Digiday Research: 18 percent of European publishers are ready for GDPR

federal privacy law

This research is based on unique data collected from our proprietary audience of publisher, agency, brand and tech insiders. It’s available to Digiday+ members. More from the series →

At the Digiday Publishing Summit Europe in October, we sat down with 35 industry leaders from across the continent and drilled down into two hot topics, ePrivacy and the General Data Protection Regulation. We asked their feedback on and expectations for the coming changes. Check out our earlier research on the state of agencies here. You can also learn more about our upcoming events here.

This report does not seek to outline every upcoming policy and procedural change. It merely reflects the opinions of industry veterans — from publishers headquartered in and out of Europe — undergoing this profound change.

Top findings:

  • Only 18 percent of publisher respondents said their companies have already prepared for the GDPR.
  • The majority of publishers that were not GDPR-compliant were Europe-based as opposed to U.S.-based.
  • Fifty-six percent said they expect the GDPR to have a very serious or extremely serious impact on their company.
  • Forty-three percent think the GDPR would equally affect all companies, publishers, platforms and ad tech vendors.
  • Forty percent said losing audience data is their biggest GDPR concern.
  • Thirty-three percent said negotiating with browsers for access to consumer data is the greatest challenge the ePrivacy Regulation poses.
  • Only 6 percent believe ePrivacy doesn’t give too much power to browsers.

On May 25, 2018, enforcement will begin for the European Union’s General Data Protection Regulation. Under the GDPR, a host of new standards will take effect, particularly pertaining to new data collection procedures, establishing strict standards for what information users allow websites to collect from them and how that data may be used. The transfer of control over data ownership back to consumers represents a fundamental shift for the digital media world. Publishers, platforms, ad tech vendors, brands and agencies have long built businesses off the ability to extract information, identify and advertise to online users.

The ePrivacy Regulation, also known as “the cookie law,” is passing through the European Parliament. Although not as far-reaching as the GDPR in scope, ePrivacy could still drastically effect the digital advertising ecosystem. ePrivacy will force publishers to obtain clear consent from consumers to deploy cookies. These cookies, which play a critical part in online advertising, form the bedrock of ad retargeting and A/B testing capabilities.

Most publishers have a plan for GDPR
The prevailing sentiment is that most publishers are unprepared for the GDPR. However, according to Digiday’s findings, over three-quarters of publishers have developed — and in some cases, implemented — a strategy to become GDPR-compliant.

The GDPR isn’t an exclusively European issue. The GDPR affects any company servicing or collecting information on citizens in the EU. Due to their perceived lack of education about the regulations, publishers unequipped for GDPR implementation are often assumed to be headquartered outside of Europe. On the contrary, the majority of publishers that lacked GDPR plans were in fact based in Europe.

Publishers still aren’t sure what the final GDPR protocols will require of them. This could explain why almost two-thirds of publishers have yet to implement their GDPR strategies. For U.K. publishers specifically, the Information Commissioner’s Office recently released updates for data breach notification requirements and fine administration. However, the ICO has yet to lay out final comprehensive GDPR compliance standards.

Publishers fear GDPR but think it could be worse
Publishers’ fear of the GDPR should be expected because the new laws will redefine the online relationship between companies and consumers. Fifty-six percent of publishers think the GDPR will have a very serious or extremely serious impact on their overall business strategies. This figure jumps to 80 percent for European publishers. No non-European publishers anticipate the GDPR having a very or extremely serious impact on their business strategies.

The EU represents a growing digital marketplace with 500 million citizens. European digital ad spend continues year-over-year growth, totaling $49.8 billion in 2016. Depending on how companies seek to protect themselves from GDPR noncompliance, this growth could be in jeopardy. According to some industry insiders, agencies and trading desks will likely cut back on programmatic spending because of its reliance on consumer data and greater potential exposure to GDPR penalties.

Two GDPR outcomes stand out to publishers
The GDPR threatens noncompliant companies with a fine of either $24 million or 4 percent of global revenues, whichever is higher. Analysis by the NCC Group found the fines the ICO levied in 2016 would grow 7,900 percent under new GDPR penalty guidelines.

However, worries about potential fines pale in comparison to fears about losing audience data and digital revenues. Respondents were five times more likely to be concerned about a loss of audience data than about being fined. Under upcoming GDPR regulations, EU consumers will not be obligated to share their personal information with sites they visit. A recent report by PageFair found that only 23 percent of marketers expect consumers to disclose their data for advertising purposes.

Publishers rely on quantity and sophisticated audience data to sell their inventory both directly and programmatically. A sudden depletion of audience information would certainly result in a loss of digital ad revenues. Without key demographic data, many publishers that rely on ad targeting will struggle to maintain competitive CPMs in an environment with stringent privacy controls, according to Yves Schwarzbart, head of policy and regulatory affairs at Interactive Advertising Bureau U.K.

Media buyers, trading desks and demand-side platforms accustomed to buying audiences across exchanges will have to readjust. The lack of audience data will reduce how certain buyers are about which consumers will be served their ads. Ad buying measurement issues also pose a threat. According to Eric Berry, CEO of native ad platform TripleLift, attribution companies will struggle to track consumers’ paths to purchase under the GDPR. This could potentially alter ad buyers’ marketing strategies and damage publishers that rely on programmatic spending.

Losing audience data would leave publishers in France, the U.K. and the Netherlands particularly at risk. All three have mature data-driven digital marketplaces where programmatic buying accounts for more 50 percent of digital ad spend, according to Statista.

