Following months of anticipation and preparation, GDPR is now in force across Europe, and its impact is being felt globally. Marketers, publishers and tech firms have all raced to ensure they meet the legislation’s strict guidelines, but now the deadline has come and gone, what really is the impact of GDPR? Tim Maytom attempts to find out.

Ever since it was adopted by the European Union way back on 14 April 2016, the General Data Protection Regulation (or GDPR to use its snappier acronym) has been hovering over the head of the marketing world, moving inexorably closer like the asteroid that wiped out the dinosaurs. Some said that it could spell the end of digital marketing as we knew it, while others claimed that barely anything would change. On 25 May 2018, the legislation came into force, and almost four months later, it’s still not entirely clear who was right.

A legal challenge
As the May deadline grew closer, ad-tech operations the world over scrambled into action, and in the weeks leading up to the cut-off date, consumers’ email inboxes began to overflow with emails begging them to remain on marketing lists. Databases were cleansed of old contacts, personal information of dubious provenance was purged from CRM systems, and landing pages were redesigned to comply with the new directives. While there were plenty of technical challenges to contend with in the build-up to GDPR coming into force, the primary challenge for marketers was initially a legal one.

“It took many months to study the issue and prepare for GDPR,” says Gil Becker, CEO of video brand safety solution AnyClip. “In our complex industry and technological ecosystem, nobody should ever feel that they are 100 per cent compliant. We have done our best to meet GDPR but continue to monitor and test ourselves daily to ensure that we are fully compliant.”

Indeed, a whole sub-industry bloomed around the lead-up to GDPR’s deadline, with companies both old and new offering to help guide clients through the complexity of compliance. However, even those who were in charge of ensuring that all of GDPR’s rules were met found that, for such an impactful piece of legislation, there were considerable areas where GDPR wasn’t entirely clear.

“Like the rest of the digital publishing industry, leading up to its implementation, we had to do our due diligence with our legal teams,” says Alexian Chiavegato, vice president of marketing at Marfeel. “GDPR can be quite ambiguous in certain key areas. We had to make a big effort in terms of time with our legal team to ensure that we were compliant and had the technical mechanisms in place for our publishing partners to be compliant on mobile.

That ambiguity is likely to remain for the time being, as privacy activists, legislators, watchdogs and lawyers all weigh up the various challenges that were launched the instant GDPR came into effect. Despite scaling back their ad targeting businesses significantly in the lead-up to GDPR, both Facebook and Google were (coincidentally) hit with lawsuits the same day that the law came into force.

Both the UK’s Information Commisioner’s Office (ICO) and CNIL, the French data protection regulator, have reported seeing a rise in data protection complaints following 25 May, and in Austria, as many filings were made in the first month following GDPR as the Data Protection Authority normally receives in eight months. At least 29 cases are under investigation at the European level, and when judgements (and potentially fines) are made for these, tech firms are likely to be watching like hawks to see the precedents that are set.

“It’s early days and we will collate, analyse and publish official statistics in due course,” says an ICO spokesperson. “But generally, as anticipated, we have seen a rise in personal data breach reports from organisations. Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”

If GDPR is to have a truly lasting and wide-ranging impact, it will doubtless be in a court of law that it is established, but it could take many months or even years before we can accurately judge just how the legislation has changed industry practices. Thankfully, because no company wants to be the first to be taken to court and lose, most firms have already taken plenty of action to protect themselves against GDPR breaches, something that’s already having a tangible effect on the marketing world.

Radioactive data
At its heart, GDPR is concerned with data, and while data impacts every level of digital marketing and beyond, programmatic is the area most directly concerned with consumers’ personal data. Every second, millions of campaigns make calculations about where to serve ads, and to whom. In the wake of GDPR, the data that sat at the centre of programmatic and made it so powerful suddenly became radioactive. Naturally, everyone took a step back to see if it would explode.

In the days following 25 May, several media buyers report clients cutting programmatic spend by anywhere between 20 and 50 per cent. That drastic fall in ad spend has since recovered slightly, although even a month after GDPR came into force, spending on programmatic exchanges was down by as much as 30 per cent, according to some.

The problem with programmatic is two-fold. Firstly, GDPR demands consent, and some publishers, despite having over a year’s worth of notice, still lacked the technology to ensure visitors granted consent to targeted advertising. Secondly, the oft-criticised ‘black boxes’ of ad tech meant that advertisers often had little guarantee that their supply chain was fully GDPR-compliant, and many were sensibly cautious about purchasing ads that could end up costing them millions in fines.

