A lot has happened since the European Union’s General Data Protection Regulation (GDPR) came into force on May 25, 2018, and it can be hard keeping up with all the news stories.
At Clearcode, we’ve been keeping an internal record of the most important news stories and opinions even before the GDPR was introduced.
Now, we are making this list available to everyone.
Below you’ll find the main GDPR-related events in the AdTech and MarTech industries in chronological order.
If you feel there’s a story we are missing, get in touch and let us know.
The most popular news stories
April 14, 2016
The European Union’s General Data Protection Regulation (GDPR) was formally adopted by the European Parliament and started a 2-year countdown to its enforcement data of May 25, 2018.
July 7, 2016
EU businesses have resigned themselves to the fact that they will have to start complying with the long-awaited EU General Data Protection Regulation and are preparing themselves for 2018. How is the GDPR perceived from the outside looking in?
September 12, 2017
A 2017 survey conducted by the adblocking analytics firm PageFair (now Blockthrough) found that 79% of respondents would not give a publisher consent to share their browsing habits with its analytics partner.
December 06, 2017
“Chances are, one likely change this will bring forward is yet another dimension of consolidation.”
January 10, 2018
For all the talk of revolution, the GDPR will end up a blip for most rather than a world made new. But that will be after the new regulation causes its share of confusion.
January 26, 2018
“…GDPR is likely to wipe out cookies, and their ability to follow users across devices, constantly serving ads at them.”
February 9, 2018
“…the Tech Lab debuted an openRTB feature to convey user consent through the digital supply chain and unveiled plans to launch a GDPR Technical Working Group tasked with helping programmatic advertisers deal with GDPR and the coming ePrivacy regulation.
April 4, 2018
As brands, agencies and publishers scramble to get their data collection, usage and storage situations in line with European regulations, few have gotten their email newsletter subscriber operations into a GDPR-compliant state, either by securing affirmative consent for use of subscribers’ data or by updating their email onboarding process so people give consent when they subscribe.
April 16, 2018
Many of these car manufacturers had to change the way their engines worked to comply with the CAA. For the most part, this meant making cars produce less pollution and become more environmentally friendly.
Ad tech vendors are now faced with the same situation, as they will have to change the way their technology works to comply with the European Union’s GDPR.
April 19, 2018
In the last two months, a pair of U.S.-based ad tech firms — cross-device targeter Drawbridge and location data firm Verve — said they would wind down European operations due to the looming General Data Protection Regulation.
April 25, 2018
“The GDPR will shake out a lot of sub-standard actors, clean up the supply chain, lead to consolidation of vendors, and allow consumers to better own and control their data,” says Gareth Davies, entrepreneur in residence at Digital Capital Advisors.
May 1, 2018
Ready or not, GDPR is (almost) here, bringing about many changes that will unfold immediately and will have an instant impact, on those both directly in the industry, as well as on those who are further removed.
May 2, 2018
On 22 March, 2018, a mere two months before the GDPR is enforced, Google announced on its blog that it would be updating its EU consent policy, requiring publishers to take extra steps in achieving consent from their users.
As part of its commitment to comply, Google has designated itself as a data controller under GDPR, rather than a data processor, as many in the industry would have expected, based on their understanding of the GDPR, and Google’s role within the advertising ecosystem.
May 11, 2018
When legislators in the EU came up with the GDPR legislation, I know they had the best intentions to protect the rights of users.
For too long digital media, marketing, and advertising technology platforms have been harvesting and monetising data (albeit cookie data, for the most part) without the knowledge of the user.
May 17, 2018
Only 48% of people surveyed said their company’s AdTech/MarTech platforms will be GDPR-compliant by May 25, 2018.
May 18, 2018
Deutsche Telekom and e-commerce business Otto Group are among some of Europe’s biggest advertisers set to cut programmatic budgets after the General Data Protection Regulation takes effect on May 25.
Advertisers are well aware of the challenges with programmatic, but the regulation has prompted discussion about audience targeting and the quality of the data underpinning it.
