It has been more than three months since the European Union’s General Data Protection Regulations (GDPR) came into law, and as similar legislation is being drafted in California and Vermont, many companies from agencies to tech giants like Google are trying to avoid the pain points experienced by European parties.
In particular, the industry seeks to learn from the tensions caused by recent policy changes by Google—all of which were ushered in to gain GDPR compliance, but resulted in widespread, unpleasant circumstances. GDPR, which targets Silicon Valley behemoths like Google and Facebook, has partially backfired, according to industry observers who argue that the data protection authorities’ rules lack clarity.
“In retrospect, these complications are not surprising, given the rush by all participants in the final months to understand and apply GDPR to their diverse businesses,” said Doug McPherson, OpenX chief administrative officer and general counsel, adding that GDPR’s lack of clarity delayed companies from finalizing their plans.
“This is a longer journey than most players probably anticipated, and we’re all learning together,” said Chetna Bindra, Google’s product manager for identity, privacy, transparency.
After the May 25 implementation of GDPR, groups immediately started logging data protection complaints against companies, including one against Google and Facebook for forced consent.
The pre-May 25 compliance frenzy saw several American ad-tech companies including Drawbridge and Verve abandon EU operations as trade bodies and regulators stalled in offering definitive guidance. This meant that publishers, media agencies and major tech platforms all vied to absolve themselves from liability in a haphazard manner.
This is perhaps best demonstrated by Google introducing several policies affecting advertisers, publishers and third-party ad-tech companies using its suite of online ad tools.
Google’s most impactful change has severely limited the pass-back of data to advertisers using its ad campaign management tool—formerly known as the “DoubleClick user ID”—causing many advertisers to experience difficulties with their attribution tactics, as many media agencies had primarily built their attribution tools primarily on this data feature.
Several media agency sources, speaking on condition of anonymity, confirmed that they have subsequently had to readdress their attribution strategies. Google was formerly “the only game in town” when it came to attribution, said one source.
“This has pushed agencies to explore third-party ad servers,” another source added.
Furthermore, Google’s 11th-hour agreement to integrate with the IAB’s proposed GDPR-compliance framework led to much consternation in the space. As late as May 24, Google cited difficulties with both policy and technical integrations as cause for the delay, with concerned parties being briefed on its intentions. As of last week, the full integration has yet to be completed.
This was further aggravated by similarly burdensome policies proposed by major media agency holding groups that attempted to heap compliance liability back on to publishers—attempts they successfully resisted. For instance, Digiday reported that Publicis Media asked publishers to agree to terms that would have made them responsible for collecting consent for ad retargeting.
Independent ad-tech company Sizmek asserts that players such as Google were using the legislation to raise their “walled gardens even higher,” thus shutting out independent players, almost all of whom suffered a significant dip in their EU business, post-GDPR.
Google’s Bindra claimed its decision to reverse an earlier policy proposal that would have restricted publishers using its Funding Choices tool to 12 ad-tech partners demonstrates that this is not the case.
“What it shows is that we’re all extremely interconnected,” said Bindra. “GDPR has been as big a change for us as much as anyone else, and what we are all learning together is that something like this just takes a lot of time.”
However, Chris Pedigo, svp at publisher trade body Digital Content Next, said Google’s policy proposals pre-May 25 were attempts to “game the system to their advantage” by imposing policies that would edge out competition.
But in a rare episode of solidarity between the online behemoth and the publisher trade body, both Bindra and Pedigo called on data protection authorities to provide more clarity on the exact terms of the legislation.
“As we get more clarity from the DPAs [data protection authorities], that will help all of us refine how we respond,” said Bindra.
Pedigo added, “With GDPR, the jury is still out, and I think what we need is some clearer guidance from regulators.”