Leading up to the year 2000, there were dire predictions circulating about a potential end to the digital world because of a software issue, known as the Y2K bug, that would kick in at the stroke of midnight on January 1.
As it turned out, the world didn’t end. Computers still worked and digital calendars displayed the correct date, apart from a few somewhat-minor incidents.
In the lead up to the GDPR’s enforcement date on May 25, 2018, the online advertising world experienced a similar hysteria.
Just like the Y2K bug, however, the AdTech world didn’t collapse, companies didn’t file for bankruptcy, and ads were still being bought and sold programmatically or otherwise.
In fact, it almost seems the opposite is true when you consider some of the news that’s come out of the digital advertising industry since the GDPR came into force almost a year ago.
Stock Prices Are Up and Advertising Activity Is in Full Swing
One impact of the GDPR that nobody predicted was an increase in stock prices of some of AdTech’s largest publicly traded companies.
The Trade Desk has seen its share price climb from $82.99 on May 24, 2018, to $202.09 at the time of publishing this post, as well as healthy growth in terms of revenue.
Similarly, Rubicon Project’s stock price was $2.34 on the day the GDPR kicked in, and now sits at $5.76 a share (again, at the time of writing).
There was also AT&T’s monster purchase of AppNexus for close to $2 billion, with similar acquisitions likely to occur as large telecommunications companies look to compete with the duopoly of Google and Facebook.
On the outside, it certainly looks as if the AdTech industry is in a pretty healthy state.
However, the above companies are based in the US, with TTD experiencing significant growth in non-display areas, like connected TV and audio.
When you look at AdTech companies in Europe operating mainly on display advertising, it’s a different story. Criteo, for example, has seen its share price fall from $25.35 on May 24, 2018, to $19.07 on May 29, 2019.
Unlike Y2K, the potential negative effects of the GDPR aren’t immediate, and the worst could still be yet to come, meaning the positive stock growth and large acquisitions likely won’t last in the long term.
Incorrectly Collecting User Consent
Although the GDPR doesn’t spell out in black and white what consent must look like, it certainly provides enough details for companies to understand what their user-consent mechanisms should and shouldn’t include.
For example, the regulation clearly states that consent must be freely given and data controllers (like publishers) can’t deny service or access to users if they refuse to provide consent or if they don’t state their preferences.
Despite this, many publishers are denying access to users if they don’t agree to hand over their data. Some have adopted “assumed consent,” meaning anything other than a direct “no” (closing the consent form and continuing to use the site without selecting their preferences) constitutes consent.
These are in addition to the widespread practice of firing third-party tags when a user rejects to their data being processed. While there’s a need to collect and store a user’s consent decisions, and therefore must be passed along to a publisher’s AdTech partners, there’s a big chance the user’s data will still be passed (or “leaked”) to various AdTech platforms.
Considering these non-compliant tactics, it’s no surprise that we’ve seen companies boast opt-in rates of 90%.
These methods of obtaining user consent are not GDPR-compliant and go against one of the main purposes of the regulation—to give data subjects more control over their information.
Legitimate Interest Incorrectly Used as Legal Basis for Data Processing
Even before the GDPR rolled into existence, parties from all sides of the AdTech ecosystem had placed all their chips on legitimate interest as their legal basis for processing personal data.
While it doesn’t state in so many terms that data processing for advertising and marketing isn’t an example of legitimate consent, this argument will likely crumble if put before an EU court.
It seems that the only way companies can collect and process personal data is by obtaining user consent, which, as mentioned above, still isn’t happening correctly.
Companies Still Operating as ‘Business as Usual’
Apart from the recent increase in some AdTech stocks, another surprise to come out of the AdTech world was news that retargeting had actually grown in the months following the GDPR’s implementation.
It seems that many advertisers are moving away from prospecting, which heavily relies on third-party data collected from a multitude of sources, and are moving towards retargeting, as it’s considered a safer option.
While certain areas of online advertising, such as the size of available audiences, has been impacted for the most part, it looks like it’s business as usual for a majority of the folks out there—with legitimate interest and non-compliant user-consent mechanisms helping keep the entrance doors open.
The Full Impact Hasn’t Arrived… Yet
As we approach the one year anniversary of the GDPR, it still seems that it hasn’t impacted the AdTech industry the way many expected, but it’s still in the early days.
Google received a $57 million fine from the French data protection agency, CNIL, for its lack of GDPR compliance. We also saw CNIL investigate Vectaury, a French mobile ad location DSP, for its non-compliant collection of user data. However, CNIL later withdrew the investigation in February 2019, stating that the AdTech vendor no collects valid consent.
These stories have no doubt made a lot of AdTech players take notice, but haven’t been enough to bring about any significant change in the way user data is collected.
Privacy groups and advocates are helping bring to light many of these non-compliant practices, which is causing various data protection agencies to act.
My prediction is that the move towards true GDPR compliance will be a slow one that will take a few years, spurred on by public awareness and legal proceedings.
We avoided the Y2K disaster because companies invested heavily in preparing for its arrival. Most companies haven’t made the same investment with the GDPR. The AdTech doomsday that many thought would happen never materialized, but it’s still too early to rule it out.