Before the European Union’s General Data Protection Regulation, or GDPR, went into effect, the advertising industry scrambled to prepare for the sweeping privacy rules governing data collection practices and permissible data use that were expected to shake up long-running digital marketing practices.
But a little more than two months in, executives at ad-tech companies that operate data management platforms (DMPs), which collect data from various sources and provide it to marketers for targeted advertisements, said the changes haven’t fazed them as much as they thought they would.
“There has not been the nuclear winter that some had speculated would occur in Europe around media and the use of data,” said Philip Smolin, the chief strategy officer at Amobee.
Under GDPR, websites that collect data about visitors for advertising purposes must first inform them how their data is being collected and used and subsequently obtain consent before collecting that data. To comply with the new regulations, many websites present new visitors with pop-ups that prompt them to review and agree to the site’s data collection practices. Some websites in the U.S., including more than a thousand local news publishers, have chosen not to change their data-collection practices or add the ability to obtain “informed consent” from page visitors, which leaves them non-compliant with GDPR. To protect themselves from being fined for violating the regulations, those websites are now inaccessible in EU countries.
For websites that did comply with the E.U. regulations, it took a little while for site visitors to agree to the new GDPR-compliant terms around data collection and usage, which resulted in a temporary dip in the amount of data collected.
At Dataxu, the amount of data being collected by publishers has mostly returned, said Bill Simmons, the company’s co-founder and chief technology officer. Simmons estimated that from the various publishers Dataxu works with, there’s about a 10 percent opt-out rate, lower than what he had expected.
“On the economic front, it hasn’t affected the industry in the way we anticipated,” Simmons said. “In general, we’re seeing high rates of consent, and we haven’t had trouble delivering for our clients.”
Opt-outs haven’t materially affected Dataxu’s business, either, Simmons said.
Simmons said there has been at least one major unanticipated consequence of the GDPR rules as far as he’s concerned. When a user makes a right-to-access request to see what sort of data companies and marketers are collecting, the company must go through a process of connecting the individual’s identity to the data they’ve collected. And for legal reasons, the company must store details about those requests.
“Before GDPR, we strictly never connected the dots between the data we held and an individual’s identity. … It is a great irony of GDPR that we’ve gone to great lengths to protect privacy, and now we are doing this,” Simmons said.
Smolin said GDPR implementation has had some effect on the types of data available to Amobee, particularly from location-based data vendors. Under GDPR requirements, precise location-based data must be anonymized when it’s collected, and businesses must obtain explicit consent from users before collecting it. Those regulations prompted several location-based data vendors, including the cross-device targeting company Drawbridge and the location data company Verve, to close up shop in Europe.
But in the absence of some of that audience-based location data and the resulting loss of reach due to the GDPR limitations on behavioral targeting, Amobee has found relative ease in complementing the remaining audience-based data it has with contextual-based targeting.
“There has been some low-level, double-digit decrease in the availability of data … but we have really not seen any significant business impact,” Smolin said.
Contextual-based targeting, unlike audience-based targeting, is not directly affected by GDPR and is expected by some industry experts to make a comeback in the wake of GDPR and other similar U.S. legislation, like the California Data Protection and Privacy Act.
Smolin compared preparing for GDPR with the frantic preparation for the Y2K problem, the fear that the year 2000 could cause a wave of computing errors that would affect computer systems worldwide. Panicked businesses, organizations and governments implemented a number of preventative measures, but there were very few problems.
There are still a lot of unknowns, particularly surrounding how GDPR will be enforced and what copycat regulations in the U.S. might look like, but all in all, Smolin said, the regulations will be good for the industry as a whole.
“At the end of the day, we’re all consumers, and we as an industry should be treating all consumers with respect,” Smolin said. “… In the long run, GDPR is a good thing. Don’t work around it.”