Of course, it was in the interest of the ad tech industry to make sure both publishers and marketers felt confident that their supply chain was beyond reproach, and most major firms doubtless put in the necessary legal and technical work required to ensure data privacy and protection.

“We proactively communicated to clients the changes GDPR was going to impart on mobile digital publishers before it was rolled out,” says Marfeel’s Chiavegato. “This included webinars as well that explained key areas of the legislation, how it might affect them, and what Marfeel was doing on our end to ensure compliance. It has, of course, changed the way digital publishers ask for data in the European economic area. The implicit cookie pop-up was replaced with a CMP that requires explicit consent to be given. The way publishers use data, however, has not changed. Data is still used to provide users with an enhanced, personalised experience and provide the ability to serve relevant ads that keep content free.”

Transparency along the supply chain is one of the industry’s bugbears at the moment, and it’s a concern that GDPR was bound to bring to the fore, but the power of programmatic means that most publishers and marketers were unlikely to stay away for too long. Major publishers saw opt-in consent rates reach around 75 per cent within a few weeks of GDPR coming into force, more than enough to justify advertisers returning to programmatic, but programmatic comes in many flavours, and while ad spending levels may be returning to normal, their pattern has shifted.

“GDPR has actually created an opportunity for the industry to make some much-needed reforms,” says Ed Preedy, managing director for Europe at computer vision and marketing firm GumGum. “It has forced us to develop innovative and more accurate ways of reaching people, and has encouraged greater respect for consumer’s online experiences. This will have a positive impact on the development of future AI tools, which will now be designed with these considerations in mind.

“We feel that GDPR can signal a correction in the priorities of marketers – particularly when it comes to digital display. There has been far too much reliance on audience profiling in the past, which led to lazy targeting.”

Shifting spending
One of the areas most impacted by GDPR is third-party data. Previously, it was a central pillar in the programmatic ecosystem, powering targeting on a scale that individual publishers and brands outside the digital duopoly could never hope for. After GDPR, every piece of third-party data comes with an asterisk, begging the question of where it was gleaned from, and whether the consumer it is connected to has consented to marketing.

If third-party data can no longer be relied on as compliant and safe for use, programmatic spending has to move to other areas, with programmatic guaranteed seeing a spike in interest. This method, where advertisers can use automation to match their first-party data with publisher audience data, but prices and terms are pre-fixed, was initially not as popular as the full-blown programmatic waterfall. Now, advertisers who feel uncertain about dealing with the vast ad-tech lumascape are flocking to it.

A similar shift is happening with contextual targeting, which serves ads based on the page users are looking at, rather than any demographic or behavioural data on the user themselves. Some agencies have shifted their budget away from highly personal audience-based targeting and towards contextual, and publishers have even said that some of the large media agencies have ended all audience-based targeting and are relying entirely on contextual targeting for some campaigns.

“When European users opt out due to GDPR, advertisers cannot store and use their data for any purpose,” says AnyClip’s Becker. “However, when user data is lacking, a good way to get users is by analysing and understanding the content they consume, and contextually targeting the right content.”

“GDPR was a direct response to the annoying, low-quality ads that interfered with the user’s online experiences,” says GumGum’s Preedy. “There should rightly be a swing back towards creating customised, highly creative and contextually relevant advertising in order to restore both marketers’ and consumers’ needs for digital display. Rather than seeing the regulations as a hindrance, marketers should actually see them as an opportunity to enhance their capabilities.”

The move towards contextual targeting is a good one for publishers, who have long championed its strengths in providing effective targeting in a brand safe environment. After YouTube’s brand safety scandals in 2017, publishers pushed harder than ever for advertisers and agencies to adopt the more reliable solution of contextual targeting, but it seems that it is GDPR that has finally made it an essential part of the digital marketer’s arsenal.

As with so much of the digital marketing world, many of these changes are happening outside of Facebook and Google’s digital duopoly. With a wealth of first-party data available to them and a massive advertising operation that most marketers are already heavily invested in, the two giants of internet advertising always seem to set their own rules – but GDPR has forced even them to adjust their practices.

Raising the garden wall
In the wake of GDPR, many marketers who relied on the platforms for ad targeting are reporting issues and difficulties. In April, Google stopped letting buyers export impression files out of its DoubleClick Campaign Manager to their own data management platforms, and Facebook made a similar move in May just before the GDPR deadline, citing a need to protect people’s privacy.

