Over the course of the past 20 years, brands, agencies and publishers have poured billions into building sophisticated advertising technology systems capable of collecting reams of data about consumers’ online preferences and interests—and then with hyper-precision, deploying targeted ads. This year alone, according to the digital marketing research firm eMarketer, U.S. advertisers are estimated to spend $39 billion on programmatic ads.

But now, Europe’s landmark General Data Protection Regulation (GDPR) law, set to take effect on May 25, is changing the game, potentially placing this massive data-driven ad spending at risk. Intended to put the privacy back into the concept of private data, GDPR enables consumers to view, limit and control how businesses collect and process their personal information.

“GDPR is the single most significant regulation of digital advertising ever,” says Doug McPherson, chief administrative officer and general counsel at OpenX, a programmatic advertising company. “A lot of companies were accustomed to collecting everything they could, storing it and figured that they might need to use it later.” Now he notes, “GDPR forces companies to design privacy into all of their products and systems.”

The new regulation is a much needed update of the 1995 Data Protection Directive—enacted before the explosion of the digital economy and with it, the expansive ability to shop, bank and do all manner of business on the internet.

Under GDPR, businesses must now adhere to a set of strict stipulations regarding why and how they collect data—in many cases enabling people to decide what information they choose to share. For instance, GDPR rules allow for the “right to be forgotten” (people can ask for specific online data about them to be removed). The law also now prevents companies from collecting data on children under the age of 16 without parental consent. And when it comes to data breaches (think Equifax, Target and Wells Fargo to name a few), they must now be reported to authorities and customers within 72 hours. According to a recent study by Javelin Strategy & Research, last year 16.7 million American consumers had their identities compromised, up 8 percent from 2016, causing $16.8 billion in losses.

While GDPR is a European Union initiative, its reach is worldwide. That means American companies, from small online retailers to tech giants that stockpile and use EU citizens’ data, are subject to comply.

“Even if you don’t have an office in Europe, if you’re delivering ads to Europeans, European regulators will likely expect that you are subject to GDPR,” says J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), a nonprofit organization focused on privacy. In advance of the regulation coming online, the organization estimates that companies will spend some $7 billion on privacy and compliance this year. Notably, IAPP reports that the number of firms specializing in data and privacy solutions has increased to 115, up from 39 last year.

Facebook, for instance, has announced plans to add a privacy center feature to its site where users can choose what data advertisers can collect from them to serve them ads. The Menlo Park, Calif.-based social media colossus also plans on doubling the number of employees focusing on safety and security to 20,000 by the end of 2018. Meanwhile, Google has created a website detailing how all of its businesses such as AdWords, DoubleClick and AdSense collect info to target ads and personalize experiences.

Companies that do not comply can be held liable for financial penalties of 20 million Euros or 4 percent of a company’s global revenue, depending on which is larger. For instance, Procter & Gamble—the world’s largest advertiser—could be subject to 2.3 billion Euros ($2,855,404,000) in fines based on its 2016 revenue, according to numbers crunched by PageFair, an Ireland-based ad-serving company.

Then there’s the soft costs associated with consumer backlash. Violating personal data has the potential to cause significant reputational damage for the companies involved, argues Johnny Ryan, head of ecosystem at PageFair. “It’s not just about the brand, nor is it about the particular publisher—it’s about all of the businesses that touch the data,” he says.

Given the ever-evolving nature of the digital universe, many experts view the May 25 deadline as just the beginning. GDPR, explains the IAPP’s Hughes, is “not a finish line—in some ways it’s just the starting line. [It’s] not just writing a privacy policy and sticking it up on your website. It’s doing the hard work of data protection … this is the new normal.”

As GDPR shapes up and shakes out, Adweek spoke to four experts from areas likely to be affected by this regulation about the changes coming and their potential ramifications.

THE AD-TECH
COMPANY VIEW

Criteo currently operates under Europe’s Data Protection Directive regulations. Those rules differ country by country and GDPR will make all European companies—and by extension any U.S.-based company that works with them—play by the same rules.

“This framework is going to bring consistency across Europe,” says Fouilland, whose company works with brands and retailers to retarget consumers with ads after they’ve left a site without making a purchase. “It’s bringing clarity to personal data protection given the fact that there were multiple applications across Europe [beforehand.]”

Here’s one way that it will play out for Criteo’s retail clients (which include U.K. retailer New Look and jewelry brand Stella & Dot): Brands will now have to include either copy or a pop-up ad requiring consumers to agree to share data about themselves in exchange for browsing product pages on the website.

“It is very much the experience that the consumers have already in markets like France or Spain,” he says.

THE AGENCY VIEW

Wunderman is staffing its European offices with data protection officers, a new role that all companies are required to fill under GDPR regulations. They’ll be responsible for conducting audits and serving as an organization’s point person with the EU.

Wunderman is also establishing liaisons in its EU offices tasked specifically with GDPR-related requests for proposals and requests for information from brands.

According to van Niekerk, GDPR gives small brands the opportunity to compete with tech behemoths like Facebook, Google and Apple, which will now be forced to open up about their once fortressed data policies.

“I think what the EU legislators are trying to do in theory is create more of an equal playing field for smaller companies to get data from the walled gardens or the big incumbents so that the consumer can easily shift to a new competitor or a smaller provider,” he says.

THE PUBLISHER VIEW

For years, major publishers like Dow Jones Media Group, The New York Times and Bloomberg have leaned heavily on data-based technology to learn about their readers and help advertisers target specific groups of consumers.

With GDPR’s deadline rapidly approaching, those ad-tech companies powering up publishers’ tech pipes are having to now revamp their data collection processes. For a global news firm such as Dow Jones, taking in huge amounts of data, including from Europe, and figuring out how to balance business versus privacy concerns is an ongoing activity.

To that end, Dow Jones has created a privacy steering group, made up of at least a dozen senior executives across the company in order to assess and act on the developing new digital ad frontier.

Among publishers, one potential scenario being discussed is placing pop-ups and boxes on pages that require consumers to enter their data before they can read a story. Also under consideration, cutting the number of ad-tech companies to streamline the compliance process. In other words, readers could see less annoying ads on pages, causing publishers to charge more for premium inventory.

“With the way that this topic evolves, you have to think about it in a 360-degree way,” says Latour, who runs publications including Barron’s, MarketWatch and Financial News. “If the leaders are actively engaged and aware, that fosters an atmosphere of education and collaboration that ripples through the company.”

THE BRAND VIEW

When you think of Pitney Bowes, you probably think of postage meters and mailing equipment used by offices, but the brand also powers location analytics and ecommerce sites in 100 countries for brands like Harvey Nichols and Zillow; it’s currently retooling its data processes to meet GDPR’s requirements.

Two years ago, Pitney Bowes ran 20 privacy risk assessments to analyze how data was collected and broken out in Europe versus information collected within the U.S. The company has now completed more than 90 assessments and has a specific working group in its marketing department that focuses on determining what data meets GDPR’s “consent” requirements.

Says Umerley, “We’re trying to globalize our process wherever possible and then localize where required—hopefully we do this once and augment going forward as opposed to having to do heavy lifting again and again.”