The EU’s General Data Protection Regulation (GDPR) has produced an atmosphere of caution across the industry with marketers the world-round now adopting a conservative approach to consumer privacy. As the law's enactment sparks a widespread depletion in fortunes in the European adtech sector, The Drum probes the consequences and looks at attitudes to the path ahead.
The recently introduced EU-wide privacy rules came into force on May 25, and while the optimistic media observers have interpreted them as an opportunity to reassess the value exchange of data between consumers and businesses, the arrival of GDPR has not been without its casualties.
Amid the earlier looming specter of its introduction, adtech vendors faced three key issues over gaining opt-in consent from consumers; as third-party companies, they have no direct relationship with a user, and due to the nature of real-time programmatic, do not always know which sites their ads are appearing on.
Ergo, many such companies – aka “data processors” – deemed themselves reliant on those with more direct relationships with a consumer – such as a publisher, aka a “data controller” – and then gain consent to target them for personalized ads. Either that or risk the (still highly debated) “legitimate interest” route.
This effective loss of what many are terming “data sovereignty” was compounded further by the 11th-hour guidance on how such companies can achieve consent compliance, with some of the largest companies in the sector attempting to take matters into their own hands, and resulting in efforts to strong-arm the industry’s media owners.
Fear and closures in GDPR-land
In fact, trepidation over the introduction of GDPR was such that it led to considerable withdrawals from the European adtech scene with adtech companies such as Kargo, Verve, and Drawbridge among those opting to focus us their attentions elsewhere, rather than risk potential fines of €20m, or 4% of global revenue (which ever is greater) for handling personal data without gaining the necessary consent.
Gil Elbaz, chief executive officer of Factual – a company that helps developers and publishers monetize their content through location data – explains the rationale behind his outfit’s decision to press delete on its database of EU residents prior to May 25.
“So with GDPR we've taken a very conservative approach, we had been studying it carefully and … in our analysis of the developer landscape we felt like too many either aren't compliant or don't fully understand how to begin working on it because they didn't fully understand what consent mechanisms they need,” he says.
“So we decided to take a pause on a portion of our business that involved a device level data on Europeans residents.”
The immediate fallout of the great data clearance
Some have forecast that vast amounts of the data previously available to EU-based marketers will have been lost virtually overnight with Google’s conservative interpretation of the laws limiting the amount of data it would pass on to third parties, particularly those dependent on its DoubleClick ID data flow.
The fact that Google’s interpretation of the regulations has put it at odds with multiple tiers of the industry given that its proposed GDPR compliance framework was initially at odds with those proposed by several trade bodies, including the IAB, has made data-rich media buys that bit more difficult to come by.
As a result, in the immediate aftermath of the introduction of the laws, European adtech companies reported that automated ad requests have diminished by as much as 25%, with spend down 40% as buyers and sellers alike took a conservative attitude towards data sharing.
Additionally, one of the industry’s major data management platforms is widely understood to have seen circa 30% of its audience profile disappear almost overnight, according to sources familiar with the matter.
In fact, several adtech chiefs at multiple publishers with audiences on both sides of the Atlantic decided to switch off their programmatic buys in Europe, instead of opting to risk exposure to the regulation (and sizable potential fine).
Meanwhile, one brand-side marketer, speaking with The Drum upon the condition of anonymity, explained the extent of data loss post-GDPR has meant they had to revert to a last-click attribution model whereas the organization had spent years previously devising a multi-touch model.
Despite Google since stating it would reconcile its interpretation of a consent framework with that of the IAB (eventually and with no committed timeline) the suspension of earlier levels of data-rich media buys is hurting many.
Will the industry reduce its reliance on Google?
Prash Naidu, Rezonence chief executive officer, describes the scenario as “kind of frustrating” because “you and your partners are just waiting on Google to do something” as all the media buyers using DoubleClick’s DSP currently cannot trade with them. He adds: “We are suffering along with anyone else, but thankfully not everyone is dependent on DBM [Google’s DSP].”
Naidu also reports that many in the digital landscape, especially those in the media buying agency sector, are eager to hold this up as an example of why it should reduce its reliance on Google and its DoubleClick stack.
However, the online behemoth’s direct relationship with marketers appears to insulate it from such dynamics, even if some brands are responding to such calls.
“We’ve definitely had those kinds of conversations with [brand-side] clients whose agencies are using DBM, and they’ve set aside some budget for us – and they don’t exactly give that away,” Naidu says.
He then goes on to explain how subsequent attempts to convince said media buying agencies to use additional DSPs that are currently compliant with the IAB Framework are oftentimes positively received (in theory) but legacy contractual issues have frustrated such efforts.
“We investigated other brands spending on those DSPs, but the problem here is that a client has a direct contract with DBM to spend all their money through it,” he says. “So the agency is like ‘yes, we have another DSP, but for this client, we cannot swap because we have to user their DBM account’.”
