Stay ahead – join The Drum+

How adtech players are approaching consent in GDPR and whether they will be compliant in time

Adtech faces challenges at gaining consent in line with upcoming GDPR laws

Time is ticking for adtech vendors when it comes to data consent in GDPR, but with little to no guidance from regulators and no direct relationship with the consumer, are adtech players being set up for failure when it comes to hitting the May 2018 deadline?

While GDPR has been on the industry’s radar for nearly two years now, negotiations as to how individual players in the data chain will gain opt-in consent - a challenge still shrouded in ambiguity - has only now started heating up over the past few months, according to Grapeshot and a number of other adtech shops who wished to remain anonymous.

With GDPR, adtech vendors face three key issues when it comes to gaining opt-in consent from consumers; as third party companies they have no direct relationship with a user, and due to the nature of real-time programmatic they do not always know which sites their ads are appearing on; guidance on how they should ask for consent isn’t being published till December; and until then many rules are still up for debate.

Essentially, there is little clarity as to what approach third parties will/can take when it comes to gaining consent, neither from the adtech players themselves, the publishers who will likely be responsible for gathering consent for all their partners, the Internet Advertising Bureau (IAB) who represent the digital ad ecosystem in the UK, and digital agencies in this space.

At the hands of publishers

The challenge, according to one adtech executive who wished to remain anonymous, is that the players who act on first party data most (advertisers, agencies, DMPs) are usually the ones furthest down the adtech chain, yet the further away a company is from the consumer the harder it is to get consent.

Therefore, what the adtech players, trade associations, consent, tech and policy experts can agree on is that while everyone in the adtech chain that handles customer data is ultimately liable and responsible for being GDPR compliant - third parties have little other choice than to rely on publishers to get their consent.

“Everyone is responsible but publishers have a direct relationship with the consumer, so they are the only ones who can get it,” the anonymous executive said. “It is up to us (the adtech companies) to help them get that. When they get consent it passes down the chain.”

While this largely renders the adtech players helpless in the hands of the publishers, what they can do is help publishers communicate the value of advertising to consumers, and the value exchange between free content and data consent, in order to secure their future on the site.

“Being able to provide contextually relevant content and communications is going to be key in helping the customer understand why it is they should select ‘opt-in’ in the first place. Having the omnichannel insight and infrastructure to power real-time, contextually driven conversation will be key,” said Kurt Kratchman, chief operating officer of Grapeshot.

If anything, adtech players should see this as an opportunity to have a closer relationship with their publisher partners to ensure they are all handling data in a sensitive and appropriate manner, Kratchman believes, which can only be a good thing for the industry.

Indeed, it’s not a doomsday scenario as many reports suggest, according to Damian Scragg, ‎SVP of global sales & European managing director of Evidon. Having those transparent conversations with consumers about exactly how their data will be used helps to build trust with the consumer, makes them more likely to give the adtech chain permission to use their data, and ultimately “transfers into additional revenue” for the publisher, Scragg says.

It could also lead to "better, more accurate tracking", and a reduction in the amount of advertising dollars wasted on people that don't want to be tracked, who "arguably don't respond to advertising in general", said Dan de Sybel, chief technology officer at Infectious Media.

Late guidelines; late compliance

However, Yves Schwarzbart, head of policy and regulatory affairs at IAB UK, admitted “we are not there yet” when it comes to a perfect solution. “What makes things more complicated is that consent remains an area of GDPR where we have some open questions.”

Schwarzbart is referring to the fact that consent requirements as written in GDPR can be interpreted in different ways, both company-wide and country-wide, and it is usually up to regulators to provide guidance to clarify some of those areas. Yet regulators aren’t expected to publish guidelines on the issue of consent till December.

That means any adtech company that has gone to market with a consent solution - or those that are currently working on one - have to work in an “environment of uncertainty”, since whatever they implement now may be contradicted by the guidance in December, Schwarzbart reveals.

Voicing these concerns, Grapeshot’s Kratchman said regulators are “not yet” being clear enough as to what is expected from adtech players when it comes to GDPR compliance.

“More guidance is required and simple actionable measures for all customers, not just publishers but anyone involved in customer data from the local business to a global FMCG groups,” Kratchman said.

De Sybel believes that given the lateness of guidelines, it is “extremely unlikely” that any company that uses personal data will be fully compliant when GDPR is enforced in May.

“I expect a transition period of at least six to 12 months where companies demonstrate they have made changes to prepare for the GDPR and wait to see who gets taken to court first, making further adaptations once the court rulings are announced,” he said.


With little guidance from the regulators, the industry has formed consortiums like Germany's Verimi and the non-profit DigiTrust, with a view to creating a single standardised ID/ login to make it easier for participating partners to gain permission to use consumer data in a way that does not destroy the customer experience.

These consortiums “are necessary to start the kinds of dialogue between partners that will enable more upfront and transparent data sharing with end users”, claims de Sybel.

“It's worth noting that these consortiums don't provide solutions to all the rules outlined in the GDPR, but the key point is that individual adtech companies can no longer unilaterally address them, as is the case with cookie tracking technologies. If they try, end users will be faced with a myriad of pop up boxes asking them to agree to this data sharing or that data sharing, destroying customer experience and driving people towards Google and Facebook as being single points of consent for all their online needs,” de Sybel added.


Another side effect of GDPR laws is the need for greater accountability in the digital ad ecosystem. The days of the ‘spray and pray’ approach whereby adtech vendors put ads out across the internet without full knowledge of which sites they appear on will no longer cut it with regulators.

Fixing this is both the responsibility of the vendors themselves, who will have to ensure there is less opacity around where they are placing ads, and the publishers who under GDPR law will have to be aware of who has access to their site and what those vendors do.

Since it is likely publishers will be forced to disclose every single vendor they work with when asking consumers for consent - based on the draft consent guidance published by the ICO - this could lead many publishers to clean up the amount of partners they have. Adtech vendors and the IAB continue to be coy as to the implications of this, with Schwarzbart simply saying: “It is up to them [the publishers] to decide if it is easier to work with fewer partners or more.”

The Drum reached out to a number of publishers for comment on how they are working with adtech partners in GDPR compliance, but all declined to comment.

By continuing to use The Drum, I accept the use of cookies as per The Drum's privacy policy