GDPR: Where are we now?

The team from Nexd looks at how GDPR has changed the industry almost a year on from its implementation

It’s pretty much impossible to talk about 2018 without bringing up GDPR. Introduced in May, the General Data Protection Regulation expanded on existing regulations, with the intention of giving EU-based consumers more control over how their data is handled and managed.

In the run-up to May, the whole digital advertising industry felt like it was going through some sort of Y2K moment.

Or maybe it was like the seven stages of grief?

First came the shock and denial (‘No, there’s no way this is going to impact us, right?’). Then it moved onto pain and guilt (‘Have we really been doing something wrong all along?’). Next up, anger and bargaining (‘No, we’re not doing anything wrong, it’s the EU’s fault. But maybe we can keep doing a little bit if we do it differently?’).

Then came depression (‘Shut it all down, what’s the point anyway?’).

After this we kind of reach the position we’re in at the moment: the upward turn.

Starting with reconstruction, where we have an industry that is trying to work through these new regulations. Finally, there is acceptance and hope.

And this part is crucial because what it all comes down to is that these regulations aren’t going away and they were introduced to make not just the advertising industry more accountable, but anyone who handles consumer data.

And this is the key point here. Again and again, we hear about lazy security implementation resulting in mountains of private data falling into the wrong hands. We’ve almost started to tune it out. But there are often real consequences every time this happens.

We can’t all have the level of security Santa Claus has for his naughty and nice list (I have it on good authority that he definitely doesn’t keep his passwords in his desk drawer), but we can all do a little bit more to keep our customers’ data secure.

But let’s bring things back to our industry for a moment: advertising technology.

In many respects, GDPR has had a very real impact on how things should be done, particularly when it comes to consumer tracking in the programmatic space.

Why was everyone collecting so much data about users in the first place? Surely we know that the majority of DMPs (data management platforms) were not able to draw 100 per cent correct conclusions from all of that user data anyway. Did we just let them play around with our privacy and test it as they wanted? Bob Hoffman summed it up well in an article: “The ‘metrics’ you get from social networks, the ‘data’ you get from consultants and the reports you get from your agency are all unreliable at best and bullshit at worst”.

If we look at the USA Today example, you can see how far the advertising industry has taken the whole tracking world:

Courtesy of Paul Calvano

Scary, right? Who has control over what you are reading, and who actually ‘knows’ you? GDPR came to solve the issue of obtaining users’ data without any reason, and we should be happy about that.

How is the industry regulating this when programmatic is supposed to be open, you ask? This comes down to a heavy consensus system that is managed by, for example, the IAB’s published TCF (Transparency & Consent Framework). All vendors have to certify themselves with the IAB and state what kind of data they are using and what the user has to consent to. Minimal tracking means bigger reach.

Users now have the full ability to choose which vendors can use their data and which data those vendors can use.

Image from TechCrunch Cookie Policy

This has now resulted in a lot of platforms not achieving the reach they did before, because platforms are rejecting their content. Rich media that is notorious for having massive tracking capabilities to enable Dynamic Creative Optimisation, or that is just outright hungry to know who you are and why you are or aren’t interacting with the content presented to you, is blocked.

But you thought this was limited to Europe? Think again, because there’s the CCPA, or the ‘GDPR of United States’. Hence there’s a lot to learn from Europe’s experience. For your information, the California Consumer Privacy Act will take effect on 1 January 2020.

The CCPA is said to be modelled on the GDPR. And, with the recent passage of the CCPA, we should already be talking about this and taking action. Both regulations (CCPA & GDPR) give individuals certain rights over how their personal information is collected and used, which means that from then on businesses have to be more transparent. Companies have to give consumers the ability to delete and download their data or opt out of the sale of their information. However, there are several important contrasts to be aware of.

This time companies have to spend a lot of money again to create complex tools that will help them identify the data they collect, organise it and give consumers the opportunity to delete it. So, you’d better start saving now, because California’s new law could impose penalties of up to $7,500 per infraction on businesses that fail to comply. A potentially malicious data collection can result in a $7.5bn fine for 1m users. Wouldn’t want that to happen to your company, right?

According to the text of the consumer privacy act, which is also known as AB-375, the law gives Californians the right to:

  1. Know what personal information is being collected about them.
  2. Know whether their personal information is sold or disclosed and to whom.
  3. Say no to the sale of personal information.
  4. Access their personal information.
  5. Equal service and price, even if they exercise their privacy rights.

Do you feel that one of these descriptions fits your company? If yes, you are in for a lot of work:

  • Businesses with annual gross revenues of at least $25m
  • Data brokers and other businesses that buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices
  • Businesses that get the majority of their annual revenue from selling consumers’ personal information

Why does California’s new law matter for everyone else? For now, it seems to be a new hot trend pushing companies toward greater accountability with regard to protecting consumer data, since almost every state or country wants to have its own laws, you know, just to be original. For example, Hawaii, Massachusetts and Washington are all considering their own laws, while Brazil has already passed its own regulations that will take effect in 2020. Seems like it’s going to be a hell of a year.

We are looking to have an open discussion about this. Reach out to us at and share your ideas or concerns. We would be happy to chat.