GDPR one year on – has anything changed?

David Murphy

GDPR came into force one year ago tomorrow. David Murphy looks at the impact it has had on the ad tech business. 

Tomorrow marks the first anniversary of the implementation of GDPR in the EU. The lead up to GDPR saw companies in all sectors scrambling to prove they were compliant with the new rules, with the UK regulator, the ICO (Information Commissioner’s Office) coming in for criticism for a lack of guidance on exactly how to achieve compliance. Meanwhile, the lawyers had never been so busy, as companies sought to ensure that their Privacy Policies and data processing procedures were legally watertight.

But of all the industries that stood to be impacted by GDPR, ad tech was arguably close to the top of the list, with many companies in the space relying on collecting, storing and using consumer data to target consumers through advertising.

Gruesome task
So 12 months on, how hard has the ad tech business really been hit by GDPR? Erik Tammenurm, CEO at NEXD, believes the biggest impact has been on reach and using external ad servers, data providers and data collectors. He says: “With GDPR, ad networks and DSPs (Demand Side Platforms) had to start keeping an eye on what their vendors were up to. This was a gruesome task that still hasn't been worked out. In July 2018, Google decided that they will not participate in the IAB's regulatory framework and they will instead certify vendors themselves, resulting in even more confusion. More broadly, I feel ad tech startups have been hugely impacted.

“GDPR's main consequence is that most startup vendors will not be able to meet the regulations on their infrastructure or be able to pay for all the certifications that are needed. Historically, innovation has been slow in ad tech, and I feel the squeeze on ad tech startups will only worsen that.

"In short, ad tech saw cost for valued impressions (targeted/viewable) increase by about 30% and the business logic for many vendors had to change in a massive way. I believe the best example we had was how Kargo, one of the biggest video ad networks, didn’t want to lose their minds trying to comply and simply handed their GDPR-impacted business to SublimeSkinz. All GDPR impacts could have been foreseen two years prior, but everyone kind of stood around, scratching their heads.”

But Prash Naidu, founder & CEO of Rezonence, questions whether, other than putting privacy at the forefront of a lot more conversations, GDPR has really had much of an impact. “The media sector, and ad-tech in particular, consistently pay homage to GDPR in conversations and official documentation,” he says. “However, apart from consent popups on publisher sites, very little has actually changed from an operational point of view. Users are still added to thousands of segments without their consent and continue to be re-targeted, again without gaining their consent. Until the ICO rules on whether this is legal or not and issues fines, marketers will continue with the status quo.”

And Richard Bird, chief customer information officer at Ping Identity, says very little has changed in the US since the introduction of GDPR. “Rather than seriously addressing the issues of customer privacy and consumer protection, US businesses slapped a message box onto their sites asking users to ‘accept’ or consent to those terms and called it a day,” he says. “In their defence, the US government walked away from the discussion around data privacy, leaving a vacuum of leadership and standards definition. This lack of leadership has resulted in confusion, frustration and very little guidance for companies to successfully craft true consumer protection.

“However, the pendulum is getting ready to swing not just in the direction of dramatic changes in company behaviour related to data privacy, but toward consumer demands. It is time for us to hold companies accountable for protecting their customers’ digital identities as well as their data. Only when we tightly couple the data that GDPR, CCPA [more on that later] and other regulations say ‘belong to the customer’ with the customer's actual identity, will we begin to see any improvements in consumer protection and security.”

Certinaly, when it comes to the large fines comoanies were worried out under GDPR, these have been noteable largely by their absence, save for the €50m (£44.2m) fine handed out to Google in January by the French regulator, CNIL, for failing to provide transparent and easily accessible information on its data consent policies.

Aaron McKee, CTO at Blis, believes the industry is still getting to grips with GDPR. He says: “There are different interpretations of the regulation, and companies struggle to be on the same page. And due to a significant change happening in a short period of time, many companies have been unable to integrate consent management platforms in a way that users are comfortable with. Companies are failing because they don’t know how to work in this new world.

"This is how GDPR can be seen as an opportunity to gain a competitive advantage. Competitors are leaving because they don’t have this advantage, as they have not taken things seriously. For instance, there are only two or three location data specialists left in the UK now. As various versions of GDPR start to emerge all over the world in the years to follow, GDPR savviness will be valuable both to enter new markets as well as to better compete in existing markets. Companies which have responded well to GDPR will be well poised to take market share over those that haven’t.”

