Marketers scramble to dodge GDPR liability.

The arrival of the General Data Protection Regulation has advertisers worried they’ll be on the hook for violations of their agencies, tech vendors, and publishing partners. Under GDPR, advertisers will often operate as the controller given they own the data that’s being processed by agencies or ad tech firms to target ads. It is, however, getting harder for advertisers to know what companies — whether directly or indirectly — are processing that data due to revisions to data processing agreements. Without that knowledge, it leaves brands open to fines if there’s a GDPR screw-up even if it isn’t their fault.“Advertisers are concerned that the data-processing agreements they’re being asked to sign don’t give them enough protection as the data controller,” said Matt Green, global lead for media and digital at the World Federation of Advertisers. In the weeks leading up to and then immediately after the arrival of GDPR, advertisers were flooded with DPAs, created to comply with the regulation — from agencies and ad tech vendors they struggled to understand. Nissan, for example, is currently working with its agencies to assess the privacy policies of ad tech firms it uses.