GDPR is coming, and many U.S. ad tech firms aren’t ready

In the lead-up to Dmexco in Cologne, Germany, which brings together the world’s ad tech decision-makers, the elephant in the room is the implementation of European Union rules on data protection that will become enforceable in less than a year.

For many visiting American executives, the drumbeat of warnings could serve as a wake-up call of sorts. As of next May, advertisers won’t be able to market to individuals without obtaining specific consent to use their data. It won’t matter whether a company’s servers are held in Israel, India or the U.S. — if it is storing the data of an EU citizen, it must abide by the General Data Protection Regulation or face fines.

The warnings can be dire. Johnny Ryan, head of ecosystem at PageFair, has said the regulations could “rip the digital ecosystem apart.” Several ad tech executives have noted that some U.S.-based vendors see the rules as a regional rather than international issue, while others are delaying preparations for the GDPR because they fear losing money.

From an American perspective, GDPR is difficult to fully comprehend: sweeping regulations that have 99 articles and 173 recitals. Some are betting that the sheer scope of GDPR means EU regulators will struggle to enforce it, said Matt O’Neill, gm for Europe at ad verification business The Media Trust at ExchangeWire’s ATS conference on Sept. 11. When the GDPR came up at a recent industry event, one industry source said none of the people they spoke to could confidently say they had a plan in place.

Businesses outside of Europe aren’t necessarily reluctant to adapt for the GDPR. The reasons they’re delaying preparations have more to do with procrastination, not reading the fine print and, most importantly, not fully processing the GDPR’s implications, said Shane Minte, U.S. head of supply at mobile data platform Ogury. “It’s one of those things that, due to the geography, might feel like a distant problem, yet it is going to affect us all,” he said. “Having just a single user in the European Union for which [a company is] not GDPR-compliant means 2-4 percent of their global revenues are at risk.”

Sam Tomlinson, a partner for media, insight and assurance at PwC, has witnessed the disparity between European and U.S.-based advertising businesses firsthand. Since the one-year countdown to GDPR enforcement began, ad tech vendors in Europe have inundated Tomlinson and his group with requests to educate their teams on the far-reaching implications of the rules. From the discussions, it’s become clear to the auditing firm that some of its ad tech clients don’t see the GDPR as a top priority yet.

“Another reason [for the ad industry’s lack of focus on the GDPR] is that ad tech strategic thinking is often happening in the U.S,” he said. “Those ad tech businesses probably have a sales outpost in London or continental Western Europe and are mainly concerned with those teams hitting quarterly sales targets rather than listening to ‘local’ concerns about impending GDPR regulation. That makes it hard to escalate GDPR to the U.S. head office, although there are some signs that’s now starting to change.”

Most marketers outside of Europe are struggling with the GDPR, according to the WFA. The trade body, which questioned 18 companies with a combined spend of more than £20 billion ($26.3 billion) a year, found that 56 percent of respondents said their European teams are more aware of the challenges of adhering to tougher data laws, compared to the global average of 44 percent.

“GDPR has only just begun to really hit mainstream commercial headlines in the U.K.,” said Sue MacLure, head of data at customer engagement agency Psona. “Outside of Europe, there is no reason to have heard about it in anything other than a compliance workshop. And marketers don’t appear to be going to those.”

Stephan Loerke, CEO of the World Federation of Advertisers, attributes the lack of urgency about the GDPR outside of Europe to non-European marketers’ confusion about how the rules affect their global practices, leading them to delay the implementation of necessary safeguards. Furthermore, those same marketers aren’t receiving much help from other parts of the supply chain, specifically ad tech vendors.

“There are a lot of ad tech players who feel that GDPR could potentially put their model at risk, given that a number of those businesses have never had a direct relationship with people and therefore are not in a position to be getting consent for the data that they’ve been using and monetizing for such a long time,” he said.

Some ad tech vendors like AppNexus are making moves ahead of the GDPR. The company is cutting loose all partners that don’t adhere to the rules, and it sowed the seeds of a compliant, people-based ID in May, which other leading ad players, such as OpenX and Rocket Fuel, back.

“AppNexus is future-proofing its business for the next generation of privacy compliance to provide a vital competitive advantage in the new GDPR environment,” said Julia Shullman, senior director and deputy general counsel for commercial and privacy at AppNexus. “Every publisher and advertiser should ensure they and their technology partners are taking steps to prepare.”

The ad industry’s fortifications for the GDPR are set to be hotly debated at the Dmexco conference in Cologne, Germany, this week.

More in Media

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.

Publishers’ Privacy Sandbox pauses settle into a deep freeze following reports of poor performance

Publishers aren’t ready to press play yet on dedicated Privacy Sandbox tests.