‘Everyone is breaking the law right now’: GDPR compliance efforts are falling short

The arrival of the General Data Protection Regulation a month ago led to a flurry of activity, clogging email inboxes and flooding people with tracking consent notices. But experts say much of that activity was for show because much of it fails to render companies compliant with GDPR.

Part of the issue, experts say, is the vague regulation has been interpreted in wildly different ways. GDPR consent-request messages vary wildly across sites. There are default pre-ticked opt-ins, buried options that require users to hunt for them, consent banners with information only available at a further click but no button to reject, and implied consent approaches. Others have used what some industry execs refer to as “nuke buttons,” which let the user reject everything without explaining what they’re rejecting or what they’re agreeing to. Others have simply reskinned cookie-banner messages required under the existing ePrivacy directive.

“Many publishers [and marketers] seem to have shot themselves willfully, or ignorantly, in the foot,” said Adrian Newby, chief technology officer at Crownpeak, parent company to privacy vendor Evidon. “They have bombarded their audiences with entirely unnecessary and noncompliant consent and opt-in emails.”

A tumultuous few weeks after the law’s arrival on May 25, in which programmatic ad volumes plummeted mostly as a result of Google’s last-minute GDPR policy changes, programmatic spending is returning to pre-GDPR levels. Jangled nerves are calming, but experts warn against feeling a false sense of security.

“Pretty much everyone is breaking the law right now,” said Denmark-based media analyst Thomas Baekdal. “There is not a single consent dialogue box anywhere that is easy to understand. We [publishers] have not really realized how much this is going to hit us. Everyone is trying to make things work the way they used to, rather than thinking about privacy.”

“The European Union is very aggressive about privacy. This won’t stop just because we have a found a way for people to ignore it. This is coming,” added Baekdal. “They’ll likely attack Google and Facebook first. That’s how it will start, but through that, we will realize that as publishers, we’re just as bad.”

GDPR has been criticized for being vague and open to interpretation, which is what led to such disparate consent-gaining methods. Publishers across Europe are divided between those that have taken softer legitimate interest-based approaches or opt-out methods to claim compliance, while others have gone the harder consent-based route that requires people to opt in.

For example, Bloomberg and Forbes appear to be taking strict active consent approaches, while others like the Guardian and MailOnline are running consent banners. Several publishers have divided explainers on their cookie use into those used for advertising and tracking, and those used for site analytics — though users aren’t always able to pick one and reject the other; in many cases, it’s all or nothing. Others are simply hoping to stay under the radar until they have figured out how to be compliant in a way that doesn’t damage the business model.

“Confusion will continue to reign, and until someone actually gets burned, everyone is trying to fly as close to the sun as possible,” said a publishing executive.

But those who choose to do less now won’t necessarily be better off in the long run, according to some industry executives.

“Just being compliant and talking to users in a legal language won’t take publishers very far and fail to make the best of the potential advantages GDPR is presenting to them,” said Alessandro De Zanche, independent publishing consultant. “Inaction will just play into the hands of the duopoly.”

There are many examples of businesses simply repurposing the existing EU cookie directive policy and running cookie banners at the base of sites, to which users can click “OK” to proceed.

“GDPR consent requires an affirmative action, which leads you to conclude you need an explicit yes button,” Newby said. “No data should be collected until the user says yes. But a lot of publishers have gotten confused and taken a more similar approach to ePrivacy.”

Publishers went on a soul-searching mission when ad blocking reached crisis levels in 2017. A lot of focus returned to ensuring the user experience wasn’t neglected for the sake of hitting short-term revenue targets.

“With Y2K, there was so much freaking out,” said Brian Kane, co-founder and chief operating officer of ad tech vendor Sourcepoint. “But it came and went, and was never talked about it again. It’s the exact opposite with GDPR. It came on May 25, and it was the start of the conversation. We’re in conversations with publishers about how they approach consent, how they tie it with their subscriptions offerings and monetization strategies.”


More in Media

Three strategies publishers are adopting to drive affiliate commerce revenue for Amazon Prime Day 2024

Publishers like Condé Nast, Gallery Media Group and She Knows are taking what they learned from last year’s Amazon Prime Day to shape their strategies this year in an effort to boost affiliate commerce revenue during the July shopping event.

Why the Tribeca Film Festival embraced AI movies with OpenAI and Runway

The 2024 festival brought new dialogue about generative AI, from AI-generated films to feature-length documentaries about AI’s risks and rewards.

Media Briefing: Top takeaways from the Digiday Podcast Creator series

The biggest themes from some of the internet’s biggest creators.