May 18, 2018
The central issue seems to center around whether ad tech can continue to operate as it has before the EU shifted its legal landscape on data protection and privacy, or if it will have to shift to a new model in order to be compliant.
May 25, 2018 — The GDPR comes into effect
When the GDPR was coming into force:
- Over one-third of respondents from the survey were unsure if their company will be compliant with GDPR come May 25.
- Thirty-six percent of respondents said their company hasn’t hired anyone to help prepare for GDPR.
- Eighty-six percent of companies are renegotiating contracts in the run-up to GDPR.
- In a separate online survey of 29 Digiday+ subscribers, 52 percent said their companies held their first GDPR compliance meetings after the start of 2018.
- In a different online poll of 25 Digiday+ subscribers, 40 percent said regulators are most concerned with companies complying with the spirit of GDPR.
Since the early hours of May 25, ad exchanges have seen European ad demand volumes plummet between 25 and 40 percent in some cases, according to sources. Ad tech vendors scrambled to inform clients that they predict steep drops in demand coming through their platforms from Google.
Some U.S. publishers have halted all programmatic ads on their European sites.
After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long time Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent.
The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.
June 7, 2018
After months of speculation about how GDPR will change programmatic, the deadline for compliance has finally come (and gone).
The Media and Marketing Privacy summit, which took place just before the deadline (22 May) made a few final predictions about the how the regulation will affect the buy- and sell-side, how to build a consenting audience, and how programmatic businesses will have to adapt in a GDPR world.
July 2, 2018
Amid the earlier looming specter of its introduction, adtech vendors faced three key issues over gaining opt-in consent from consumers; as third-party companies, they have no direct relationship with a user, and due to the nature of real-time programmatic, do not always know which sites their ads are appearing on.
August 7, 2018
In a May survey of 300 US marketers conducted by Advertiser Perceptions and Trusted Media Brands, 55% of respondents agreed that recent data protection issues make them more inclined to move ad dollars from open exchanges to programmatic guaranteed and private marketplace (PMP) deals.
- The average use of third-party cookies per page across Europe has dropped 22 percent, according to a report from Reuters Institute for the Study of Journalism.
- Only 20 percent of 255 brand marketers recently surveyed by marketing tech vendors Demand Metric and Demand Base are confident that their mar-tech vendors won’t expose them to legal risks if they’re not GDPR compliant.
- Just under 80 percent of 500 decision-making brand marketers across Europe and the U.S. believe GDPR will make targeting audiences using third-party data more difficult, according to research from ad tech firm Sizmek.
- Facebook’s presence across news pages examined by RISJ has dropped from 75 to 70 percent between April and July.
- Two months after the law’s enforcement, more than 1,000 news publishers chose to block European visitors from their sites.
September 11, 2018
On 2nd September, GDPR legislation passed the 100-day mark. You’d be forgiven for missing the occasion; nestled surreptitiously amongst the noise of ‘Back to School’, the first three months of compliance have passed largely without note.
September 12, 2018
Brave, a privacy-focused web browser set up by Silicon Valley engineering guru Brendan Eich, filed privacy complaints in Britain and Ireland against search company Google and other digital advertising firms.
The complaint argues that when a person visits a website, intimate personal data that describe them and what they are doing online is broadcast to tens or hundreds of companies without their knowledge in order to auction and place ads.
December 14, 2018
ExchangeWire have invited hundreds of thought leaders to share their thoughts on what next year will hold, across a range of topics. GDPR hasn’t caused the Armageddon the industry expected, but is it still too early, or are many challenges brought about as a direct result of GDPR being swept under the carpet? Our experts share their views.
January 24, 2019
Once the data leaves their pages, publishers really have no control over what happens to it. So ads.txt and GDPR have had a positive effect on that.
January 25, 2019
Google-owned YouTube is also the target of a GDPR complaint filed by NOYB for “right to access” violations described in GDPR’s Article 15, with a possible maximum penalty that could reach €3.87 Billion according to the NGO, with Amazon, Apple, DAZN, Spotify, SoundCloud, Flimmit, and Netflix also being targeted by GDPR complaints related to the same reasons.
Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian were also subjects of a GDPR complaint filed by user rights group Privacy International because they were collecting the data of millions to create user profiles.
January 27, 2019
EUROPEAN PRIVACY ADVOCATES say the complex bidding process behind online behavioral advertising threatens consumers’ privacy.
New documents filed Monday with regulators in Poland, the UK, and Ireland claim that the way personal data is handled during the process of matching advertisements to ad slots does not comply with the GDPR.
The documents focus on the categories that key players in the ad-tech industry have adopted to instantly match advertisers with appropriate users or content.
January 28, 2019
Panoptykon Foundation filed a new complaint with the Polish Data Protection Authority today, joining the ad auction complaints already being examined in the UK and in Ireland.
New evidence submitted to UK, Ireland, and Polish data Protection Authorities today reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.
January 30, 2019
“As with previous submissions made by Brave et al, we believe that: the complaints are fundamentally misdirected at IAB Europe or the IAB Tech Lab; and they fail to demonstrate any breach of EU data protection law,” the organization said.
March 1, 2019
In its annual report for 2018, the DPC disclosed 15 total GDPR investigations into technology companies in Ireland, seven into Facebook Inc. and Facebook Ireland Limited, two into messaging platform WhatsApp, one into photo-sharing service Instagram, two apiece into Apple and Twitter, and one into LinkedIn.
In 2018, the DPC opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram, looking at issues ranging from large-scale data breaches to legal bases for processing to transparent presentation to users.
A PR agency-backed survey of 2,000 UK consumers showed 83% support for government regulation of Facebook. A clear majority of respondents also believed Facebook was damaging to its users’ mental health, and that fake news was damaging to democracy.
March 8, 2019
Cookie walls that demand a website visitor agrees to their internet browsing being tracked for ad-targeting as the “price” of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified.
The DPA said it has received dozens of complaints from internet users who had had their access to websites blocked after refusing to accept tracking cookies — so it has taken the step of publishing clear guidance on the issue.
April 3, 2019
IAB Europe – the body tasked with setting industry-wide privacy standards – has been hit with another complaint alleging it is violating General Data Protection Regulation (GDPR).
Brave Software, the maker of adblocking web browser Brave, has lodged a complaint with the Irish Data Protection Commissioner over IAB Europe’s ‘cookie wall’.
April 26, 2019
Consent management platforms (CMPs) are ad tech’s response to Europe’s General Data Protection Regulation (GDPR).
These platforms provide tools for collecting user consent for data processing and ad targeting and passing that info to downstream ad partners. CMPs theoretically bring transparency and accountability to the ad supply chain, helping publishers feel confident they are staying above board when displaying programmatic ads.
The only problem is, many CMPs may not actually be GDPR-compliant.
May 2, 2019
The Irish Data Protection Commission (DPC), which is the lead data protection regulator for most multinational tech giants in Europe, has opened a formal probe into Quantcast’s business — adding +1 to the 17 investigations it already had up and running into Facebook, WhatsApp, Instagram, Apple, Twitter and LinkedIn.
The purpose of the inquiry is to establish whether the company’s processing and aggregating of personal data for the purposes of profiling and utilising the profiles generated for targeted advertising is in compliance with the relevant provisions of the GDPR. The GDPR principle of transparency and retention practices will also be examined.
May 20, 2019
It’s a year since Europe’s General Data Protection Regulation (GDPR) came into force and leaky adtech is now facing privacy complaints in four more European Union markets.
The first RTB complaints were filed in the UK and Ireland, last fall, by Dr Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Michael Veale, a data and policy researcher at University College London.
A third complaint went into Poland’s DPA in January, filed by anti-surveillance NGO, the Panoptykon Foundation.
May 21, 2019
Back in November 2018, Privacy International filed a breach of privacy complaint with the European data protection authorities, calling to their attention the practices of 7 major companies (Quantcast, Acxiom, Oracle, Citreo, Tapad, Equifax, Experian) that work together in the online advertising sector in order to build intricate profiles of users.
