GDPR - What's next?

May 25 has come and gone, meaning GDPR is now in full effect. So what, in practical terms, does that mean for the industry? 


The elephants in the room, from a GDPR perspective, are Facebook and Google. A lawsuit was filed by the Austrian activist Max Schrems and his privacy organization None of Your Business against Google (for Android) and FB (separately against each of FB, Instagram and WhatsApp), on May 25, alleging that both companies violated the GDPR prohibition against "bundling" consent. GDPR Article 7(4) states that "[w]hen assessing whether consent is freely given, [one must consider] whether [...] provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." Android and each of the core FB apps required broad and effectively limitless consent upfront in order to use their services - meaning it is possibly not valid consent under the GDPR. There are further arguments in the lawsuit based on the notion that the GDPR requires a separation of types of consent (e.g. for advertising, for analytics, etc.), and that the user must consent, or not, to their data being used for each purpose. This doesn't seem to be the case for how FB and Android have implemented their consent mechanisms. That said, both do have ways, through their subsequent privacy pages, to give the user additional control over how their data is used. It is unclear how (or when) this case will be decided, but it does appear that the case has at least some merit.

Beyond Facebook and Google, for publishers across the web and app ecosystems, there are a number of distinct paths with various ramifications that we discuss below. The simplest is that certain US-based publishers that are less focused on European monetization have turned off EU access to their properties altogether, such as the LA Times, the Chicago Tribune, Instapaper, A&E, Ragnarok Online (a video game), and others. It is unlikely that this will persist forever, but it will continue until they've either determined how best to comply with GDPR or implemented their solution (whatever they're held up on at the moment). For some publishers, it may simply be the case that implementing the solution isn't worth the risk and the cost, so this will persist until there is more clarity, which may be many quarters from now. Other publishers, like USA Today, have eliminated all advertising, tracking scripts, etc. from their European experience - so it can still be accessed, but the publisher is effectively losing money for every user. Some US publishers have ignored the issue altogether, though this is probably not a viable long-term solution.

The real issue, of course, is for European publishers that derive substantially all of their revenue from European users (and non-European publishers that derive a significant portion of their revenue from European users). They have a few choices: 1) use GDPR as an opportunity to completely end programmatic ad sales, 2) work with a vendor to implement a consent management platform (CMP), or 3) implement an independent consent mechanism. We discuss these in further detail below.

Every publisher that leverages programmatic ad platforms does so voluntarily - there is no law requiring their use. However, it may be the case that publishers view programmatic as having been thrust upon them by an ever-more-powerful buy side that was keen to commoditize publishers and that prioritized buying audiences over quality publishers. Further, they might believe, the fees involved in implementing every step in a programmatic transaction outweigh any potential efficiencies gained and ultimately hurt a publisher's bottom line. The validity of this statement is immaterial (but, of course, I think it's wrong) - what matters is that some may believe it. As a result, some publishers may believe that if they use GDPR as a tool to undermine the effectiveness of programmatic platforms - especially in buying audiences - buyers may return to the "good old days" of buying direct from publishers, potentially even through IOs. While theoretically possible, this seems highly unlikely. Buyers have fully embraced programmatic, with an ever-declining portion of budgets being transacted annually through IOs (albeit without the influence of GDPR). Unless so many publishers band together that programmatic as a whole ceases to be viable, this approach seems unlikely to succeed.

Many publishers that have an interest in monetizing their users via programmatic channels simply were not in the appropriate position to do so on May 25. The direct value chain of monetization is publisher -> SSP/exchange -> DSP -> programmatic trader. At each step, every entity wants the other entities to be responsible, meaning the lead-up to May 25 was marked by contracts, disputes, and general legal wrangling. This generally led to conversations about controllers, processors, and "legitimate interests."

If an SSP is to be a controller, it either needs consent or can rely on a notion called "legitimate interests." For legitimate interests, no explicit action is required. Several SSPs have taken this position, but it is a risky position to take, as the GDPR is vague on what is allowed other than requiring a balancing test between the individual's right to privacy and the company's interest in using that data. Creating audience profiles based on user activity without consent is particularly dubious as being valid under legitimate interests - meaning it would likely require explicit consent. So any DSP that would do this, of which there are many, should either be obtaining consent on its own, which is unlikely since DSPs rarely have publisher relationships, or having explicit consent passed via the IAB consent string, and not relying on legitimate interests. That said, there are disagreements on this point.

There is a strong financial incentive for publishers to obtain consent indirectly for DSPs - specifically, getting money from any DSP that does profiling may not be possible unless they do get consent. But many publishers have yet to fully implement their consent mechanisms (as discussed below), many have failed to sign agreements with potential "processors" outlining what they may or may not do, and many DSPs didn't know how to interpret various types of signals around consent from SSPs. As a result, immediately after May 25, programmatic monetization dropped for many publishers by up to 40% in Europe. Over the coming weeks, it is expected that publishers will more clearly define their relationships with SSPs, and that there will be market consensus as to whether SSPs are processors or controllers.

Publishers implementing consent mechanisms may choose to use CMPs. These are made by various companies, including Google's Funding Choices, which notably limits consent to only 12 vendors, as well as a host of others like Evidon (perhaps the CMP market leader) and Quantcast. These platforms allow users to opt in or out, provide vendor-level and purpose-level controls, and then translate the consent into the IAB consent string. This consent string will be passed through the RTB ecosystem, and it is expected that participants will abide by it. Not every SSP or DSP has completed its integration against the IAB consent string (TripleLift has) - but this will happen soon. Google only committed to following the IAB consent mechanism on May 24 or so, adding material complexity to the ecosystem given the limited time to adapt to the late stance. Further, while many (but not all) publishers have at least implemented a CMP, the CMPs generally do not yet contain the full set of the publisher's partners, nor are the CMPs necessarily conveying the consent accurately per the IAB spec. That said, it is likely that the ecosystem as a whole will, in a matter of months, arrive at a suitable level of interoperability and that a significant enough set of publishers will fully implement CMPs. On May 25, however, very few publishers had a CMP that included every partner and accurately conveyed the full scope of consent, meaning monetization on this date and shortly thereafter wouldn't be very high - and indeed it is not. It is also expected that consent levels may rise as CMPs refine their language and experience.

Some publishers may not use vendor CMPs, and may instead use a proprietary banner that reads something like "By continuing to use this site, you agree to our advertising. Click for more details." It's unclear if this is satisfactory under the GDPR. It is further unclear if this is sufficient to establish the downstream rights for things like audience profiling. It is thus very likely that there will be ongoing confusion about the quality of consent through the ecosystem until the European Union provides some sort of guidance. Unfortunately, that is probably not going to be very soon. 

GDPR will be enforced by each country's data protection authority (DPA). Reuters did a survey of the 24 national DPAs, and 17 indicated that they don't have the funding or currently lack the powers to enforce it. Even those DPAs that do have some resources don't have unlimited resources, meaning the nature of the violation - scope and egregiousness - will likely determine when or if a GDPR violation is pursued. This means that many questions will continue to be unanswered, but the industry will arrive at one or two generally accepted answers. Publishers and the ecosystem will build toward them, and monetization may eventually improve.