Business models
As McKee and Temmenurm note, GDPR has caused some companies in the ad tech space to fundamentally re-assess how they conduct their business and whether, under GDPR, they could legally continue to do so.

“Data privacy regulation has definitely changed the industry,” says Adam Schenkel, VP of programmatic at GumGum. “Just look at a company like Criteo, which was built around web-based retargeting, but which has increasingly pivoted its focus to email advertising and in-app. Kargo and Drawbridge simply stopped doing business in the UK. And now we're seeing a lot of other companies begin to reposition their identities vis-a-vis data privacy, essentially starting to shrink away from it.”

And Guy Flechter, chief information security officer at AppsFlyer, believes many more changes will be seen as the regulators start to increase their enforcement actions. “One of the main challenges for the ad tech industry is around consent requirements,” says Flechter. “If implied consent was once acceptable, we know that is no longer the case. This has forced some companies to build consent management mechanisms into their products and others to look for other suitable solutions. As the regulators continue to demand compliance with basic principles such as transparency and lawfulness, we believe this will force additional changes in how the ad tech industry works. We have already seen some significant decisions in the space with Vectuary, Singlespot, Teemo and even Google.”

The new oil
Data has often been called the new oil. The more data you have on a consumer, so the argument goes, the more you can target them with offers for things they should be interested in, so that advertising, rather than being intrusive, becomes useful and relevant to them. At its core, GDPR pulls the data targeting rug from under the digital marketer’s feet, so what impact has it had on this aspect of the ad tech business specifically? Once again, opinions differ. NEXD’s Temmenurm says: “We saw a huge closing and M&A at the start of last year in the face of data collectors and verifiers. Almost everyone who did not get acquired and relied on the EU market had to shut their doors. The age of independent DMPs (Data Management Platforms) is over for sure.”

Edward Wale, MD UK & Spain at SpotX, agrees that data-driven advertising has, inevitably, felt the GDPR pinch. “The steps taken by European legislators are setting a precedent in some major global markets for the creation of a more privacy-conscious, transparent online community. Businesses are re-evaluating their ad tech partnerships and whittling these down to a more streamlined set of trusted partners, which is positive. Collaboration will be more important than ever as the industry embraces new iterations and advances in the frameworks we use to manage data and privacy."

But Resonence’s Naidu is more sceptical about the impact of GDPR on the trading of consumer data. “This is THE industry that GDPR was intended to regulate,” he says. “If you look at what can be bought and sold on data exchanges before and after GDPR came to into effect, very little has changed. One might have expected whole swathes of data to have become unavailable or unique user counts to dramatically drop; neither has happened. Apple’s ITP (Intelligent Tracking Prevention) is driving more conversations around data today that GDPR. This is because ITP is having an impact today, whereas GDPR’s impact is currently more theoretical than actual, at least till the ICO starts issuing fines.”

And some, like Stephen Upstone, CEO of LoopMe, argue that the days of data-driven targeting are far from over, as long as the consumer understands the value exchange. He says: “After a year of GDPR, mobile marketers who have embraced transparent data use are beginning to reap the benefits. Mobile first-party data is a goldmine for marketers, and with GDPR requiring advertisers to get full buy-in and consent from their target, mobile data is more valuable than ever. Advertisers are now providing collaborative and higher quality campaigns which get results and build trust with consumers who are prepared to trade their data for better mobile experiences."

Offer Yehudai, president of Fyber, agrees that GDPR has been a force for good in obliging the ad tech industry to change the way it operates. He says: “For advertisers, while the quantity of data sets have diminished, because of the obligatory opt-in, the data that is shared is more accurate and valuable and is from users who, perhaps, are more receptive to receive ads. The regulation has massively helped to increase transparency and control among consumers about who and how their personal data is being used. And, of course, users enjoying a better experience is more beneficial for publishers overall.”

