Complacency is a dangerous mistress. But it’s a trap many companies are in danger of falling into when it comes to the General Data Protection Regulation, according to advertising sources.
The temptation to do as little as possible, so as to maintain ad revenues, is high. And with no seriously worrying fines levied yet at businesses, several publishers that had taken a strict approach to consent, have started to loosen their terms in order not to feel punished by falling ad revenues while their rivals flourish.
“There is a certain amount of complacency setting in,” said Andrew Buckman, COO of ad tech vendor Sublime. “Until a lot of people get a wrist slap [from regulators,] then people will carry on in this way and say, what’s the point if it is reducing my revenue?”
Yet privacy activists continue to file complaints specifically targeting the use of real-time-bidding techniques in programmatic advertising by ad tech companies, including Google. The latest to come through have been filed from The Netherlands, Belgium, and Spain. Whether or not real-time bidding can continue in its current form, is a note of serious contention between privacy activists and businesses that prefer to preserve the status quo.
Various ad tech vendors that took a strict approach to GDPR, have also felt penalized given many others made pretty cursory changes. “We still take a strict letter-of-the-law approach, but that has probably hurt us,” said Walter Knapp, CEO of ad tech vendor Sovrn. “We have not employed dark UI [user interface] patterns. We did not hide behind legitimate interest or ignore it and hope regulators wouldn’t come after us. But there is evidence to suggest others did. Did it hurt us? Of course — if you’re playing by the rules and others aren’t.”
Regulators have numerous investigations ongoing. The Irish data protection authority is pursuing 52 complaints: 11 concern Facebook, WhatsApp and Instagram, three concern Twitter, two for Apple, one for LinkedIn and one for Quantcast. Google still faces a €50 million ($57 million) fine from French regulator CNIL.
“A lot of people thought last May was the time it would hit, but really that was just the start,” said Stuart Colman, vp sales at InfoSum. “We’re not even 20% of the way through what GDPR means for the industry. There is a long way to go.”
The journey so far
GDPR will celebrate its one-year anniversary this Saturday. Attitudes toward the regulation and how it will impact business could not be more different than they were a year ago when media and advertising executives across Europe were in a state of panic.
Much of that nervousness had been triggered by Google’s last-minute changes to its own data privacy controls, which sent publishers particularly but also media buying agencies and ad tech vendors into a state of disarray. Ad rates plummeted temporarily in the immediate aftermath as a result but stabilized in the following weeks. U.S. publishers such as the New York Times halted advertising on the open marketplace in Europe while they waited for the dust to settle. USA Today blocked all ads running on its site, and continues to do so. Others like Los Angeles Times blocked their entire sites from European visitors, though it has since opened up its site in Europe but has no ads running.
Last April, publishers’ biggest fear was that the reduction in targetable ad inventory brought about by people not consenting to have their data used. Advertisers shared similar concerns about reduced cookie pools. While those that have implemented strict consent strategies have lost out on ad revenue to some extent, those losses haven’t been detrimental to bottom lines. In general, publishers have reported high opt-in rates.
Across Europe, 63% of publisher traffic is now filtered via a consent management platform, according to research from Teads. Spain has the highest CMP implementation rate with 82.12% of traffic, the Netherlands follows with 82.39%, France is at 74.22% and the U.K. 67.28% of traffic, according to the same report. On average, 95% of those users gave consent for their data to be used for advertising purposes.
Naturally, there is a counter-argument: There’s a worryingly high number of sites that operate on default opt-in, rather than opt-out as GDPR law requires. Some websites have taken the approach that if people continue to click through to other articles or show activity on the page, then that counts as consent. These “assumed” consent strategies fall wide of the GDPR mark; however, they’re another reason why certain agencies suspect that ad rates haven’t actually fallen that significantly.
“Everyone is violating the rules,” said Buckman. “None of these companies are adhering to what regulators say. Everyone has taken the easiest way out — to just show something to consumers, and consumers aren’t too bothered by it. They don’t take the time to read the banners and lengthy terms and conditions.”
No longer just a Europe issue
It’s fair to say that data privacy-conscious business is no longer Europe’s priority alone. It’s a global issue. That has no doubt been partly inspired by GDPR, but the news around considerable sensitive user data breaches such as the Cambridge Analytica scandal, and the role platforms like Google and Facebook have played in elections — have helped to push data privacy up the priority list in the U.S. California is set to roll out its GDPR equivalent — the California Consumer Privacy Act — in 2020. Meanwhile, Washington State is gunning to become the second state to enact a privacy law. And Congress is circling closer to a federal privacy regulation. That has also put the spotlight even more firmly on Google and Facebook.
“What is absolutely significant — and the GDPR roll-out was part of it — is there is now global not just European attention on the intersection between their [Google’s] dominance as an advertising business and the rules they play by for their use of data,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “The data policy and competition policy is now a global discussion. That is by far the most material change.”
There is a very strong concerted effort to pass privacy federal law that would bypass state law, according to Kint. “By itself, the bigger skeptics and stronger consumer advocates wouldn’t want that as California has a very strong law now, and they don’t trust the system. We’d certainly prefer to have one law that is federal as it makes it easier to run business.” That, however, is unlikely, given the fact people will be torn between wanting to have policies as strong as the CCPA and GDPR, while others demand watered-down versions, he added.
Ahead of GDPR’s arrival, industry consensus was that Google and Facebook would benefit from the law. After all, they’re the only companies that can claim logged-in user IDs en masse. Both companies are under serious data-privacy pressure that goes above and beyond GDPR. Facebook is fighting fires left, right and center, with the Cambridge Analytica scandal still fresh in consumers’ minds. Meanwhile, Google’s latest product changes, such as its alterations to its Chrome browser settings, are merely a precursor to how the platform plans to shape its future products around data privacy, advertising sources believe.
“There were two days that I’ve ever slept in my office —one was Y2K, which came and went with zero impact. And the other was GDPR, said Brian Kane, co-founder of Sourcepoint. “GDPR is nothing like Y2K, which was a one-time thing with no social ramifications. We’re still very much feeling the effects with GDPR. Just look at how Apple and Google are marketing their privacy capabilities. There is a new focus on the right to privacy, and GDPR is a microcosm of that. Transparency on how data is used is not a flash in the pan.”
User experience has suffered
There is a clear irony in the fact that GDPR was conceived primarily to benefit users, to help them better understand and control how their personal data is used by businesses. In practice, the lack of CMP standardization and the media and advertising industry’s broad interpretation of the law has meant that GDPR consent messages on websites are a mess. Brand marketers are shaking their heads at how bad the consumer experience has become. “As a consumer, I initially clicked reject on a lot of messages,” said a senior marketing executive at Digiday’s Brand Summit Europe in Ireland this week. “Now I’m just so fed up with all the different messages, I click OK to everything. No one has ever actually educated consumers on what GDPR is.”
While the majority of publishers have now adopted a CMP, some only implemented one three months ago, according to ad tech sources. That hasn’t helped when it comes to establishing a unified interface for consent messages.
The slowness isn’t a matter of publishers having bad intentions or trying to hide behind legitimate interest strategies — which have moved from being a majority to a minority strategy in the U.K. in favor of consent, according to sources. But it was simply down to uncertainty. “The net result is that we haven’t moved forward as far as we should,” said Colman. “That makes it a bit of a nerve-wracking time. The ICO and other DPAs are going to start stepping up and providing more definitions and clarity around the rules. The announcements we’ve seen in the last few months have been the thin end of the wedge. We’ll see some significant fines coming up.”