GDPR Advertising

A new dawn for programmatic display in a post-GDPR World

By Andy Houstoun, Product director



Opinion article

July 26, 2018 | 9 min read

25 May 2018, the date the General Data Protection Regulation came into force, has quietly slipped into the ether of the past. The legal industry are smiling at their healthy bank balances and naming newly acquired Swiss chalets ‘GDPR’; small businesses who firmly believed the first knock at the door on 26 May would be from data protection bailiffs demanding the highest of 4% of their turnover or €20m are feeling less anxious; and the promised Armageddon for adtech companies in the European Economic Region (EEA) has, by and large, not happened.


Companies outside the EEA have been less directly affected by the GDPR, but there are signs that privacy laws are toughening up.

Those that tried to support the spirit of the legislation for ‘the rights of individual data subjects’ (GDPR wording not mine) in regard to their ‘personal data’ might feel a little aggrieved at the loose interpretation of ‘legitimate interest’ and ‘affirmative action’ adopted by many companies in the market. Diligent staff who worked tirelessly through the legal obligations hidden in broad GDPR guidelines, to deliver clear and unambiguous information to data subjects about how they are tracked and for what purpose, might feel that their efforts were wasted. Hundreds of Consent Management Platforms (CMPs), the new ad-tech acronym for 2018, have sprung up, some choosing to use them, many not.

The always-complex programmatic supply chain is now splintered and more comparable to the fiefdoms and allegiances in Game of Thrones than a collaborative collection of companies with a common goal - smarter ads for better performance. Access to ‘consented IDs’ for data subjects, (normally stored in cookies) might, or might not, come via a plethora of consent mechanisms. These differ across inventory suppliers and, in some cases, inventory sources have dried up as large publishing groups, worried about fines, adopt policies that remove deterministic cookie ID matching from the supply chain altogether. And because the industry is further divided on what constitutes explicit consent and legitimate interest, the decision whether to serve or not to serve a personalised ad has confused many industry veterans – so pity the poor data subject it is served to.

Many are rueing the decision to put off responding to countless notifications from supply chain vendors to fill out GDPR forms. Even serving dynamic creative becomes impossible as it involves integrated systems that are meant to, somehow, pass consent (or not) from place to place. The supply side are the bouncers at the door: if your name wasn’t down correctly, you are not coming in.

While adtech has increased complexity in typical fashion, the gulf between advertisers and the industry widens as they worry about the impact of GDPR on their business. Hidden beneath the consumer-facing email farce requesting valid consent, millions of bits of paper on data processing have been signed - confirming controller, joint controller, processor and sub-processor relationships - ready to wave at the data protection authorities in case of ‘The Audit’.

Privacy outside the EEA

Companies outside the EEA have been less directly affected by GDPR, but there are signs that privacy laws are toughening up everywhere. The EU-US privacy shield connection might be severed unless the US is compliant with tougher rules by 1 September. Japan updated their Act on Protection of Personal Information (APPI) in May 2017 to allow data transfer from the EEA post GDPR, and the State of California voted in data privacy laws not too dissimilar to GDPR. In Australia, a recent statistic showed that 80% of Australians don’t like being tracked without knowing it, so watch that space too.

Programmatic advertising has survived and, for me, GDPR is a reset button for our industry. Updated legislation on personal data is here to stay and each country outside the EEA will be looking to refine their laws to give consumers more control over how we use their data.

Even bigger change ahead

The genie is out of the bottle and the GDPR heralds a new dawn of data transparency. The forthcoming update to the Privacy and Electronics Regulation (PECR), will usher in the Electronic Privacy Regulation (ePR), which will do what GDPR did for ‘personal data’ to third party cookies. There is a very real possibility that all browsers across all devices will behave like Safari currently does, with its opt-out of third party cookies and Intelligent Tracking Prevention (ITP) system rendering it completely useless for deterministic, ID based targeting. In addition, legitimate interest excuses for targeting activity will no longer be acceptable and a ‘consent first’ model will emerge, something that GDPR tried to achieve, but couldn’t.

I have seen changes like this before in other marketing channels and in online retail. What it boils down to is, rather than trying circumnavigate or ignore these challenges, brands need to embrace them and put the customer at the centre of everything they do. If a customer knows what you are doing with their data, they are more likely to trust you, and appreciate more relevant experiences - as opposed to those that often detract and annoy. A recent spate of acquisitions in the data space show that it is still very much alive and well, if done in the right way.

We work with our clients to support them with GDPR and are seeing consent for relevant advertising upwards of 80%, so it’s not as bad as everyone thought. And there’s a bonus, explicit consent under the new legislation is yours forever, as long as you fully support the rights of individuals. This delivers the opportunity to build a more meaningful relationship with that customer through display, engaging and interacting with them at the right time with the right messages – developing a better relationship with your brand and what you have to offer.

What happens when third party cookies go?

Obviously, customer relationship management (CRM) is not a new thing, it is just that while programmatic display has been widely used for branding and re-targeting, it has never been used to grow the lifetime value of a customer. Why? Well that’s down to adtech’s reliance on deterministic matching using third party cookies. This methodology works well for short periods - the average cookie lifetime on Safari is 24 hours. Most businesses can only dream of customers coming back and buying again within two months, so the adtech cookie model is flawed for true CRM. However, with explicit consent it is OK to build meaningful profiles around a user ID, breathing new life into data-driven customer relationship management through display.

And what about targeting without user consent? It is no surprise that Oracle snapped up Grapeshot, a contextual targeting system. For the 20% of users who don’t give consent, programmatic advertising can leverage good old-fashioned marketing and apply the myriad of ambient ‘non-personal’ data like website context, keywords on page, viewability, page quality, geo (provided it’s not too precise), device, connection type and speed.

Embrace best practice – and focus on customer lifetime value

The new dawn has also brought brand experience and creative relevance back into sharp focus. If the customer is going to give consent based on trust, the practices of no frequency caps, invasive formats, spray and pray, and bad creative focused on driving clicks will have to stop.

As advertising continues to be digitised across multiple channels, programmatic will become more important as it offers the ability to overlay ID based profiling and ambient data alongside strong sequential creative and messaging in all these formats - to find new customers, prospect to conversion and grow lifetime value - allowing true customer lifetime value to be attributed and realised.

Life after third party cookies will not be so bad. With ePR making the adtech cookie divorce complete, probabilistic matching based on non-personal signals will replace the cookie. Our recent tests show that with the right application, it can actually deliver better results.

So there we are. The sun is rising on a new world where privacy is at the centre of everything we do. Nothing has changed too dramatically, but the change has begun. The new dawn will be a mixture of embracing legislative change, giving the customer more transparency on their data, and enhancing interactions so that your permission to use that data is not taken away.

With consent, your hand is being forced to build longer and more meaningful engagements through intelligent display programs that deliver real customer lifetime value but I, for one, am looking forward to it.

Andy Houstoun is product director at Crimtan

GDPR Advertising

Content by The Drum Network member:


Find out more

More from GDPR

View all


Industry insights

View all
Add your own content +