes to e-commerce and online advertising, protecting consumers’ privacy and being forthright with them about business practices is a matter of respect. When customers understand exactly how their information is being used, and when they are given control over their personal browsing information, it strengthens their trust in a company. The more a customer trusts a brand, the fiercer their loyalty will be to that brand long-term. Because of this premise, Criteo has historically demonstrated a strong track record of being transparent on the data we collect, and giving consumers control; this business practice pre-dates GDPR-era regulations.
Furthermore, since 2008, we have made it easy for consumers to immediately opt-out from our services. As a result, Criteo is well-positioned for GDPR compliance; we already have a strong foundation and legacy of following several industry best practices, standards and regulations – including but not limited to GDPR – and applying the highest levels of security and data privacy across our portfolio of products, technologies, and services.
At the end of the day, my hope is GDPR will help bring back trust in our industry by making transparency and choice table stakes for any business.
Would GDPR negatively impact customer experience? How does Criteo plan to solve these challenges?
Quite the opposite, in fact. GDPR will likely enhance the customer experience, as it will give them more control over what ads they are or aren’t being served. This includes an opt-out choice that is easy to use and access to language that explains how it will affect a browser’s ad exposure. Consequently, marketers should theoretically have much better data and targeting capabilities.
Since our inception in 2005, Criteo has been chiefly concerned with customer privacy. Before the greater industry began talking about GDPR, Criteo established itself as an early thought leader by clearly stating the rights that consumers have to access their data, what data is collected, how it is used and how they can opt-out.
Beginning in 2008, we committed to the Ad Choices program which allows consumers to see exactly where Criteo is using their data, and how we protect their privacy in a single click. When a consumer chooses to opt-out, we immediately stop tracking and retargeting and remove all identifiers from their browser, making it impossible to target them in the future.
Additionally, we’ve also created an internal program that I oversee, Privacy-by-Design, that is our own long-standing practice and commitment to ensuring industry-leading privacy, security, and safety for both consumers and marketers.
How does Criteo intend to leverage data science and AI/ML capabilities to better leverage data management within the GDPR boundaries?
Criteo’s Commerce Marketing Ecosystem (CME) is a network of tens of thousands of retailers, brands, and publishers, centered on integrated marketing technology, powered by machine learning, built and optimized to drive commerce results, i.e., sales and profits.
We expect a very limited impact, if any, on our clients’ and partners’ ability to work with us in the wake of GDPR. We expect we will continue to work together to harness commerce data at scale in order to drive commerce results, i.e., profitable sales.
Criteo is already in compliance with key elements of GDPR and we are well-positioned to rapidly implement any additional requirements throughout Criteo’s entire CME.
Thanks for chatting with us, Guillaume.