The GDPR policy - short for General Data Protection Regulation - is meant to protect personal data of people in the EU countries. As personal data is becoming more and more of a commodity, GDPR aims to give more control to individuals as to how their data is used.
The creation of the text took years due to the numerous stakeholders involved and the complexity of the topic. The project was first proposed by the European Commission in 2012, voted on in 2015 and, as most of you probably know, came into effect on May 25th 2018.
The GDPR is likely the most complex regulation that the EU has ever released: we’ve seen that those in charge of writing the 99 articles have had a hard time communicating the requirements for publishers and enforcing its execution for the time being.
We thought we’d take the opportunity to lend you a hand and compile the basic GDPR concepts and observations from Adomik’s clients and partners. We’ll start by giving you an overview of the GDPR and the new regulations it introduces to the EU online community. Then we’ll dive in deep and explain the impact that we’ve noticed so far and some possible consequences in the future.
But that’s not all! This is only half of a 2-part series on the GDPR; next up in the coming days, we’ve got a quantitative analysis that will keep you on the edge of your seat! We’ll take a look at the impact of the GDPR and go into the grainy details that we’ve seen among our clients per SSP, buyer, etc. so stay alert and keep an eye on your inbox!
Let’s start with some definitions we’ve seen recurring in the GDPR text. They will help us understand the rest later.
GDPR defines two main roles in regard to the use of personal data:
- Data Controller: “determines the purposes and the way personal data are used” - in short, it means those who use a person’s data for a certain purpose
- Data Processor: “processes personal data on behalf of the controller”
For example:
- If a publisher creates targeting segments based on their users’ personal information, then the publisher is a Data Controller
- Adomik collects the data from publishers for them to visualize their own data - Adomik is a Data Processor
Throughout this article, we’ll cite examples of how Data Controllers and Processors should go about their digital advertising activity as underlined in the GDPR policy.
GDPR revolves around the following principles. These concepts sum up how the GDPR intends to protect individuals’ rights regarding their personal data:
- Personal data should be collected in a way that is lawful, fair and transparent for the data subject (i.e. based on a valid purpose - see details in the next paragraph)
- Purpose limitation and data minimization:
  - Personal data should only be used for the purpose it was explicitly justified to be collected for
  - Only the necessary amount of personal data should be collected in order to serve such purpose
- Accuracy: personal data should be accurate and up to date
- Storage limitation: identifiable personal data can only be stored for a limited period of time
- Integrity and confidentiality: personal data collection should be safe and prevent breaches
- Accountability: Data Controllers are responsible for applying the principles mentioned above. If Controllers fail to comply, they can be fined either 4% of their annual turnover or 20 million euros, whichever is higher.
So we’ve discussed personal data collection and the penalties if it’s done incorrectly. Now let’s discuss what is a good or “valid” reason to collect data, and what is forbidden.
Valid Purposes for Collecting Personal Data as Defined by the GDPR:
As mentioned above, whenever personal data is used by a Data Controller, it has to be justified by a “valid purpose”. Here are the different legal means accepted by the policy:
- Consent from the data subject: Anytime that the user gives explicit consent to use, store and process his or her data, the Data Controller and the Data Processor have the legal right to do so for the cited usage
- Without consent from the user, personal data processing can be justified to:
  - Achieve legitimate interests pursued by the Data Controller or by a third party - this one can be subject to a lot of interpretations. Boundaries are not clear yet on this one and we don’t yet know what will be allowed by the administration. But for example, a website that personalizes content based on previous usage might justify data use with this clause.
  - Respect a contract with the data subject
  - Comply with a legal obligation
  - Protect vital interests
  - Perform a task carried out in the public interest
We’ve found that The Economist sums up the new regulations pretty well:
“Consent to collect and process personal data now has to be “unambiguous” and for “specific” purposes, meaning that catch-all clauses hidden in seldom-read terms and conditions, such as “your data will be used to improve our services”, will no longer be sufficient. “Data subjects” can demand a copy of the data held on them (“data portability”), ask for information to be corrected (“right to rectification”), and also request it to be deleted (“right to be forgotten”).”
Europe’s tough new data-protection law - The Economist - April 5th, 2018
Publishers serving ads on their inventory are most likely to choose between getting consent from their users or declaring legitimate interest to justify personal data collection.
On this point, Google has said that they will need to receive the user consent information for all their advertising activities (even when they are not acting as Data Controllers). This announcement pressured publishers to get consent from their users.
Consent Management Platforms
A new type of technical solution has recently been developed to ease the consent collection and storage for the ad tech ecosystem.
Consent Management Platforms (CMP) are technical solutions that allow publishers to encode and store the user consent information. In practice, a CMP is a form on a web page that asks users for the authorization to collect and use their personal data, with the detail of how the data is used and by whom. Users can opt in or out of each data usage and partner using their data.
The IAB (Interactive Advertising Bureau) created the Transparency and Consent Framework (TCF) which standardizes how consent information is collected and encoded across all publishers. Most of the existing CMPs have adopted this framework.
