With only a week until the European Union’s General Data-Protection Regulation (GDPR) goes into effect, AdTech and MarTech companies around the world are bracing themselves for the dawn of a new era in digital advertising and marketing.
How prepared are they for the new regulation, and what has their journey towards compliance looked like up until this point?
To find the answers, we ran a seven-question survey asking people at AdTech and MarTech companies, as well as agencies that have their own AdTech and MarTech platforms, how they are preparing their technology for the GDPR.
Out of the 48 participants, we discovered the following results:
- 65% of respondents said they think the GDPR will have a moderate or slight impact on their business.
- 85% of respondentsbelieve that the GDPR will involve making technological changes to their AdTech/MarTech platforms and websites, in addition to legal changes.
- Only 48% of people surveyed said their company’s AdTech/MarTech platforms will be GDPR-compliant by May 25, 2018.
- When asked whether their company was planning on only working with GDPR-compliant supply, demand, or other technology partners in the future, 65% of survey participants said yes.
In this report, we take a close look at how advertising- and marketing-technology vendors have approached the GDPR and the steps they have and have not taken to become compliant.
Table Of Contents
A Brief Recap of How the GDPR Will Impact AdTech and MarTech Vendors
There are a number of key areas of the GDPR that will impact online advertising- and marketing-technology vendors, including:
The GDPR has extended the definition of personal data and now includes cookies, IDs in cookies, device and advertising IDs, IP addresses, location data, and device fingerprints. This means all AdTech and MarTech companies can no longer claim they only collect and use anonymous data; every piece of data collected currently by these vendors is personal data.
The inclusion of these identifiers will impact how AdTech and MarTech companies collect, store, and use data.
User Consent and User Rights
The new rules regarding user consent and user rights are by far the most challenging areas of the GDPR for vendors to overcome.
The GDPR states that if a company or individual—whether that be a publisher or an AdTech or MarTech vendor—wishes to collect, store, and use data collected from citizens and residents within the EU/EEA, then they’ll have to obtain clear and freely given consent.
“The new requirements for obtaining user consent and managing user rights will be the biggest hurdles for AdTech and MarTech vendors to overcome due to various technological challenges, particularly for AdTech companies due to the fragmented nature of the online advertising ecosystem,” said Clearcode CEO Maciej Zawadziński.
With regard to obtaining user consent, the actual collection process is likely to be a popup message of some sort, like the one below:
For marketers and brands, obtaining consent is likely to be much easier than for advertisers due to their use of first-party data, compared to advertisers’ reliance on third-party data.
Also, the path towards GDPR-compliance for MarTech vendors is reasonably straight with a few bumps along the way. For AdTech companies, however, their path contains many more challenges.
As AdTech vendors don’t have a direct relationship with consumers, they’ll need to rely on publishers to obtain consent on their behalf, and the further away they are from the consumer, the harder it will be for them to obtain consent.
However, some AdTech companies may look for different ways of obtaining user consent that don’t rely so much on the publishers. One such example comes from Amsterdam-based AdTech company Chads World, which provides advertisers with interactive, chat-enabled ads.
Chads World has incorporated an opt-in / opt-out toggle into their banner ads to help their clients comply with the GDPR. Apart from providing end-users with an option to start a chat with the advertiser or brand, the ads also allow users to set their consent decisions based on the disclaimer shown to them.
“By collecting user consent via the ads, advertisers can ensure their data collection processes are GDPR compliant should a publisher fail to collect the proper consent themselves, for example, in the event of a technical error” said Jorn Eiting van Liempt, Managing Partner at Chads World.
MarTech vendors will be less affected by this, as their relationship with clients (e.g. publishers and brands) is direct. Brands and publishers will also be more inclined to push for consent to use MarTech platforms (analytics tools, CRM, marketing-automation platforms, etc.) than some unknown AdTech platform located way down the supply chain.
The GDPR also introduces some new rules regarding data breaches.
In the event an AdTech or MarTech vendor becomes aware of a data breach, they’ll need to inform the supervisory authority and their clients within 72 hours.
They’ll also need to inform data subjects (users) about the data breach without undue delay, unless they’ve implemented the appropriate technical and organizational protection measures, such as encryption (provided the keys weren’t collected during the breach).
Due to the GDPR definition of a data breach, AdTech companies could find themselves subject to data breaches on a daily basis due to the nature of real-time bidding (RTB) and programmatic media transactions:
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. — GDPR definition
The way in which most media transactions are currently conducted constitutes a personal-data breach as user data is transferred between an array of advertising-technology platforms without the user’s consent or knowledge (illustrated in the image below).
Come May 25, this type of data-sharing will be classed as unlawful, unless the user has consented to each and every data-collection and processing activity, as well as the companies with whom their data is shared.
