Consent “isn’t going to work” for programmatic or direct-sold advertising under the General Data Protection Regulation (GDPR).

That’s the conclusion of Johnny Ryan, head of ecosystem at anti-ad-blocking solutions provider PageFair. His firm has spent the last two years trying to figure out how GDPR is supposed to work, given the current digital ad environment.

With a few exceptions, he pointed out, GDPR specifies that publishers and advertisers need to get consent from each user to employ their personal data to target ads.

The personal data includes any info that can be used to help pinpoint an individual; for GDPR, that includes IP addresses and browsing trails, as well as email addresses. And the consent needs to itemize each use, which PageFair says is at least 10 different opt-ins for digital ads, including showing relevant ads, creating a profile based on your browsing habits, seeing if you interacted with an ad and so on.

“Consent is the only possible basis [for targeted digital advertising],” Ryan told me, “but it’s unworkable.”

I’ve asked lots of interviewees, “Doesn’t GDPR, if enforced, mean the end of programmatically targeted ads?” Almost everyone I’ve asked has basically indicated that some fix would happen, or that “Legitimate Interest” might allow exceptions. According to GDPR, Legitimate Interest allows for personal data processing if it is a benefit to the processing company, such as anti-fraud efforts or if the user is already a client, but it cannot conflict with users’ personal data rights.

But Ryan told me there is no fix, and legitimate interest doesn’t apply for advertising except in a few situations.

GDPR compliance for ads based on personal data is all about user consent, he says, but consent isn’t a solution.

Two reasons

His reasoning is twofold. First, research by PageFair and various European organizations indicates that the percentage of users who would grant consent to requests such as “allowing third parties to track your online behavior for targeting of relevant ads” is very low, ranging from 5 to 20 percent.

In a recent post on its blog, PageFair even envisioned how to bundle various kinds of specific use cases in one consent field, such as:

But, regardless of how the consents are packaged, Ryan says research — and common sense — suggests that the vast majority of users will decline to allow the tracking of behavior or use of other personal data for targeted ads.

Second, every website or app with ads has dozens if not hundreds of third-party vendors collecting data or depositing cookies, including tag management systems, ad platforms, content management systems, user analytics vendors and the like.

That means user data is collected and passed around. Even if there are contractual agreements to comply with GDPR, Ryan said, it’s inevitable there is “data leakage,” where your personal data gets shared or employed by some third-party vendor — or by a vendor working with that third-party vendor — in some way the user didn’t approve.

And, Ryan notes, “everyone involved in a [GDPR] breach is liable,” even if vendors indemnify other vendors or the publisher.

“You can’t be indemnified against law-breaking,” he said.

But don’t despair, publishers and advertisers. Ryan advises: “The solution is simple.”

Don’t use personal data

“Personal data is no longer viable for [targeted] ads,” he said, because you can’t get enough people to give consent, it’s very complex to grant consent for all the use cases and you can’t control for data leakage.

So, don’t use personal data for ad targeting.

Instead, he said, use targeting segments that group users in ways that can’t be employed to find an individual.

You could, for instance, create a targeted group of users whose site visits and other data indicate they are dog owners or lovers, go to hockey games and live in the Philadelphia area, because there are thousands if not hundreds of thousands of users who match that description.

But if you added that they also owned a Honda CRV, lived in a specific ZIP code and graduated from a specific small college, that could be used to find a specific individual — and therefore is a no-no for GDPR.

How does one know if a segment’s data is getting too personal?

Ryan said that could be determined statistically so that data targeting would flag when the likelihood of personal targeting is too great for a given segment.

The other route: Develop “Trusted Partner” status for specific publishers and advertisers, as in a new PageFair offering by that name.

These publishers and advertisers would essentially “purify” themselves of personal data collection and data leakage, certifying that they do not collect this kind of info and removing any vendors who might leak data to third parties. That is, become GDPR-safe, small “walled gardens.”

Then, any visitors to those properties will be asked their consent for a very limited number of publisher- or advertiser-based uses, without danger of data leakage.

‘Like fossil fuel’

A user who browsed webpages showing tents and backpacks might be shown an ad about guided camping trips, for instance, but only on that site. PageFair is offering a new service, called Perimeter, that can help publishers set up this kind of non-leaking environment.

“The object,” Ryan said, “is allowing direct and programmatic sales to work in a market where there is no personal data [targeting].”

Ryan acknowledged this vision of post-GDPR advertising would probably mean an end to retargeting, but he said that such practices as frequency capping might still be possible. Instead of employing a personal identifier and counter to limit the number of times a given user saw a specific ad campaign, he said, advertisers could instead deposit a campaign identifier and a counter on the user’s browser. No personal data involved.

“CMOs are not happy with the status quo,” he said, adding that he didn’t think the effectiveness of ad targeting would greatly change with these new approaches.

Ryan told me when he presented these ideas to the World Federation of Advertising this past December, “I didn’t see much anguish.”

“Personal data is like fossil fuel,” he said, comparing the new GDPR regulations to environmental regulations that compelled “clean tech for an industry that refused to change.” Ryan said that the new advertisers and publishers who act as Tesla-equivalents will take advantage of this new era, and will eventually change the direction of the older, GM-equivalent advertisers and publishers.

Don’t look at this as the “end of programmatic advertising using personal data,” he told me, although he thinks that will be the result of GDPR.

“Think of it as the start of programmatic advertising using non-personal data.”