5 things we learned about GDPR in 2018

Here are five things we learned about GDPR in 2018.

It highlighted Google’s power
If the law was partly an attempt by the EU to reduce the power of Facebook and Google, we can safely chalk that up to a hard fail. Google’s relationship with major publishers became deeply fraught in the weeks around the law’s arrival. The tech giant’s failure to inform publishers (and media buyers) of its own strict interpretation of the law until the ninth hour caused massive issues that reverberated across the whole digital ad ecosystem. Unsurprisingly, volumes on AdX surged in the few days after May 25, while other ad tech vendors saw their volumes drop hard, according to ad tech and agency executives.

Google has battled anti-competitive charges in Brussels for years and won’t want to attract unwanted attention from regulators on whether its GDPR compliance strategy is working to its own commercial advantage. But its large logged-in user base naturally gives it an advantage that publishers don’t have on their own (hence so many GDPR alliances). Google has so far gone its own route with GDPR, but there are signs of more cooperation with the rest of the industry. Regardless, any change Google makes to its GDPR strategy will have ramifications for everyone else.

Trust between partners will take time to repair
Procrastination was the only common pattern of behavior in the media industry when it came to preparation for GDPR. During the last-minute scramble to get ready, swathes of businesses tried to hoist the burden of liability onto any partner in their digital ad supply chain who’d willingly sign — or bow to pressure to sign — updated contracts.

Clients wanted agencies to assume risks, while agencies insisted publishers assume them. Publishers then did the same to tech vendors in one giant game of hot potato. Meanwhile, publishers felt pressured by Group M, Publicis and Google, who they claimed used their size to push their own agendas. Google’s lack of consideration for publishers and other vendors when it came to forewarning them of its plans has also caused deep skepticism of its motives.

Discussions around the adoption of the Interactive Advertising Bureau Europe’s attempt at creating an industry standard, albeit a far-from-perfect one, has become an exercise in publishers and ad tech vendors relearning to trust each other.

Regulators are just getting started
Regulators were pretty quiet for the first six months after the law’s arrival. Then there came a flurry of fines and warnings. The ICO issued heavy penalties to companies including Facebook, which received warning of a £500,000 ($661,000) fine for its part in the Cambridge Analytica scandal. Uber also got slapped with a £385,000 ($485,000) fine for failing to protect customer data during a cyber attack. Both were fines that predated GDPR, however, and so were under the more lenient fining conditions of the Data Protection Act. Next year, that won’t be the case.

French data protection authority CNIL has come down hard on location ad tech vendors, issuing public warnings to ad tech vendors Fidzup, Teemo and, in November, Vectaury, which attracted a lot of attention. Although fines weren’t issued, the orders given to companies like Vectaury to get compliant could spell the end of some current ad tech business models.

“Assumed-consent” strategies are popular but risky
There’s a reason gaining GDPR consent has been described by some in ad tech as “a wobbly wagon.” The lack of standardization of consent management systems — which collect and store information on which users have given consent to be served personalized ads — has resulted in a messy online experience for people in Europe. And some publishers are uncertain they’re seeing the right opt-in rates due to CMP glitches. Those that are boasting super high opt-in rates of above 80 percent, are likely not doing much by way of compliance, according to ad tech sources. A common approach has been one of assumed consent, meaning that if a user continues to click through to articles after being notified, that’s a signal that consent has been given. But that’s a route regulators may not look kindly on.

“It’s hard to say how big an impact GDPR has been on monetization for publishers because the very large majority have not been doing things compliantly since the start,” said an ad tech executive who requested anonymity due to having a lot of publisher clients. That said, until regulators show their cards, most publishers will take the path of least resistance.

Good news for U.S. publishers in Europe
In November, U.K. regulator the ICO reprimanded the Washington Post’s approach to gathering consent, through which it offers a paid premium subscription in return for no ads and no tracking. The only free option requires the reader to give consent to be tracked in return for access to a selection of articles. The ICO ruled that this approach was in breach of GDPR. However, what was notable was the ICO’s watery delivery of the warning and lack of follow-through. The ICO stated that it had written to the Washington Post and told the publisher that its current approach isn’t compliant but stated merely that it “hoped” its warning would be heeded.

That could bode well for other U.S. publishers, such as the Los Angeles Times and the Chicago Tribune, which have closed their sites in Europe.