Data Protection by Design and Default
Very few AdTech and MarTech vendors have taken data protection and user privacy on board when designing their technology, but thanks to the GDPR, these areas will be put at the forefront of all future activities, from building new software and features to running online advertising and marketing campaigns.
For the most part, the GDPR states that companies should:
- Pseudonymize, anonymize, and encrypt data to provide added levels of protection.
- Only process the amount of data needed to complete the given activity, known as data minimization.
- Ensure that data-protection and user-privacy features are turned on by default.
The Path to GDPR Compliance For AdTech and MarTech Vendors So Far
Even though the countdown to the GDPR began when it was adopted on April 27, 2016, most of the news surrounding its impending enforcement has been concentrated to the past few months (as highlighted in the Google Trends graph below).
Although each AdTech and MarTech vendor has approached the GDPR in a different way, most vendors have taken one of the following four actions:
- Deny (or misunderstand) the impact the GDPR will have on AdTech and MarTech
- Cease operating in the EU/EEA
- Take steps to comply
- Adopt a traditional wait-and-see approach
Deny (or Misunderstand) the Impact the GDPR Will Have on AdTech and MarTech
Based on the rhetoric coming from some AdTech vendors, one could conclude that either they’ve misunderstood the GDPR and what it means for companies that collect personal data, or they are denying the impact it will have on their business and the industry as a whole.
With the help of various articles circulating in the media, we’ve been able to get insight into how some AdTech vendors view the GDPR and the path towards compliance.
There seems to be a consensus in the online advertising-technology world that the GDPR will have a moderate impact on the industry. The fact is that the GDPR will have a direct and severe impact on all companies that collect and rely on first-, second-, and third-party data.
One of the main areas most AdTech vendors seem to downplay is the lawfulness of processing. Under the GDPR, if an AdTech company, on behalf of their client, wants to drop a cookie on a user and collect their data, then they’ll have to obtain explicit and clear consent to do so.
However, some vendors are clinging to the notion of legitimate interest and are relying on this as a way to avoid obtaining user consent for data processing.
While the concept of legitimate interest does exist in the GDPR as one of the six legal grounds for processing data, it is not one that will apply to most advertising and marketing companies.
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. – Article 6, 1(f) of the GDPR
Perhaps unsurprisingly, a large majority of MarTech vendors seem to understand the impact the GDPR will have on their business and have taken steps towards compliance (see the sections below for more details).
Cease Operating in the EU/EEA
To their credit, rather than deny the impact or cling on to a false hope, both Drawbridge and Verve acknowledged that the new user-consent requirements in the GDPR would bring huge business challenges as neither company has a direct relationship with consumers—something almost no AdTech or MarTech vendors have.
It’s likely that we’ll see more companies pull out of the European market in coming years as the GDPR takes flight and the true effects of the regulation become known.
Take Steps to Comply
As is the case with most regulations, there is no blueprint or roadmap for companies on how to become GDPR-compliant, and many companies have simply misunderstood its key areas.
This has meant that companies have had to work towards becoming GDPR-compliant based on their own interpretation and understanding of the regulation, meaning one company’s view of GDPR compliance is another’s definition of a lawsuit waiting to happen.
There has also been a number of new tools introduced to help make compliance easier for publishers and vendors, including tools from existing MarTech companies and from organizations like the Interactive Advertising Bureau.
Adopt a Traditional Wait-and-See Approach
Unfortunately, the GDPR doesn’t allow for this wait-and-see approach, and once May 25 comes around, if an AdTech company isn’t GDPR-compliant, it could face legal action and hefty fines.
MarTech vendors, on the other hand, are a little more receptive to changes in the industry and have largely taken action towards becoming compliant—granted, their journey towards compliance is slightly easier to follow than most AdTech companies.
Results from Clearcode’s GDPR Survey
We recently conducted a survey whereby we asked 44 people working at AdTech and MarTech companies, as well as at agencies and publishers that have their own technology, about how their company was approaching the GDPR.
Below are the results of the survey.
1: Which region of the world is your company’s headquarters located in?
2: What type of business is your company?
3: What impact do you think the GDPR will have on your business?
When asked about the impact the GDPR would have on their business, 63% of respondents said they think the GDPR will have a moderate or slight impact on their business.
The above chart represents the breakdown of respondents based on their type of business and their answers to the question.
4. To which degree do you agree with this statement: The GDPR will involve making technological changes to AdTech/MarTech platforms and websites, not only legal changes (e.g. policies and contracts with partners).
88% of respondents believe that the GDPR will involve making technological changes to their AdTech/MarTech platforms and websites, not only legal changes.
