‘We’ve only just started’: 1 year into GDPR, ad industry braces for more fines

May 22 15:34 2019 Print This Article

Complacency is a dangerous mistress. But it’s a trap many companies are in danger of falling into when it comes to the General Data Protection Regulation, according to advertising sources.

The temptation to do as little as possible, so as to maintain ad revenues, is high. And with no seriously worrying fines levied yet at businesses, several publishers that had taken a strict approach to consent, have started to loosen their terms in order not to feel punished by falling ad revenues while their rivals flourish.

“There is a certain amount of complacency setting in,” said Andrew Buckman, COO of ad tech vendor Sublime. “Until a lot of people get a wrist slap [from regulators,] then people will carry on in this way and say, what’s the point if it is reducing my revenue?”

Yet privacy activists continue to file complaints specifically targeting the use of real-time-bidding techniques in programmatic advertising by ad tech companies, including Google. The latest to come through have been filed from The Netherlands, Belgium, and Spain. Whether or not real-time bidding can continue in its current form, is a note of serious contention between privacy activists and businesses that prefer to preserve the status quo.

Various ad tech vendors that took a strict approach to GDPR, have also felt penalized given many others made pretty cursory changes. “We still take a strict letter-of-the-law approach, but that has probably hurt us,” said Walter Knapp, CEO of ad tech vendor Sovrn. “We have not employed dark UI [user interface] patterns. We did not hide behind legitimate interest or ignore it and hope regulators wouldn’t come after us. But there is evidence to suggest others did. Did it hurt us? Of course — if you’re playing by the rules and others aren’t.”

Regulators have numerous investigations ongoing. The Irish data protection authority is pursuing 52 complaints: 11 concern Facebook, WhatsApp and Instagram, three concern Twitter, two for Apple, one for LinkedIn and one for Quantcast. Google still faces a €50 million ($57 million) fine from French regulator CNIL.

“A lot of people thought last May was the time it would hit, but really that was just the start,” said Stuart Colman, vp sales at InfoSum. “We’re not even 20% of the way through what GDPR means for the industry. There is a long way to go.”

The journey so far
GDPR will celebrate its one-year anniversary this Saturday. Attitudes toward the regulation and how it will impact business could not be more different than they were a year ago when media and advertising executives across Europe were in a state of panic.

Much of that nervousness had been triggered by Google’s last-minute changes to its own data privacy controls, which sent publishers particularly but also media buying agencies and ad tech vendors into a state of disarray. Ad rates plummeted temporarily in the immediate aftermath as a result but stabilized in the following weeks. U.S. publishers such as the New York Times halted advertising on the open marketplace in Europe while they waited for the dust to settle. USA Today blocked all ads running on its site, and continues to do so. Others like Los Angeles Times blocked their entire sites from European visitors, though it has since opened up its site in Europe but has no ads running.

Last April, publishers’ biggest fear was that the reduction in targetable ad inventory brought about by people not consenting to have their data used. Advertisers shared similar concerns about reduced cookie pools. While those that have implemented strict consent strategies have lost out on ad revenue to some extent, those losses haven’t been detrimental to bottom lines. In general, publishers have reported high opt-in rates.

Across Europe, 63% of publisher traffic is now filtered via a consent management platform, according to research from Teads. Spain has the highest CMP implementation rate with 82.12% of traffic, the Netherlands follows with 82.39%, France is at 74.22% and the U.K. 67.28% of traffic, according to the same report. On average, 95% of those users gave consent for their data to be used for advertising purposes.

Naturally, there is a counter-argument: There’s a worryingly high number of sites that operate on default opt-in, rather than opt-out as GDPR law requires. Some websites have taken the approach that if people continue to click through to other articles or show activity on the page, then that counts as consent. These “assumed” consent strategies fall wide of the GDPR mark; however, they’re another reason why certain agencies suspect that ad rates haven’t actually fallen that significantly.

“Everyone is violating the rules,” said Buckman. “None of these companies are adhering to what regulators say. Everyone has taken the easiest way out — to just show something to consumers, and consumers aren’t too bothered by it. They don’t take the time to read the banners and lengthy terms and conditions.”

No longer just a Europe issue
It’s fair to say that data privacy-conscious business is no longer Europe’s priority alone. It’s a global issue. That has no doubt been partly inspired by GDPR, but the news around considerable sensitive user data breaches such as the Cambridge Analytica scandal, and the role platforms like Google and Facebook have played in elections — have helped to push data privacy up the priority list in the U.S. California is set to roll out its GDPR equivalent — the California Consumer Privacy Act — in 2020. Meanwhile, Washington State is gunning to become the second state to enact a privacy law. And Congress is circling closer to a federal privacy regulation. That has also put the spotlight even more firmly on Google and Facebook.

“What is absolutely significant — and the GDPR roll-out was part of it — is there is now global not just European attention on the intersection between their [Google’s] dominance as an advertising business and the rules they play by for their use of data,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “The data policy and competition policy is now a global discussion. That is by far the most material change.”

This article was originally posted here: https://digiday.com/media/weve-just-started-1-year-gdpr-ad-industry-braces-fines/

  Article "tagged" as:
view more articles

About Article Author

GDPR Associates
GDPR Associates

View More Articles
write a comment


No Comments Yet!

You can be the one to start a conversation.

Add a Comment