GDPR in AdTech 1 Year On: What’s Changed?

The lead up to the European Union’s General Data Protection Regulation (GDPR) on May 25, 2018, was akin to previous looming deadlines like the Y2k bug. The anxious anticipation and speculations set the industry on fire: GDPR-themed blog posts, articles, analyses, predictions started spreading like wildfire.

In the weeks and months leading up to the enforcement date, there were theories that the GDPR would end targeted online advertising, companies were scrambling to ensure their contact lists were GDPR compliant (remember all those opt-in emails?), and AdTech was bracing for the unknown.

Now that the GDPR has been enforced for a year, we have the benefit of hindsight. Was the hysteria justified? Did the GDPR impact AdTech the way everyone thought it would?

To answer these questions, we’ve compiled a list of the most popular news stories that circulated before the GDPR, on the day of enforcement, and life since then. This gives an idea of how much stir the GDPR caused when it was finally introduced – but also how much was speculated about it way before the (G)D-Day.

The Leadup To the GDPR

Before GDPR kicked in, the excitement was building up, although little was known about what was actually round the corner for AdTech.

• An increasing number of posts started appearing which described the assumptions (the “what”) of the GDPR, but not explaining much about the means to get there (the “how”).

Then, the general sentiment around the web was that companies were not prepared for the new law. One of the reasons for that was that the GDPR was intended to affect all non-EU based businesses processing EU residents’ data in the same way as it would affect EU-based companies.

• From an American perspective, for example, GDPR was difficult to fully comprehend – a bulky regulation sprawling 99 articles and 173 recitals that wasn’t even conceived by their legislative bodies. What seemed completely ridiculous at the time was the obligation to comply even if a US company processed the data of a single person based in the European Union.
• Because many brands had little idea about how GDPR would play out, some of them decided to put their programmatic activity completely on halt before the enforcement day. This allowed them to wait for a move from the industry leaders like Facebook and Google.
• GDPR was definitely going to impact Google, but because most of the AdTech industry depends on Google in some way, companies waited for their move first. Unfortunately, Google didn’t make a decision until the very last moment. They restricted marketers from data from the DoubleClick ad server for cross-platform reporting and measurement, which caused a stir in the industry, and further reinforced the walls of its ecosystem.
• Other US-based companies like Drawbridge, instead of working on means to ensure their compliance, exited Europe and planned not to continue buying media in Europe.
• Such behavior showed misunderstanding of how GDPR works. Companies did not realise that closing down European operations does not eliminate the need for compliance. All AdTech companies have to adhere sooner or later if they’re planning on marketing to audiences based in Europe.
• Various bleak scenarios were passed around, most of which turned out to be vastly exaggerated — e.g. AdTech would fall apart, it would be doomsday event, etc.
• There was a general feeling that the GDPR would bring about big change to AdTech, but alongside dark scenarios there were also positive voices showing that the GDPR would empower users and tame the wild west of online advertising.
• Clearcode’s own Maciej Zawadzinski shared his insights in a MediaPost article listing all the positive aspects of the GDPR and detailing how both publishers, advertisers and consumers could benefit.
• GDPR was also recognized as something that would re-write the rules for online advertising, but not necessarily damage all AdTech. It would force AdTech away from bottom-of-the-funnel retargeting through ad exchanges, and make the industry focus more on contextual advertising and first-party, consent-driven, uses of data. Such views were popular in the industry and resonated from many expert opinions.
• There was a general feeling that post GDPR brands would no longer be able to use customer data as commodity and trade it so freely on the open market (i.e. so-called third party data).

As the GDPR was slowly looming into view and the enforcement date was mere weeks away, there was clearly a better understanding of the regulation in the industry, and more specific analyses started surfacing around the web.

• There was a general consensus that, among other requirements, compliance with the GDPR would not be possible without respect for user data, consent management, transparency concerning leaks and breaches and de-identification of data.
• The quality of third-party data has always been known to be questionable – it is estimated that only 50% of this data can be considered accurate. Despite this, the use of third-party data is still the foundation of online marketing. While inaccurate, this data is still better than nothing for AdTech companies that don’t have access to first-party consumer data. The fact that GDPR took aim at this kind of data, if anything, definitely raised awareness of privacy issues and helped educate people how the industry works.
• An increasing number of writers stressed the financial consequences of non-compliance with the GDPR. Businesses failing to comply with the GDPR risked getting fined €20 million, or up to 4% of their worldwide turnover (depending which is higher) for the more serious breaches.