Contextual targeting
Upstone and Yehudai may have a point, but equally, companies in possession of the sort of fully opted-in, consented data they refer to may be in the minority. For most, whether it’s down to GDPR, Apple, or other legislation – more on that later – marketers’ ability to use data to target consumer is under threat. So if data is not the answer what is? Some would argue that if data is the new oil, context is the new, new oil. Contextual targeting relies on targeting a consumer with advertising based on what he or she is doing, the environment they are in. On a simple level, someone reading theatre reviews on a newspaper website would be targeted with an ad for the premiere of a new play, because the bit of the website they are on implies an interest in the theatre.

“Advertising practices such as behavioural and demographic targeting which have been the cow milk of the programmatic industry have been facing challenging times. But contextual targeting doesn’t rely on audience data and is therefore not as directly affected by GDPR,” says Samir Addamine, founder and chairman of  FollowAnalytics. “This type of advertising became more popular within advertising strategies by the fact it creates ad experiences more relevant to the content consumers are actively engaged with, being able to combine better text and visual analysis. Contextual marketing is getting lots of interest from marketers who have been forced to reconsider their email and mobile campaigns.”

GumGum's Adam Schenkel also believes that the focus on consumer rights and data privacy suggests a bright future for contextual targeting. He says: “Now that Apple's focus on privacy has forced Google to start embracing a similar stance, it seems pretty clear that the coffin is closing on the cookie. With Apple and Google getting serious about data privacy, the GDPR, the CCPA, or whatever other privacy regulations come down are not going to matter much. Behavioural targeting simply doesn't have a place in the future. That's good for everyone online and it's good for companies like GumGum that specialize in contextual targeting, because how do you find audiences anonymously online? You place ads in contexts where the audiences are. Contextual targeting was the lifeblood of advertising for a century and now it's poised to become lifeblood of advertising's future.”

California not dreaming
While GDPR has hogged the headlines over the past couple of years – arguably more so in the year leading up to its implementation than in the year since – it’s not the only move by regulators to encourage digital marketers to put their house in order. Regulators around the world are watching how GDPR plays out with interest and making their own moves to protect their citizens, none more so than in the US state of California, where the California Consumer Privacy Act (CCPA), came into force in June last year. It seeks to give residents of the state the right to know what personal data is being collected about them; to access this date; to know whether their personal data is sold or disclosed and to whom; and to block the sale of their personal data.

“There is a lot of overlap between regulations from California and GDPR,” says Kara Alvarez, VP product management at Yes Marketing. “The impact marketers will see may depend on the final nuances of those regulations and how widely the marketer applied GDPR principles within their organization. Each new regulation presents a need to fine-tune or change previous practices which will not be as simple as having an opt-out process that is developed and largely forgotten. Data privacy initiatives will have to become a regular part of marketers’ processes.”

Dave Swarthout, chief legal officer at Monetate, says that CCPA’s major impact to date is that it has US companies thinking about data privacy for the first time, but, he adds, its likely impact is far from clear.

“Unfortunately, so much of the law is still being defined,” says Swarthout. “The California Assembly still has at least eight bills being discussed that will affect how the CCPA will be interpreted (including changes to the definition of “personal information”). Having already prepared for GDPR in May 2018, Monetate already has many processes in place that can be leveraged for CCPA compliance, thus as a business we feel comfortable waiting to see what the law looks like in its final form and what that means for our clients (and their customers).

“We are taking a similar approach to the ePrivacy Regulation; however, that Regulation has been around much, much longer than the CCPA. We started tracking the progress on this Regulation in 2017, back when the thought was it would be enacted simultaneously with GDPR in May 2018. We are still waiting... . In the interim, the draft Regulation has changed a number of times and so you cannot spend a significant amount of time preparing for its passage because each iteration of the Regulation moves the compliance goal posts. It will also likely continue to change after European Parliamentary elections later this year. So adoption is highly unlikely before 2020 (and the current draft of the Regulation states that it will not go into effect until 2 years after it has been adopted  - 2022!).”

And FollowAnalytics’ Addamine notes that there may be more new laws coming down the line to keep digital marketers on their toes. He says: “Europe is working on a coming regulation regarding how people pay for their purchases online, which could have big consequences for companies. Similar to how GDPR impacted handling personal data, Strong Customer Authentication (or SCA) will have implications for how businesses handle online transactions, requiring an extra layer of authentication for online payments. It might inspire some laws to be introduced in the US.”

