It’s been one year since the General Data Protection Regulation (GDPR) became enforceable, and marketers are still anxious about data regulation. Government regulation is the top obstacle threatening marketers’ data projects this year, according to a survey of US marketers that Winterberry Group and the Interactive Advertising Bureau (IAB) published in March.
The GDPR states that a user’s data can be used only if that individual gives a company explicit permission. Companies found to be in violation of GDPR face a fine of €20 million ($22.3 million) or 4% of global revenues (whichever is greater).
Big fines under the law have been rare so far. French regulators fined Google €50 million ($59 million) for GDPR violations; however, most GDPR warnings have been issued to smaller companies. But that could change, given that GDPR's effect on the ad industry is just beginning to be realized. In May, it was announced that EU regulators were investigating Quantcast and Google for possible GDPR infractions.
“Enforcement has not been looking to decimate companies, but instead to identify violations, provide clarity, and help the industry move towards compliance,” said Eric Berry, CEO of programmatic native ad company TripleLift.
While there have been few big fines so far, the regulation has still has affected the ad industry. It nudged programmatic advertisers to shift spend from open exchange to private marketplace; prodded advertisers to use less third-party data for ad targeting; contributed to an increased adoption of consent management platforms (CMPs); led publishers to hire data protection officers and shut off open exchanges; drove EU publishers to purge ad trackers; drove US publishers to block European traffic and cut off EU ad exchanges; and led marketing tech vendors to pull out of Europe out of concern over being fined.
GDPR is an EU law, but US advertisers will have to contend with domestic legislation soon. The California Consumer Privacy Act is set to take effect in 2020. Lawmakers in various other states, including Washington, New Jersey and Colorado, have proposed their own data regulations. The proposals are coming at time when big tech firms are perpetually in the news for abusing people’s data. The chief reason public opinion is turning against the tech industry is the misuse of personal data, according to a poll of internet users worldwide by Dentsu Aegis Network and Oxford Economics.
In recent months, ad industry trade groups have protested the state-by-state approach and advocated national privacy regulations, hoping to avoid a patchwork of different rules. Previously, industry groups said the digital advertising industry should regulate itself, but they’ve changed their approach as legislation looks increasingly inevitable.
We asked some ad tech industry insiders how GDPR has affected their industry during its first year.
Ameet Shah, vice president of global tech and data strategy, Prohaska Consulting: Overall, we were expecting GDPR to have a more meaningful impact. There have been a few claims filed, though litigation is pending, and the conversations around GDPR have minimized. That being said, part of this is due to the significant attention that it received in advance of launch. Publishers had adequate time to determine how they were going to respond.
Tal Chalozin, CTO, Innovid: An area that we think will be the next one to evolve is consent gathering and management. There is movement in the space by the emergence of CMPs, but we think the usage of consent in the full advertising workflow is still in its early days.
Jack Carvel, general counsel, Qubit: GDPR has been great for raising awareness about the rights of individuals and giving citizens control of their data. This has made a huge impact on the way companies operate, including forcing companies to understand where they are getting their data from and what parties they are sharing the data with. The scrutiny has improved tremendously, I'd give it an eight on a scale of 10.
Nick Cuniffe, vice president of product management, SpotX: We’ve seen major positive overhauls in our industry and with consumers around data minimization, awareness and security. On the other hand, we are still far away from an industry-adopted solution for communicating legal bases throughout our supply chain.
Daniel Jaye, CEO, aqfer: The largest effect has been the reduction of audience-targeted delivery and the exit of some ad tech firms from the EU market. Operationally, the biggest impact to the overall ecosystem has been the move by large players like Google to redact unique identifiers and many other useful attributes from reporting and data feeds.
Ben Feldman, senior vice president of strategy and innovation, NYIAX: What is important to recognize is that the EU is taking GDPR very seriously, with fines being established for any breach. I would expect that the first six-to-nine months of any new regulation action would be spent working out the kinks and processes of implementation. It is quite likely that we will see more fines in the coming months.
Check back for our July 2019 report that will look at how GDPR and other privacy initiatives are changing the digital marketing landscape. The report will be available to eMarketer PRO subscribers.
Not sure if your company subscribes? You can find out here.