Forming trusting relationships with users will have a significant impact on a publisher’s success. As ad blockers proliferated, publishers restricted site access to users who refused to whitelist them. It’s unclear whether the GDPR will allow publishers to conduct similar practices or install tracking walls that block content access to users. One thing that is clear: If publishers are going to have meaningful audience data, they need to figure out how to get users to trust them.

All parties expect GDPR to affect them equally
General expectations are that brands, agencies, platforms, ad tech vendors and publishers will be equally affected by the GDPR.

While publishers will see their audience data diminished, ad tech vendors that have never had direct relationships with EU consumers could struggle as well. Ad tech vendors that rely on plugging into publishers’ sites for access to consumers will face more difficulty getting users to hand over their data. In PageFair’s aforementioned report, 64 percent of publishers thought consumers would be averse to them sharing user data with other companies. For ad tech companies that users have never heard of, obtaining access to consumer data could prove extremely challenging.

“There are a lot of ad tech players who feel that GDPR could potentially put their model at risk, given that a number of those businesses have never had a direct relationship with people and therefore are not in a position to be getting consent for the data that they’ve been using and monetizing for such a long time,” said Stephan Loerke, CEO of the World Federation of Advertisers.

Some people believe major platforms have an edge over publishers due to their scale and existing relationships with consumers. While many online users are accustomed to ceding privacy rights to the Facebooks and Googles of the world, both of these platforms will be forced to undergo significant reform.

Platforms like Facebook and Google will find their use of user data limited. The GDPR has explicit terms that say data can only be used for the exact purpose it’s collected for and for the shortest time necessary. As a hypothetical example, a platform tracking a user’s location through a map feature or an app can no longer use that information to serve location-based advertisements. Facebook and Google, which offer a number of services such as maps, news feeds and messaging platforms, will need separate opt-ins from consumers for each service to adhere to GDPR standards.

Publishers are equally concerned about ePrivacy and GDPR
The GDPR and the ePrivacy Regulation concern separate issues. Whereas the GDPR guarantees data protection rights, ePrivacy covers how data communications are monitored. Publishers are equally worried about both.

The power of browsers is publishers’ top ePrivacy worry
Depending on who you ask, browsers could be the biggest winners when the dust settles from the ePrivacy Regulation. Half of all respondents believe ePrivacy will give browsers too much power. Meanwhile, publishers noted that negotiating with browsers for access to consumer data was their biggest concern about ePrivacy. The fact that 44 percent of respondents were unsure whether ePrivacy gives too much power to browers underscores the concerning amount of confusion regarding its implementation.

All European users face infamous “cookie banners” that ask for their consent for websites to use various forms of cookies. These banners were the result of the 2002 ePrivacy Directive that stated that users can refuse to allow websites to attach tracking technologies like cookies to their online identities. Furthermore, websites are required to notify users of the option to refuse tracking in terms that are as “user friendly” as possible.

Since then, websites have developed drastically different standards of what constitutes “user friendly,” and few people truly understand the terms of what they are agreeing to. There are several ways to ask for consent under ePrivacy, according to the IAB Europe’s ePrivacy implementation center.

One solution under consideration to mitigate the potential flood of new banners under ePrivacy is to have users manage their privacy settings within their browser preferences. If this strategy is adopted, browsers would instantly become unavoidable giants in the digital media industry as the gatekeepers of consumer privacy data.

Publishers and advertisers fear they could be forced to negotiate with browsers for access to consumers’ privacy settings. One possible outcome: Publishers could pay browsers to whitelist their sites. If that ends up happening, then publishers would be completely at the browsers’ mercy. Stefan Betzold, managing director of Axel Springer title Bild, addressed these concerns: “The ‘browser supremacy’ will give a gatekeeper role to browser providers, who mainly come from the U.S. or belong to U.S. platforms. This might have major effects on the open and free advertising-financed internet in the long term.”

As of January 2017, Google controlled 50 percent of the browser market in Europe, while Firefox and Apple’s Safari were a distant second and third at 19 percent and 12 percent, respectively, according to Statista. European publishers believe it would be problematic if Google and Apple — large U.S. corporations — controlled access to EU consumer data.

Google and Apple already laid out plans to exert increased control over digital advertising by introducing browser-based ad blocking. Both browsers are attempting to protect user experiences by blocking intrusive autoplay video ads, which drive significant revenues for publishers.

Search marketing, which is based on keywords and less on audience data, is less likely to be impacted by ePrivacy or the GDPR. This means that Google could then control another major aspect of digital advertising.

https://digiday.com/?p=265562

More in Media

How The New York Times is using visuals to boost podcast discovery and grow listenership

To grow podcast listenership and help people discover new shows, The New York Times is experimenting with visuals on platforms like YouTube and its own audio app this year.

Media Briefing: Publishers search for new ways to grow (and authenticate) audiences, overheard at the Digiday Publishing Summit

“[Advertisers] already pay data providers for data. So why not pay the publisher?”

Research Briefing: Publishers’ revenue sources are top of mind at Digiday Publishing Summit

In this week’s Digiday+ Research Briefing, we examine which revenue streams were top of mind for publishers at the Digiday Publishing Summit, how TikTok is getting even more marketing spend from brands and retailers despite facing a potential U.S. ban, and how Disney is rolling out DRAX Direct, a direct integration with the industry’s largest DSPs, as seen in recent data from Digiday+ Research.