As GDPR Rocks the EU Ad-Tech World, Vendors Must Learn to Adapt

Regulators have been forced to push back against some industry giants

illustration of binary code data footprint being erased with squeegee
The Data Protection Commission is investigating Google, Facebook, Twitter and Quantcast for GDPR compliance. Getty Images
Headshot of Ronan Shields

Since May 2018, General Data Protection Regulations (GDPR) have been enforceable across the EU, with ad-tech companies both big and small now facing fundamental questions over their core functions.

The main questions focus on how the online ad ecosystem transfers audience data between players and casts doubt over their value proposition. While some data protection watchdogs have attempted to adopt a more market-friendly stance, others are increasingly baring their teeth.

For instance, in the Republic of Ireland, where the majority of scaled U.S. digital behemoths have housed their EU headquarters, the Data Protection Commission (DPC) is simultaneously investigating Google, Facebook, Twitter and Quantcast for GDPR compliance. At the vanguard of this movement has been Brave, an emergent web browser that wants to challenge the current default means of behaviorally targeted advertising, which has alleged multiple GDPR violations on each of these platforms.

The outfit’s chief policy and industry relations officer Johnny Ryan has penned multiple complaints to the DPC, and earlier this month, Brave made public allegations claiming that Google’s ad stack deliberately circumvents GDPR policies. Google’s ad stack broadcasts personal data to multiple parties in the ad-tech ecosystem, with a workaround that runs contrary to its own publicly stated GDPR safeguards, according to Brave, which has submitted its findings to the DPC.

In an emailed statement to Adweek, Ryan added, “The [U.K. regulator, the Information Commissioner’s Office,] ICO has yet to use its powers to compel answers from industry, whereas the Irish DPC has launched a statutory investigation into suspected infringement by Google’s RTB [real-time bidding] system. That inquiry is very important. We await similar action from the ICO.”

Elsewhere, the data protection watchdogs in the U.K. and France—the ICO and the Commission Nationale de l’Informatique et des Libertés, or CNIL, respectively—have made public their concerns over the GDPR compliance of real-time bidding, a foundation stone of ad tech, as it may expose individuals’ information to hundreds of companies without their consent.

Speaking separately this month at the annual ATS London conference, Ali Shah, head of technology policy at ICO, explained the rationale behind its current six-month liaison with the industry. He maintained that the body wants to take a constructive, not punitive, approach.

Albeit this came caveated with a stern warning, with sentiments that echo the earlier assertions of Ryan, which allege that online ad auctions leak web users’ sensitive data.

“We looked at the governance controls and technical components [of RTB protocols], and we thought the controls were just not robust enough,” he told attendees.

Shah further explained that in the coming months the ICO will start to make some judgment calls as to who is—and isn’t—serious about data privacy.

“You know, if this was a beach and [ad tech was] just sitting there chilling, I’d tell them that the tide is about to come in,” he added.

Meanwhile, IAB Europe has attempted to mediate the industry’s various competing interests with the drafting and publication of the Transparency Consent Framework, an initiative that got off to a stuttering start as Google failed to get on board upon initial publication.

However, even as these initial rifts have been healed and the industry conducts pilots to establish a more agreeable way to conduct data flows in the guise of TCF 2.0, some in the sector are questioning the fundamentals of how the industry operates.

Mathieu Roche, CEO of ID5, said a lot of ad-tech vendors currently rely on legitimate interest as their means of GDPR compliance. But that is very soft ground, he said, adding that “the days of all-you-can-eat data” will soon be numbered.

“I think there’s a new way of thinking, which involves redefining the way we access data. A lot of people will have to work out how they can offer access to data without necessarily offering access to identity,” explained Roche.

This story first appeared in the Sept. 23, 2019, issue of Adweek magazine. Click here to subscribe.
@ronan_shields Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.