The privacy breaches concern the way adtech company – Quantcast process and aggregate personal data about users and the fact that the company may not obtain consumer consent properly.
Quantcast, based on your online activity, can make very accurate guesses about your age, gender, income level, and educational level.
May 22, 2019
Mobile app audiences are up by nearly 17% on average compared with a year ago when GDPR took effect. Marketers and publishers are sending more notifications globally, on average 36 per month.
Google is the subject of its first GDPR probe from Ireland’s Data Protection Commissioner (DCP). It’s the first major standoff between the company and its lead privacy regulator in Europe, raising difficult questions about how the ad giant handles personal data across the internet.
The probe will investigate how Google treats personal data at each stage of its ad-tracking system. Those questions originate in part from a complaint filed by the browser company Brave in September, which alleged that Google’s ad auction system constituted a data breach under GDPR rules.
Regulators have numerous investigations ongoing. The Irish data protection authority is pursuing 52 complaints: 11 concern Facebook, WhatsApp and Instagram, three concern Twitter, two for Apple, one for LinkedIn and one for Quantcast. Google still faces a €50 million ($57 million) fine from French regulator CNIL.
May 23, 2019
Location-based tech business GroundTruth has confirmed the closure of its UK presence in the wake of the introduction of GDPR over a year ago in Europe.
May 28, 2019
- Since being enacted in May 2018, the data protection and privacy platform has received 6,624 complaints, according to Ireland’s Data Protection Commission (DPC).
- The GDPR was alerted to 5,818 data-security breaches, while more than 48,000 contacts were received through the DPC’s Information and Assessment Unit.
- Plus, 54 investigations were opened — 35 of which are non-cross-border investigations, and 19 of which are cross-border investigations into multinational technology companies and their compliance with the GDPR.
- A number of these investigations are targeting U.S. tech giants, such as Facebook, Twitter, and LinkedIn, BBC News reports.
- Regulators in Ireland are also investigating whether Google’s real-time bidding platform violates Europe’s privacy laws, officials recently revealed.
- The DPC told the BBC it has launched 19 statutory investigations — 11 of which target Facebook, and its top properties, including WhatsApp and Instagram.
May 31, 2019
June 20, 2019
On June 20, the ICO released a report that specifically focuses on how the ad tech sector should comply with GDPR — an area that would be hard for it to ignore given the multiple privacy complaints made against the use of RTB in programmatic advertising by privacy activists.
September 6, 2019
This new data debate, which fired up the ad tech industry, was sparked Wednesday when ad browser Brave’s chief policy officer, Johnny Ryan, asserted that Google’s consent data architecture could allow partners to sync cookies with unauthorized third-party companies.
September 19, 2019
Speaking at ExchangeWire’s ATS event in London on Sept. 9, the ICO’s head of technology and policy, Ali Shah, encouraged ad tech businesses still relying on a legitimate interest to come forward and engage with the regulator. Shah promised those that do so won’t face financial penalties — as long as they come forward within the next four months.
September 22, 2019
The Data Protection Commission (DPC) is simultaneously investigating Google, Facebook, Twitter and Quantcast for GDPR compliance.
Google’s ad stack broadcasts personal data to multiple parties in the ad-tech ecosystem, with a workaround that runs contrary to its own publicly stated GDPR safeguards, according to Brave, which has submitted its findings to the DPC.
The Irish DPC has launched a statutory investigation into suspected infringement by Google’s RTB [real-time bidding] system.
October 7, 2019
The General Data Protection Regulation (GDPR) and its impact on Real Time Bidding (RTB) in Europe has been a hot topic and will continue to be as the ecosystem evolves under the lens of recently invigorated market regulators.
October 31, 2019
When publishers reduce the number of ad tech, audience measurement and other web technology vendors they work with, Google and Facebook win, according to new academic research examining the unintended consequences of the General Data Protection Regulation (GDPR).
November 20, 2019
The ICO held an “ad tech fact-finding forum” in London in November. It discussed the data protection watchdog’s latest findings since it released a report in June taking the ad tech and real-time bidding marketplace to task on GDPR compliance and giving the industry six months to clean up its act.