Speaking at a recent conference hosted by ID5, Anthony Rhind, chief strategy officer at Beamly – effectively an adtech company owned by cosmetics giant Coty – explains that online advertising was a relatively minor consideration for companies “whose business is about much more” when preparing for GDPR.
“This was a massive exercise that was outside of the immediacy of adtech,” he says, underlining the scrutiny brands and other ‘data controllers’ face under the terms of the regulation given the scale of the fine (and public reputational loss) they prospectively face.
Rhind goes on to state how Beamly, which itself uses DBM as its primary DSP, is beginning to expand the number of media partners it is buying with post-May 25, as well as its short-term measures to maintain its reach.
“What we found was that Google has taken a very conservative approach – which is because Google is Google – and initially what we found was that the only inventory available was Google [owned and operated] … so, of course, we were limited,” explains Rhind.
“But of course Google does have a lot of PMP [private marketplace] operated inventory which was an option, and they’re constantly bringing more into the framework it’s currently operating from within.”
However, the fact that Beamly uses a third-party ad server in the guise of Adform to conduct its programmatic media buys means its targeting capabilities are somewhat frustrated, according to Rhind, adding that it is now more difficult to make the two pieces of technology work together.
GDPR as the beginning of a new dawn?
Speaking at a recent event discussing the likely impact of marketing post-GDPR, Sandy Ghuman, Sky, campaign and delivery controller, echoed the positive sentiments expressed by other marketers around the robustness of not only its first-party data, but also the reset dialogue it has with its customer base as well as its partners.
“GDPR was a piece of legislation that was not just new for the brands and the media owners, but also for the partners we’ve had to work with,” according to Ghuman.
The introduction of GDPR clarifies the role of Sky as the data controller, with liability for its protection – arguably a status that clears up the ‘who owns the customer data?’ debate – bringing greater clarity to the perimeters each partner can legally operate within.
“When you have that consent, it really pushes the value of it up,” she says. “This then gives you the opportunity to target customers either on the digital or below-the-line channels … that’s an opportunity to be personalized and engage.”
Tim Norris is general manager, EMEA, at mParticle – a customer data platform, or CDP, that launched an “open compliance program” earlier in the year – and echoes Ghuman’s sentiment.
He further points out that GDPR’s erosion of the volume of third-party data on the market will have a positive impact for those with “legitimate first-party data”. Historically, the comparatively low volumes of first-party data meant that it was less attractive as an advertising tool, but now that GDPR has arrived, its stock has risen sharply.
“Historically, clients have been obsessed with performance and scale metrics to achieve reach, but now [post-GDPR] there’s less focus on scale, and much more focus on quality,” he adds. “Now we’re starting to hear questions around fidelity, sovereignty and what happens to the data when it reaches [third-party] systems – that just wasn’t happening in 2017.”
How valid is your data?
Wayne Blodwell, The Programmatic Advisory chief executive officer, advises practitioners in the sector to take some of the lessons from this transition and apply the same principles ahead of the update to the ePrivacy Law, ie an update to the “cookie notification”, over the course of the next two years.
“This is the first step to more serious regulation in our space… as the control [over behavioral/identification tracking] gets moved [from a webpage] to the browser such as Safari, Chrome and Internet Explorer,” he says. “They [owners of such browsers such as Apple, Google and Microsoft] may control and then restrict how the industry controls device IDs and cookies, and impact [advertisers’] ability to target users.”
According to multiple sources, if adtech companies can embrace regulation as a means of bolstering transparency, then the wider sector, often accused of malign practices, can achieve greater longevity.
He says: “Regulation is often seen as a bad thing, but if our industry is to grow up, become more credible and have people like [Procter & Gamble] marketing chief Marc Pritchard say more positive things then we may need more regulation, and we’ll see how that pans out in the coming years.”
Rezonence’s Naidu explains the dynamics at work: “The way you build trust, if you will, is to first start with transparency because if you and I are dealing and you don't know what I'm doing, or don't understand the transaction, then you're like, ‘well he's sending me this, but I didn't understand how it makes me money’.”
He concludes: “The way we look at it as like say to fix the entire ecosystem, you have to look at the deal, implicit or explicit, between the reader, the publisher and the advertiser, make everything transparent.”
MParticle’s Norris closes by stating how he observes marketers and their use of data in a more privacy-centric world, with a focus on deterministic insights as the basis of their strategy, and that there should be updates to some old adages.
“About 10 years ago IBM came out with ‘the four V’s of big data’ [volume, variety, velocity, veracity] to help marketers assess the quality of a dataset,” he says. “But in 2018 as we enter a privacy-first paradigm, the most important thing is ‘validity’– just how valid is it for you to be using this data?”
The Drum Dadi Awards are now open for entry, celebrating the best digital marketing across Europe. Find out more information on the website.