As GDPR turns two, what's changed in the digital advertising world?

This promoted content is produced by a member of The Drum Network.

The Drum Network is a paid-for membership product which allows agencies to share their news, opinion and insights with The Drum's audience. Find out more on The Drum Network homepage.

Two years have now passed since the EU’s General Data Protection Regulation (GDPR) came into force. At the time, most in the ad sector appreciated that it had become necessary to update regulations for a much changed digital world, but many were concerned it would damage their business models. The best case scenario for these businesses was that they could adapt fast, get behind industry solutions and avoid the huge fines and brand damage that would follow non-compliance. The worst case was that the regulation would sound the death knell on a formerly prosperous sector.

Some things change…

In the event, however, the impact of GDPR has been much more nuanced. Of course, there were some negative consequences. Many publishers outside the EU, for example, decided to block traffic from the bloc rather than go through the costly and complex GDPR compliance effort. Other publishers stopped operating on open exchanges and have instead focused on direct sales and private markets.

There have also been positive moves to help the ad tech industry adapt. One of the biggest initiatives in this respect has been IAB Europe’s Transparency & Consent Framework (TCF) – a framework aimed to achieve GDPR compliance built by members of Europe’s digital ad industry. The TCF seeks to achieve data privacy across the advertising value chain and includes provisions for advertisers, publishers and ad tech vendors. But this framework hasn’t come without its critics.

..much stays the same

Despite initiatives like the TCF, it often seems that extraordinary little has changed since GDPR came into force and that ad tech companies are sticking to tried and tested methods. For example, until Apple closed all workarounds in March this year, many third-parties were still using cookies for cross-tracking on Safari – despite the practice being against both the spirit and letter of Apple's anti-tracking policies.

As far as the UK’s Information Commissioner’s Office (ICO) is concerned, routine breaches of GDPR are commonplace. In June 2019 it decided to act and gave ad industry companies six months to get their houses in order or face formal regulatory action. However, since then the regulator has temporarily suspended its data audit work to help relieve the huge pressure on the digital ad industry stemming from the Covid-19 crisis. This move has provided a short-term reprieve for the industry.

The need for speed

The past two years have therefore been one of slow adjustment rather than wholesale transformation. However, the pace of change now needs to pick up dramatically. As a result of GDPR, the tech companies that own device operating systems and web browsers have also been required to rethink data protection and the privacy of their users. Their simple solution – ending the use of cookies and mobile device IDs – is simple and effective. For the ad tech industry that relies on these identifiers to personalise and automate advertising it’s also devastating.

That means there are now just two years left before cookies and probably mobile device IDs are withdrawn. In that time, the industry needs to come up with new, GDPR compliant ways to identify users for targeted advertising. That means the time has come for the industry to come together and drive forward some meaningful change.

Working on an answer

The tech giants will provide part of the answer. Google, for example, plans to replace cookies with APIs in a Privacy Sandbox through which advertisers can access anonymised signals from Chrome users’ browsing habits.

While such ‘walled garden’ approaches will be useful, advertisers will also need privacy-first ways to reach audiences at scale in the open web and on browsers other than Chrome. Technical solutions to this challenge already exist that ensure private data stays within the data provider’s network and only tokenised audience segments are sent out into the ad tech ecosystem.

This is the approach taken by Novatiq, using consented audience segments from telcos. Within the carrier’s own network, we translate subscriber data into audience segments that are then applied to our unique, dynamic snowflake ID. Once the ID has fulfilled its purpose it can’t be reused, so consumers remain in control of their data at all times and advertisers can stay on the right side of GDPR.

The technical solutions to addressing GDPR are therefore in place. All that remains now is leadership and cooperation. With the TCF, IAB Europe has shown that the industry can come together to map solutions to the GDPR challenge. What we need now is to go a step further and for all elements of the ad value chain to come together and start implementing real change. Doing so will not merely ensure compliance with a regulatory requirement or help adjust to the post-cookie world, it will also help rebuild consumer trust in the digital ad ecosystem and lay the foundations for a sustainable advertising industry in Europe.

Tanya Field, co-founder and chief product officer at Novatiq

Join us, it's free.

Become a member to get access to:

  • Exclusive Content
  • Daily and specialised newsletters
  • Research and analysis

Join us, it’s free.

Want to read this article and others just like it? All you need to do is become a member of The Drum. Basic membership is quick, free and you will be able to receive daily news updates.