This summer the ICO said the industry’s current real-time bidding protocols violate GDPR. At the time, the ICO outlined “key areas of concern” including issues such as companies’ treatment of sensitive, “special category” data and the often substandard contractual agreements to protect how bid-request data is shared between vendors.
December 16, 2019
“Both advertisers and publishers have been hit hard by this, particularly by the privacy settings in web browsers like Safari and Firefox, which have wiped out 40% of third-party cookies. With Google Chrome’s changes to third-party cookies set to be introduced in February 2020, this will only exacerbate the problem.”
“The industry won’t be able to continue in this unaddressable world, something has got to change.”
December 17, 2019
Consumer groups from across the BEUC network  are today urging their data protection authorities to open an investigation into practices by online advertising tech companies and bring them in compliance with the General Data Protection Regulation (GDPR).
Based on a comprehensive report on the matter, the Norwegian consumer organization Forbrukerrådet has filed several GDPR complaints against the dating app Grindr and five online advertising technology companies.
January 17, 2020
The UK’s data protection regulator is braced to do battle with the country’s £13bn online advertising industry, saying it will start investigating individual companies that are in breach of European data protection law and enforcing it against them.
According to the ICO, whenever a person visits a website, their computer can send out personal data including their location, device type, hobbies, previous purchases, gender, inferred race, and financial means to “thousands” of adtech companies.
January 16, 2020
According to a report called “Out of Control: How Consumers Are Exploited by the Online Advertising Industry,” app developers are sharing highly personal information with adtech firms as part of their business model, despite the risk of violating tough privacy rules.
The NCC, a government-funded consumer rights champion, commissioned cyber-security company Mnemonic to perform a technical analysis of the data traffic from 10 popular mobile apps. It found—between them—they were transmitting user data to at least 135 different third parties involved in advertising and/or behavioral profiling.
January 30, 2020
The European Commission’s competition regulator is launching an investigation into Google Inc., this time concerning its data collection practices.
According to Reuters, the commission has sent out questionnaires to companies working with Google, requesting information about the agreements they have in place to share data with the search engine.
February 5, 2020
Ireland’s data regulator has announced new investigations into Google and MTCH Technology Services—the company behind dating app Tinder—over complaints users’ personal data is being misused in violation of the General Data Protection Regulation (GDPR).
The Irish Data Protection Commission now has 23 active investigations into Big Tech firms (out of a total of 63 complaints)—two of which center on Google.
Other firms being probed include Whatsapp, Twitter, Apple, Instagram, and LinkedIn.
March 10, 2020
In November 2018, Privacy International filed complaints against companies operating in the ad space such as Criteo, Quantcast, and Tapad.
Criteo is investigated by French CNIL based on a complaint of processing the Internet’s users data on no lawful basis and breaching GDPR requirements for consent or legitimate interest.
Second version of IAB Europe’s Transparency and Consent Framework (TFC) for GDPR compliance will integrate with Google on June 30, when the previous version of TFC is deprecated.
IAB Europe had around 600 vendors signed up for TCF 1.0. Roughly 300 of those have already registered for the new version, which demonstrates an eagerness among vendors to be seen as compliant by their publisher partners.
Mar 16, 2020
Brave has filed a formal GDPR complaint against Google for infringing the GDPR “purpose limitation” principle. Enforcement would be tantamount to a functional separation of Google’s business.
This morning, Brave filed a formal GDPR complaint against Google for infringing Article 5(1)b of the GDPR, which sets forth the “purpose limitation” principle.
April 27, 2020
Brave, a maker of a pro-privacy browser, has lodged complaints with the European Commission against 27 EU Member States for under resourcing their national data protection watchdogs.
The provider of privacy sensitive adtech is asking the European Union’s executive body to launch an infringement procedure against Member State governments, and even refer them to the bloc’s top court, the European Court of Justice, if necessary.
May 6, 2020
You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.
That’s the unambiguous message from the European Data Protection Board (EDPB), which has published updated guidelines on the rules around online consent to process people’s data.