Technology Programmatic GDPR

Paul Gubbins: GDPR has been good to you


By Paul Gubbins | Head of Strategic Partnerships

August 28, 2018 | 6 min read

Several months into what some thought would be a nuclear winter for adtech, I wanted to take a look at the impact of the GDPR on the buy and sell sides, and see if it was as bad as many once feared...

Close to half of media agencies use their own programmatic buying solutions

Paul Gubbins takes a look at the impact of GDPR

As the 25 May deadline loomed, many publishers on the sell side tried to understand the potential impact the hefty and sometimes confusing legislation would have on their programmatic revenues. Remember, many premium publishers make well over 50% of their revenues via programmatic demand and they’re under pressure to deliver growth, so they’re naturally concerned about any potential compression on these numbers.

On 25 April, the IAB Europe launched 'The Transparency and Consent Framework' that was designed to give audiences full visibility and control over who is allowed to process their data in connection with advertising, and for what purposes. Publishers who wanted to join the framework had to work with a consent management platform (CMP) approved and registered by the IAB Europe.

This is where you hit the first dilemma faced by the sell side: what CMP should you adopt? With more than 80 CMPs registered within the IAB framework, at first glance it looks like the challenge is simply one of overwhelming choice, but then, as always, there’s Google...

Google operates its own unregistered CMP called Funding Choices. Some industry commentary has suggested that the Google DSP would only buy impressions furnished with consent passed via the Funding Choices CMP.

Imagine I’m a publisher: people suggest that one of the biggest DSP's in market is only going to buy from publishers who have adopted the Google CMP, so why don’t I just implement Funding Choices? It seems like an obvious decision.

Well it isn’t. When it launched, the Funding Choices CMP only allowed a publisher to list 12 vendors it could collect and pass consent to. Why 12? Google’s research suggested users were more likely to opt in if fewer vendors were listed in the consent pop up messages. Now, if you are new to programmatic, you may think 12 is a reasonable number. I mean, how many vendors does a publisher really need to work with to build a robust programmatic strategy?

I can tell you it’s a lot more than 12. Most publishers work with multiple SSPs due to the proliferation of header bidding, then there are DMPs, CMPs, DSPs and ad networks, as well as viewability and brand safety vendors.

So what happened next? How did publishers react? Well, as you can imagine, there was both chaos and confusion in the market, ending with US trade body Digital Content Next and others lobbying Google to remove the 12 vendor cap in Funding Choices. On 7 June it was reported that Google were lifting the cap and publishers could list as many vendors as they needed to.

Fast forward to today. Are we living in a Mad Max-like apocalyptic world where the Lumascape has imploded? In short, no. Most, if not all scaled publishers now support one of the CMP’s registered by the IAB Europe or use Funding Choices from Google. We have had public earnings calls from adtech vendors and major agency holding co’s and I think it’s safe to say the headwinds caused by GDPR have been navigated with minimal turbulence.

That said, GDPR has accelerated some change in practices. This is apparent in buyers and sellers reducing dependency on third party data and the rise of second party data (somebody else's first party data) marketplaces.

For many years, the output of data-driven, audience-based buying often resulted in premium publishers being overlooked by DSPs that could find their audiences in longer-tail or more affordable environments. CMP’s created gatekeepers out of publishers and enabled them to be once again custodians of their audiences.

What’s next in GDPR?

Fraud follows the money

Today, many DSPs only want to target inventory that is passed with GDPR consent. As a result, there are reports about fraudulent practices manipulating ‘consent strings’, and tricking DSPs into thinking a bid request is being passed with GDPR consent (when it’s not) to command a higher price.

Both buy and sell sides will respond with proprietary features and the deployment of third party partnerships who specialise in fraud detection. The pending OpenRTB 3.0 protocol when adopted will also make fraud much harder when it comes to supply manipulation via initiatives such as Ads.cert.


Article 6 of the GDPR states that a data controller may only process data lawfully if, among other things, it has legitimate interest or consent. There is a question if “legitimate interest” will be supported under ePrivacy when it comes into effect.

If it isn’t, business would have to collect explicit consent, which could result in publishers forced to collect consent for every single vendor they work with, instead of the holistic consent many collect today.

Beyond Europe?

The proposed 2020 California Consumer Privacy Act - watch this space.

To summarise, GDPR has not been the iceberg that many thought HMS programmatic was sailing towards. It’s been a great opportunity for the data-driven ad and martech sector to be open about internal and external practices, and resulted in greater transparency for all. Identity is the new battleground in 2018 and only those that can interpret, navigate and build around increasing legislation are going to be well poised for growth. The role of DPO is not going anywhere!

Paul Gubbins is programmatic lead at Unruly

Technology Programmatic GDPR

More from Technology

View all


Industry insights

View all
Add your own content +