May 25 will be the day of reckoning for many businesses in the media and marketing industries. It’s the date Europe’s highly anticipated General Data Protection Regulation kicks in, from which point no business operating in Europe can use data without explicit permission from users to do so. The maximum penalty for noncompliance: fines to the tune of €20 million ($24 million) or 4 percent of annual sales.
The GDPR is a slow-moving wrecking ball, after a two-year incubation period that served mostly to heighten confusion over what the regulation means and how to get out of its way. In 2018, the hand-wringing and chatter will give way to action, with a period of intense pain, while companies come to grips with a post-GDPR world. For all the talk of revolution, the GDPR will end up a blip for most rather than a world made new. But that will be after the new regulation causes its share of confusion.
For years, publishers and brands have been burned by not fully understanding how vendors operate within their digital ad transactions — that lack of information will land them in hot water with regulators if left unchecked. Under the GDPR, publishers will share liability if a vendor uses data without the correct level of consent.
Wrestling that level of transparency from ad tech vendors and agencies won’t be easy. Even now, some vendors are passing the buck to publishers, which they expect to shoulder the burden of gaining compliance on their behalf. The harsh reality is, no one will shelter anyone. When it comes to the GDPR, it’s a dog-eat-dog world.
In the U.K., detailed updates on exactly what implementation will look like have dripped through from the Information Commissioner’s Office at a snail’s pace, leaving very little time for businesses to actually implement. That means companies have been forced to second-guess potential outcomes and try to lay out contingency plans for worst-case scenarios, like if advertisers panic about not being ready themselves and pull campaigns. It also means a last-minute scramble to get ready is inevitable.
That said, it’s not all bad news. There are some silver linings hidden within the confusion. For instance, the GDPR will root out bad practices in digital advertising that have long been cause for embarrassment — like cookie bombing. It could bring about some much-needed change in programmatic trading; help end interruptive ads altogether; improve the user experience; and reward publishers and marketers that offer a clear value exchange with users, while penalizing those who don’t, along with bad actors like data merchants that scrape fees within digital ad transactions, essentially stealing from both publishers and marketers.
“GDPR will force programmatic to evolve to greater accountability and improve advertising,” says Amir Malik, programmatic lead at management consultancy Accenture. It could cull bad practices like cookie bombing, where ad networks buy a load of low-quality inventory so they can drop as many cookies as possible in order to inflate campaign conversions, to the detriment of the user experience, he adds.
Those are the long-term benefits. But in the short term, things are going to be tough. For those who think that the issue will be fixed on May 25, think again. The “fun” is just beginning.