However GDPR, CCPA, SCA et al play out, some in the industry believe a global approach is needed. “There needs to be a global rule, not Canada, California, the EU, etc.” says “Randy Apuzzo, CEO and CTO at Zesty.io. “Each government entity is chasing fines to protect their people, but really, to collect their new form of parking tickets. This should be a centralized entity that uses fine donations to support workers in the organizations and give back the excess to improving the internet.”

Mike Herrick, SVP of technology at Airship, agrees. He says: “Each new state-level bill and piece of international legislation that has been introduced over the past year shows just how little control there is over customer data. What we need, more than anything else, is a semblance of regulatory uniformity because it makes very little economic sense to have different policies for different countries.”

The post-GDPR world
So what does the future look like for ad tech and digital marketing in the post-GDPR world? “The importance of data practice hygiene is only growing,” says Monetate’s Swarthout. “GDPR got many people’s attention, and incidents like the Cambridge Analytica-Facebook disclosure really accelerated the consumer rights drive in the US as it relates to PII. There are currently at least 12 new privacy-related state laws in the US being debated. This does not count the recent data privacy law that was being considered in the State of Washington that was modelled significantly off of GDPR, but did not come up for a vote before the legislative session ended. Similar attention to data privacy laws are being seen throughout the world.

“With the privacy spotlight shining in the US, we are now seeing more clients focusing on the privacy-related components of the products they are purchasing and the privacy practices of the vendors they are using. This will only continue to grow. The onus is on vendors to evidence to prospective customers that they are not only great business partners, but also trustworthy compliance partners.”

NEXD’s Tammenurm would like to see more accountability. “We still have a long way to go to make data collection and processing transparent,” he says. “I believe the industry has taken the right approach. The main things that I want to see is that our data collectors do not entertain the idea that they are able to profile the users by ads only. That they don't see the only way to retarget effectively is by tracking the user everywhere. And that, ultimately, we all take more responsibility and accountability over the data we are kindly processing on the users' behalf. More people in our industry should be asking themselves: ‘Can I use this data right now?’. If the answer is no, don’t collect it.”

Yes Marketing’s Alvarez cautions marketers not to set too much store by GDPR, CCPA and other regulations to follow. “New regulations will continue to be created, but it remains unclear when we will see a truly meaningful change,” she says. “There is a surprising amount of confusion about how data is used within the tech community itself with endless vendors coming onto the scene. This confusion plays into the hands of those that want to continue to use data without burdensome restrictions, therefore there’s no real incentive to make things clearer.

“For example, telephone fines and regulation have been in place for a long time, yet most people still get targeted with undesired calls. Given that this is merely a single piece of data to control, the idea that any one regulation, or even a combination of regulations, can stop unintended use of much broader set of data is hard to fathom. It will, however, continue to be a never-ending game of cat and mouse in order to provide some measure of protection.”

Mike Shaw, vice president, international at dataxu, believes the key to success in a post-GDPR world is transparency. “GDPR brought critical questions surrounding consumer trust, ethical behaviour, and digital transparency to the fore,” he says. “Reflecting on the year gone by, it is great to see just how much the ad tech industry combined its efforts and collaborated to push towards a more transparent digital future. We must ensure we carry on in this vein and keep our priorities consumer-focused, and there remains significant room for improvement. Our latest research conducted with London-based Sapio Research revealed that only half of consumers in the UK understand what GDPR actually means. Clearly, it is critical for businesses to provide their consumers with sufficient education on how their data is used because only then can we be confident that our efforts towards transparency are meeting their core objective.”

And Rezonence’s Naidu will strike a chord with many when he says that, whatever the legislators throw at the industry, there are reasons to remain positive. “If there’s one industry that is capable of rapid change, it’s ad tech,” says Naidu. “Even if a variety of technologies and vendors come under pressure due to GDPR, I believe alternative solutions will arise that will ensure that advertisers will still be able to put rich and varied digital ads in front of the right audience in a GDPR compliant manner.”

In an industry that, for as long as I’ve been covering it, has been characterised by pivots and the notion of survival of the nimblest, you could argue that never a truer word was said.

GDPR Explained - Watch the Video