How will GDPR affect the programmatic advertising industry?

Maya Youdovski

As a response to the massive shift in the regulatory landscape, ad-tech companies are quietly updating terms and rolling out new personal data tools as the deadline for GDPR compliance is near.

So what is GDPR?

The General Data Protection Regulation (or GDPR), is a regulation in EU law on data protection and privacy for all European Union residents. In theory, the GDPR only applies to EU citizens’ data, but the globalization of the internet means that it will have a far-reaching effect on the entire ad-tech supply chain, with companies already scrambling to adapt.

GDPR and the ad-tech industry

When it comes to the ad-tech industry, data collection and data sharing practices are obscure due to the lack of restrictions. GDPR will necessitate rewriting the rules of how ads are targeted online, creating a serious challenge for advertising technology companies, on two main aspects:
1. Explicit consent – GDPR sets a higher privacy standard for obtaining personal data than we’ve ever witnessed before. By default, a company will be able to collect personal data for EU citizens, only if they actively opted-in and are aware that said data is being collected. Brands, publishers and everyone in between looking to collect data will have to ensure they are clear about how the data will be used.
2. The carrot and the stick – the severity of GDPR’s penalties is another indication to how serious the EU is taking data privacy. Maximum fines are set at 4 percent of a company’s global annual revenue of the prior financial year or $20 million, whichever is larger.

In its essence GDPR is meant to empower users and give them the ability to control what data they are willing to share. GDPR is not a groundbreaking privacy policy, but rather comes at a time when there is a major shift in user’s tolerance for companies misusing their data for profit.

From Facebook and Cambridge Analytica’s latest privacy scandals to the growing demand for transparency, privacy is put in the spotlight. GDPR’s high penalties have gotten the entire industry buzzing, forcing us to re-examine how a user’s personal information is used along the supply chain.

Protecting from liability risks

Adhering to the GDPR regulations has a direct impact on companies who come in direct contact with the user. Publishers will have to ensure that the data obtained from the users under the GDPR will have all the necessary consent data. IAB’s openRTB latest solution is one example, giving publishers the option to embed said consent data in their inventory. Meaning that since much of programmatic and other advertising optimization practices rely on customer data (such as retargeting, cookie matching, mobile ID targeting, frequency capping, etc) inventory is likely to become more valuable (AdExchanger, 2018).

On the other hand, the impact on advertisers, networks and other vendors in between is less than it is set out to be. It will require a more bureaucratic solution, making sure all agreements with third parties clarify that a user’s data holds explicit consent, ensuring no foul play that can taint and put the company at liability risk.

In summary, all parties will have to establish explicit consent, so that information not approved for public use will not flow down the transaction stream. However, with the familiar complexity of the ad-tech ecosystem, that can become tricky. This new standard will challenge data processes as we go down the supply chain.

Companies are already working vigorously to prepare and find their way to co-exist alongside the new regulations. Although it seems that publishers have the upper hand as they have opportunity to win back control over their inventory, it’s likely that GDPR will have an undeniable affect, jeopardizing many common advertising practices. To survive, other industry players will have to find a way to remain in the game without compromising transparency and compliance to new privacy processes.