The closer the enforcement day, the more specific were the ideas as to how a GDPR-compliant consent collection should look and how consents should be managed

The GDPR fever spurred speculations about what getting, storing and managing user consent would look like from the technical perspective before a single consent box saw the light of day.

• PageFair offered a detailed glimpse into the proper design of a consent box – their article contained lots of examples as well as downloadable wireframes of the content box designs.
• Alongside the design of the consent box came more talk of how, under the European Union’s General Data Protection Regulation, the consents would be transmitted from vendor to vendor.
• AdTech vendors started looking at each other’s hands, trying to figure out how the others are gearing up for the big day.
• Early pre-GDPR articles showed that brands and agencies were in a “holding pattern” – knowing they would need to abide sometime in the future, but waiting for further clarification.
• For publishers, there came a need to verify their adtech partners’ GDPR readiness – Pagefair even developed Perimeter – a regulatory firewall that whitelisted or blacklisted 3rd parties, or put them on the greylist for sanitization.
• ExchangeWire asked AdTech companies dataxu, Rubicon Project, Sizmek, Adform, Quantcast, and AppNexus to share how they were preparing for the GDPR.
• With the enforcement date looming, research conducted by Clearcode showed the lack of readiness by some AdTech and MarTech vendors.

Enforcement Day, May 25, 2018

Here are a few stories that the AdTech industry saw when the day (May 25, 2018) finally arrived:

• Facebook and Google were immediately hit with lawsuits from Non Of Your Business (NYOB), a privacy group led by Max Schrems, over their forced consent tactics.
• Ad demand in Europe plummeted between 25 and 40 percent among some ad exchanges.
• Many US news sites are made unavailable to EU visitors.

AdTech In a Post-GDPR World

In the days, weeks, and months after the enforcement date, there were a number of news stories about topics we all expected to read about, and some that we didn’t:

• AdTech vendors experience teething problems with the IAB Transparency and Consent Framework (TCP).
• Reports circulated that ad retargeting was growing. However, this was likely connected to the ‘business as usual’ approach that many businesses adopted, which involved not implementing the proper consent mechanisms, relying on the legitimate interest argument, and running with implied consent.
• For those AdTech companies that were obtaining consent, they found themselves victim to consent-string fraud, which is caused by a lack of interoperability between Google’s CMP and the IAB TCP.
• Vectaury, a mobile demand-side platform (DSP), was investigated by the French data protection authority, CNIL, for its improper collection of user consent.
• Some premium publishers, such as the Financial Times, cut off open exchanges. The New York Times also turned off open exchanges in Europe and reverted to contextual targeting and direct deals, and saw a growth in ad revenues.
• Google got hit with a €50 million fine from the French DPA, CNIL, for its invalid consent collection mechanisms and lack of transparency surrounding data usage.
• Brave, a web browser, and various privacy advocates including Panoptykon Foundation, filed several complaints to European data protection authorities over the course of many months. The complaints related to various GDPR infringements from Google and the IAB.
• The Irish DPA opens an investigation into Quantcast over its consent collection practices. Quantcast joins a list of other large tech companies that the Irish DPA is investigating, including Facebook, Instagram, WhatsApp, Apple, Twitter and LinkedIn.

What the future holds of AdTech in a post-GDPR world?

While the enforcement of the GDPR didn’t result in the doomsday scenario like many clickworthy headlines prophesied, there’s certainly been many investigations by various European DPAs. We already seen Google receive their first GDPR-related fine and we’ll likely see other companies face a similar fate.

But the GDPR is only one area that AdTech companies, agencies, brands, and publishers have to worry about. The introduction of Apple’s ITP in Safari and Google Chrome’s changes to third-party cookies will likely have a bigger impact on AdTech companies as these are technical changes with immediate and direct impact, rather than policies that should be implemented, but can be easily ignored.