Google is not IAB compliant yet and has developed its own CMP, Funding Choices. Google said they will become IAB compliant in the coming weeks.
CMPs haven’t been widely adopted by European publishers yet:
- The GDPR policy says that if the grounds to use personal data is consent, there should be an explicit consent signal
- Most premium European publishers have implemented a form asking users for consent, but not explicitly. It is also very common for these forms to automatically opt-in users by default. These forms look very similar to pre-GDPR cookie disclaimers. It is unclear how this will be interpreted by the administration, but it feels like it is not in line with the regulations of the GDPR
- A lot of other European publishers haven't implemented any consent forms yet and are waiting for the situation to stabilize
- For the moment, even if publishers have implemented a consent form, partners are not able to read or use the user consent information
Impacts of GDPR: From Panic Mode to Business as Usual?
Ad tech stakeholders are all wondering how GDPR will affect their advertising business. Here’s what we’ve seen so far among Adomik’s clients and partners.
Doubleclick for Publishers
- Google has announced that anyone who uses their advertising platforms must have user consent (opt-in) for all their advertising activities. This means that in theory, all publishers using the DFP AdServer need to collect and transfer the consent information in every ad call
- In practice, Google offers 2 options for publishers using DFP:
  - Use Google’s CMP, Funding Choices, to collect and transfer the consent information. But when it was released, Funding Choices only allowed the inclusion of up to 12 vendors, which is very limited when you take into account all monetization partners, DSPs, tracking partners, etc. in the ecosystem.
  - Bypass consent collection through DFP’s EU consent platform:
    - Whitelist vendors using personal data on the publisher’s inventory (DSPs, tracking partners, monetization partners, etc.)
    - Allow Google AdWords to serve personalized ads on their inventory
- So far most publishers have chosen the second option, due to the limited number of vendors initially allowed in Funding Choices. In the meantime, Google has retracted their announcement to exclusively accept the 12 vendors, and will open up Funding Choices to an unlimited number of vendors after much criticism from publishers and the ad tech industry.
- We haven’t seen an impact on publishers’ revenues on AdX and DFP, except for some publishers that had not completed their setup in the DFP EU consent platform.
Doubleclick Bid Manager
- DBM is also a Google service, and as such, they need user consent information in order to buy impressions
- But no one in the ad tech ecosystem is able to properly send or read the user consent information yet. When GDPR went live, DBM was still able to buy on AdX thanks to the vendor whitelisting system explained above. But outside of AdX, DBM was unable to buy because they were not receiving the consent information:
  - On May 25th and 26th, DBM stopped buying outside of AdX
  - On May 26th, AppNexus and Rubicon white-listed DBM to let them bid even without the user consent information
  - On June 4th, Index and Pubmatic also white-listed DBM
- Since June 5th, we haven’t seen a major impact on revenue so far, among the publishers that Adomik works with in Europe
It’s important to bear in mind that currently, publishers are the most exposed to potential consequences regarding GDPR compliance. When publishers whitelist vendors in DFP, and when SSPs whitelist DBM, publishers are certifying that they are receiving consent from users even when they aren’t collecting the consent information. The legal risk for publishers should be limited in the first weeks following GDPR, but this situation is not ideal in the long run.
The Road to GDPR Compliance Is Still Long
So all in all, it looks like GDPR hasn’t caused a real impact on the ad tech ecosystem so far. Right after May 25th, publishers’ revenues, along with DBM’s spending, were fluctuating due to bad connections between SSPs and DBM. But since these issues were solved, the situation is back to normal. In fact, it feels like the real impacts of the GDPR are yet to happen.
We expect to see more waves of fluctuating spending and revenue in the coming weeks:
- When Google enters the IAB framework, there will probably be further connection issues, just like the ones we saw between DBM and SSPs following May 25th
- When buyers start reading and using the user consent information to determine their bids, it will be vital to monitor monetization using the consent information
So What’s Next? Analysis from the Programmatic Media
ExchangeWire has drawn up the 10 main GDPR consequences. Among these, it highlights:
- The ad-tech duopoly strengthening. According to CEO Ciaran O'Kane, Facebook and Google, who now control 80% of all digital spending in Europe, will come to control 90% in a year.
- The fact that big publishers will likely be the first GDPR victims. In fact, publishers “will have to opt-in users to allow this type of data processing on their site. Publishers are most exposed post 25 May, and as such will be the first to be legally tested by the new regulation.”
AdExchanger’s analysis is that the effect of GDPR on publishers remains unclear:
- The reduction in available data should lead to decreasing programmatic CPMs
- But on the other hand, “buyers will have at their disposal fewer media options and will have to turn to publishers’ second-party data or contextual data to achieve their goals, thus increasing revenue to publishers”
- GDPR could benefit premium publishers, who will be more likely to get users' consent than smaller publishers
- But GDPR could have a negative impact for publishers who rely a lot on programmatic revenues. Indeed, GDPR will make it more difficult to measure conversions, so buyers could reduce their programmatic spending