GDPR 2.0: Europe’s ePrivacy Regulation could upend digital advertising again

To some extent, 2018 was General Data Protection Regulation Y2K, but that hasn’t allayed fears that the coming ePrivacy Regulation could upend digital advertising. Again.

Plans are underway to update the current European Union ePrivacy Directive, known as the EU cookie law, into a Europe-wide regulation in 2019. This means all 28 member states will need to follow the same implementation, no wiggle room, with punchy fines of 4 percent of annual worldwide turnover for non-compliance. That’s for all companies wishing to trade with the EU too. Here’s the state of play and what it means for publishers and marketers.

Gaining explicit consent for cookie dropping
In its current guise, the ePrivacy Directive gives uses control over whether companies can use their personal data through dropping cookies, used for site analytics, reporting and advertising. Prior to GDPR — which is broader in scope and aims to regulate the handling of personal data — site visitors in Europe will have been familiar with pop-up banners asking, but not requiring, consent. But this doesn’t go far enough.

The regulation will mean publishers and marketers will have to gain more explicit consent to drop any kind of cookie and provide clear opt-outs for the user, ultimately giving people more control over what data is collected. Wrinkles are being ironed out about how this looks in practice without causing huge user-experience headaches, leading to droves of people choosing not to be tracked, damaging ad revenue and reporting capabilities.

Squeezing programmatic revenue for publishers
In Germany, which historically implemented a more relaxed version of the ePrivacy Directive, research from VDZ, the Association of German Magazine Publishers, found in early 2018 that the German media market will lose upward of €300 million ($341 million) in yearly ad sales if the proposed version of the ePrivacy goes through. In the same report, publishers said that requiring cookie consent would lead to a 30 percent drop in digital revenues.

A huge concern for publishers is that, in order to avoid more annoying, ineffective banners, the European Commission suggested users can decide whether they opt in or out of consent for cookie collection through their browser settings. Even if a user opts in at site level for a publisher to drop cookies, the decision is overridden by the browser setting. Publishers fear the browsers could use this to their advantage and offer publishers the chance to add their site to a whitelist for a fee. However, this isn’t a feature that browsers are keen to enforce either, partly because they would likely have to shoulder additional costs and responsibility to respond to the changes.

Strengthening the walled gardens
Another issue getting publishers concerned is that the regulation will strengthen the hold of walled gardens like Facebook, Google and Amazon, which already have a ton of user login data, don’t rely directly on third-party cookies for advertising like publishers and have a direct relationship with audiences.

“Facebook and Google are already profiting from having specific consent,” said Oliver von Wersch, CEO and founder of Von Wersch Partners, digital strategy consultant for publishers. “This is costing the programmatic landscape every day.”

Like everyone, the platform’s ability to collect and use consumer data will be hampered, for instance, they won’t be able to target ads based on data from services such as WhatsApp, Gmail and Messenger unless they have consent from all parties. But companies with larger legal teams are also in a better position than others.

Good news for login registration strategies
Subscription publishers or companies with login strategies will fare better from the regulation. As well as having recurring non-advertising revenue, being able to demonstrate what the value exchange is for consumers would mean people would likely be more willing to give consent.

“We’d like to see it be made clear whether it’s possible to collect data to be used as part of and a condition for a service,” says Ingvild Næss, chief privacy officer at Nordic publisher Schibsted. “Going forward, many of our news services will be personalized; we need data for that, provided transparency is assured so consumers can make informed choices.”

Updating the rule book is already behind schedule: The law was meant to pass at the same time as GDPR in order to work as a complementary set of rules, but it wasn’t ready in time. Added to that, changing priorities and leadership in European Parliament next year could hold up proceedings further. Meanwhile, some lawmakers want to wait and see what the outcome of GDPR is before deciding on new data privacy regulations.

More money and legal workarounds are going to be needed for companies, think ad-tech vendors, as well as new strategies to make sure that advertisers can find audiences in effective ways. For these reasons, lawmakers are suggesting a three-year implementation process — one more than companies had for GDPR — once the finer details have been decided.

More in Media

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.

Publishers’ Privacy Sandbox pauses settle into a deep freeze following reports of poor performance

Publishers aren’t ready to press play yet on dedicated Privacy Sandbox tests.