5. Will your company’s AdTech/MarTech platforms be GDPR-compliant by May 25, 2018?
When asked whether their company’s AdTech/MarTech platforms will be GDPR-compliant by May 25, 2018, only 45% of people surveyed said yes. Furthermore, 36% said that while their platforms won’t be compliant by May 25, they were in the process of making them compliant.
The above chart represents the breakdown of respondents based on their type of business and their answers to the question.
6. Have any of the supply, demand, or other technology partners you work with told you they will only work with GDPR-compliant partners in the future?
7. Is your company planning on only working with GDPR-compliant supply, demand, or other technology partners in the future?
When asked whether their company was planning on only working with GDPR-compliant supply, demand, or other technology partners in the future, 66% of survey participants said yes.
What the Future Holds for the Online Advertising and Marketing Industries in a Post-GDPR world
Some believe that the GDPR will improve digital advertising and marketing, while others see it as a possible end for programmatic advertising. While opinions may differ, there’s no denying that the online advertising and marketing industries will look a whole lot different after May 25, 2018.
Below is a glimpse of what the GDPR could mean for digital advertising and marketing.
Consent-Based Advertising and Marketing
The strict new rules surrounding user consent have many advertisers and marketers worried, and results from a PageFair survey don’t do anything to ease their concerns.
For years, online visitors have had little or no control over how their data is collected, used, and shared. The GDPR now puts power back into their hands and puts the onus on advertisers and marketers to prove to consumers that a true value exchange exists when they provide their consent for data collection and processing.
It’s highly likely that both online advertisers and marketers will see a significant drop in their web-analytics data and campaigns due to the low volume of users that will provide their consent.
Therefore, the challenges facing advertisers and marketers are coming up with ways to highlight the benefits of providing consent and making the most of the small percentage of users that actually provide consent.
Less Reliance on Third-Party Data and a Bigger Focus on First-Party Data
Third-party data has long been the oil that keeps online-advertising engines running. However, in a post-GDPR world, getting users to agree to sharing their data with unknown companies with whom they have no direct relationship will be incredibly challenging.
Because of these challenges, first-party data will reign supreme after May 25. For marketers, first-party data has always been the main fuel source of their campaigns, so they’ll face fewer challenges compared to advertisers, but they still won’t be immune to the GDPR’s rules regarding consent and data protection.
The future of both online advertising and marketing campaigns lies in first-party data—granted its collection will be more difficult for some than others.
More Power for Publishers
The strict rules regarding consent mean that publishers will become the gatekeepers for consent, meaning if AdTech and MarTech companies want to collect user data, they’ll be relying on publishers to collect it on their behalf.
Publishers will also have more control over which vendors are allowed on their website. In the eyes of the GDPR and ePrivacy regulation, data controllers (e.g. publishers) are liable for all first-party and third-party scripts, tags, and pixels on their websites. This means publishers will be evaluating their partners’ GDPR-compliance status and will likely refuse to work with vendors that don’t pass the test, as they won’t want to risk violating the GDPR and face hefty administration fines imposed by the EU.
These two areas give publishers more power and control than they have currently, and may even push the price of inventory higher due to the basic concept of supply and demand—i.e. the lower volume of inventory available, the more valuable it will be.
What Does a Post-GDPR World Mean for AdTech and MarTech Vendors?
GDPR Compliance is a Must
With so much attention on the GDPR from advertisers right through to publishers, AdTech and MarTech vendors that don’t comply with the GDPR will find themselves losing business and being replaced by those that do.
Also, due to the substantial fines for not complying with the GDPR and the general public’s growing awareness of data-protection and user-privacy issues, few companies will be willing to work with an non-compliant AdTech or MarTech vendor.
Look for New Ways of Advertising
As the size of available audiences to target will be significantly lower than they are currently, advertisers and AdTech companies especially should focus on advertising that doesn’t rely on personal and third-party data.
A prime example is contextual targeting, which mainly uses non-personal data, such as the context of the page, the page’s URL, and the keywords on the page to determine which ads to serve. There are few companies out there that offer this type of targeting, so there are plenty of opportunities for AdTech companies to capitalize on this area of the market.
Innovate for the Future
Regulations typically spur innovation, as companies need to look for new ways to conduct business in accordance with the new rules—the innovation in green technology as a result of the US Clean Air Act being one example—and the GDPR is no different. Successful AdTech and MarTech companies of the future will be the ones that see the GDPR as an opportunity to innovate.
Clearcode is a full-service software-development company that specializes in AdTech, MarTech, and analytics platform development. We also help AdTech and MarTech vendors comply with the EU’s General Data Protection Regulation (GDPR) and ePrivacy regulation though our development services.