These changes mean that marketers and agencies can no longer track whether an ad has reached someone on Google but not on Facebook and vice versa, as well as complicating the ability to measure if the ads have already been seen elsewhere outside the duopoly. In the face of these difficulties, some marketers have been forced to bring in third-party measurement partners, while others are simply risking bombarding users with the same ads across multiple platforms.

“This evolution is creating issues for marketers and agencies alike,” said one agency executive who preferred to remain anonymous. “Walled gardens want to make their walls taller because it benefits them and protects them against GDPR, but it makes achieving what all brands want to achieve – one view of the customer, one view of the journey, a comprehensive understanding of how effective their marketing is – more challenging.”

In addition, Google has asked publishers and ad tech firms to assume broad liability for any GDPR breaches that might arise from its ad-buying platform. Prior to the GDPR deadline, ad exchanges and supply-side platforms were asked to guarantee that any publishers whose inventory they sell had got consent for each of the almost 200 vendors on Google’s most commonly used vendor list. By signing, the exchanges and SSPs (Supply Side Platforms), as well as the publishers involved, all assume liability for any GDPR violations that Google’s ad-buying platform is charged with.

Without an agreement, exchanges and SSPs are limited to only selling non-personalised advertising through Google’s platform, resulting in less engagement and lower revenues. According to the Wall Street Journal, AppNexus and Teads have struck deals with Google guaranteeing consent, while Reuters has reported that Rubicon Project has also agreed to ensuring broad consent.

At least one ad tech firm, Sovrn, has declined to sign the agreement, saying that “due to the strict requirements around consent in the Google agreement, Sovrn has elected to wait until Google joins the IAB consent framework, which will make it easier for publishers to comply”. Other ad tech executives have called the prospect of getting consent for each of Google’s vendors from every user “impossible”, and say it goes against the spirit of GDPR, which is designed to allow people to withhold consent from individual vendors if they wish.

A new world?
That individual control of personal information and consent was where GDPR began, and by pushing for broad agreements, Google seems intent on forcing the post-GDPR world to fit its existing systems, rather than adapting to the changes. While the search giant may have attempted to insulate itself from the legal ramifications, GDPR doesn’t just exist as a piece of legislation. It’s also as a watershed moment that attempts to give agency back to consumers when it comes to managing their own online life. Given the swirl of controversies surrounding big tech firms, can companies like Google afford to swat aside the desires of users?

“In the wake of events like Cambridge Analytica, data privacy has definitely changed for the average user and become a hot button topic,” says Marfeel’s Chiavegato. “The virtues of GDPR, such as transparency and explicit communication for data usage and processing, are a very positive step and may serve to improve this perception.

“For the average marketer, it changes how they work with their databases of target audiences. But for marketers, data privacy should always be a core principle that is treated ethically and with best practices in mind. GDPR has reinforced that and ensured that a marketer’s target audience continues to want to hear about new products or services with re-opt-ins. Personally, I’ve re-opted-in to all the newsletters that I subscribe to, because they’re relevant to me.”

The idea of an online population that is informed and engaged when it comes to data rights and privacy is a noble goal, but it might be beyond the scope of GDPR or any other piece of legislation. The internet age has been in part defined by the push towards convenience and speed, and the notion that every consumer is slowing down browsing long enough to read each terms and conditions page is ridiculous.

“Many consumers say and believe they care about data privacy but, when push comes to shove, they prefer the convenience of having their data harvested and used for better content, more relevant ads, and an overall better user experience,” says AnyClip’s Becker. “Most marketers are forced now to care much more than they did just several months ago about data privacy. They are in a bind and trying to find quick ways to maintain the precision of user targeting in a world where user data is not as readily available.”

That desire to maintain the same level of targeting and measurement seems to be the resounding sentiment among most marketers. Whether its through switching spending to alternative solutions or shuffling accountability around through a web of agreements, nobody seems keen to accept a step backwards when it comes to the power of digital marketing.

GDPR may have made everyone a little gun-shy, but technology moves fast and the law moves slowly. Until judgements start to be handed down and the scope of GDPR is clarified, the marketing world seems to be treating it as simply another hurdle to jump through with the minimum possible fuss. Whether that’s a wise approach remains to be seen. For now, the ad tech world is watching to see who is first to be hit with a sizeable fine for non-compliance and just how big a fine it is.

This article first appeared in the September 2018 print edition of Mobile Marketing. You can read the whole issue here.