It’s been just over a month now since the General Data Protection Regulation (GDPR) came in to force within the European Union, and while May 25th wasn’t quite as apocalyptic as some had predicted, we’ve seen some other interesting trends emerge and the impact hasn’t been evenly distributed. Some companies have clearly benefited from the new laws, whilst others have been left struggling. Perhaps the true impact will only be seen when the regulators start taking high profile scalps, but even now it’s possible to identify some of the winners and losers under GDPR over the last month or so.
Facebook and Google will likely have known that GDPR would give privacy campaigners critical of large tech companies a new avenue of attack, so immediate filing of lawsuits against them won’t have come as a surprise.
However, the reality is that Facebook and Google have emerged as two of the prime beneficiaries of GDPR. Given that both companies own multiple platforms which are among the most visited in the world and have access to large amounts of first-party data, the two have had an easier time than many getting users to consent to use of their data (though the nature of these consent mechanisms is the crux of the Austrian privacy campaigner Max Schrems’ lawsuits against the two, as he believes their approaches amount to forced content).
Google’s GDPR strategy was regarded as unfair and self-serving by some, and an act of machiavellian brilliance by others. Shortly after May 25th reports emerged that Google’s DoubleClick Bid Manager (DBM) had begun driving much more ad spend through AdX, Google’s own exchange. Google justified the move by saying it was following a strict interpretation of GDPR that required it to funnel more bids into its own exchange to ensure user consent, which they claimed was higher than other SSPs and exchanges.
Google has also made a couple of other moves in the name of privacy, but which have simultaneously strengthened Google’s own position. For example, the company has started restricting third-party ad serving on YouTube and some commentors say they have effectively killed off independent attribution.
Whether these moves have been cynical efforts by Google to use GDPR as an excuse to strengthen its own market position, or genuine efforts to ensure full compliance, is up for debate. Either way, the new regulation certainly seems to have had some positive side effects for the company.
Facebook meanwhile has also benefited from a high opt-in rate, with CEO Mark Zuckerberg claiming in the run up to May 25th that the “vast majority” of EU users had opted in to use of their data when prompted to update their privacy settings. This means that at a time when some other publisher have struggled for consent, or seen revenues drop due to the failure of their ad tech partners to gain consent, Facebook’s private ecosystem has apparently remained relatively unharmed.
With the new regulation restricting the ability of advertisers to target audiences based on personally identifiable information, many predicted a resurgence in contextual targeting, which uses information based on the the content a user is interacting with in order to target ads.
Some believed it was no coincidence for example that Oracle completed its acquisition of contextual targeting specialist Grapeshot shortly before GDPR came into force. While Oracle didn’t specifically mention GDPR as a motivation behind the purchase, an anticipated boom in contextual targeting may have been a factor in driving the acquisition.
Christian Dankl, co-founder and chairman of YouTube contextual targeting company Precise TV, believes that GDPR will fuel the “age of relevance” as marketers shift towards contextual targeting. His company saw a jump in interest after last year’s brand safety scandal due to Precise TV’s ability to analyse YouTube content, and Dankl said he has seen a similar increase in the run up to GDPR.
“Brands are asking ‘How can you help us build a predictive model that gives us the same or better performance that we’ve seen with our DMP and audience targeting?’ I think this is really where GDPR fuels the age of relevance,” said Dankl.
Perhaps the most unexpected winners to emerge in the aftermath of GDPR going live are independent ad servers who have seen an uptick in usage. The new business hasn’t come about because the regulations gave them any benefits, but because Google’s response to GDPR has pushed business away.
“It’s given ad serving a bit of a renaissance,” said Martin Pavey, CMO at Flashtalking, “purely because of the moves Google have made with DoubleClick, specifically the DoubleClick products used by advertisers related to measuring digital marketing activity across multiple channels and media owners.”
Shortly before GDPR came into force, Google announced it would restrict the portability of unique identifiers needed to conduct independent analysis of campaigns, a move which concerned a number of advertisers working with DoubleClick Campaign Manager and has led them to consider taking their business elsewhere.
“We’ve had a lot of inbound phone calls from advertisers and agencies asking for our position post-GDPR in regards to having a consistent ID which allows us to continue doing the kind of independent attribution and measurement we’ve been doing,” said Pavey. “It’s quite an exciting opportunity for us, and one we didn’t really expect.
Not many CMOs placed a new ad server at the top of their shopping lists for 2018, but now clients who weren’t previously looking for an alternative to DoubleClick Campaign Manager are considering moving elsewhere.”
Joshua Koran, managing director, DMP at Sizmek, said his company has seen a similar surge of interest, saying that, “as soon as Google announced its change, our phones began to ring.” Koran emphasised though that any benefit is likely to be more long term as it will take a while for companies to commit to making such a drastic change. “The challenge is that switching ad servers can’t be done overnight,” he said.
One of the hardest hit groups by GDPR has been publishers, who have have been hurt by the new regulation in a number of different ways.
Publishers, as the first point of contact with the user, have been tasked with the bulk of responsibility for acquiring consent. Some have opted to stick with cookie notifications assuming consent if the user continues browsing (whether this is compliant or not is questionable).
Others have taken a much more cautious approach, asking users to actively opt in to the use of their data, whilst some have blocked European access altogether. Tronc, publisher of the Chicago Tribune and Los Angeles Times, and Muscle & Fitness owner American Media were among those to shut down access from the EU.
Some publishers have resorted to stripping out ads completely on EU versions of their sites. The Atlantic, for example, requires users to actively opt in to use of their data, and no ads are shown to users who choose not to do so.
A lot of the disruption in the ad tech world has has knock on effects for publishers too, as inventory becomes less valuable in cases where consent isn’t granted and data is stripped out. Sizmek’s Joshua Koran described how Google’s blocking of independent attribution and measurement on DoubleClick Campaign Manager (described above) has knock on effects for publishers.
“If advertisers are limited to analysis within each independent walled garden of data, then you can no longer understand what was the overall frequency of exposure from your media spend. That’s going to negatively impact your ROI and hence drive down the value of that media in each independent walled garden,” said Koran. “Long term, this would drive down the value of publishers’ inventory”.
Few publishers have shed any light on exactly how large of a financial hit they’ve taken from GDPR so it’s hard to tell the extent of the damage. The UK’s Johnston Press partly blamed the new data laws for a nine percent drop in revenue (though given that these financials were released less than half a month after GDPR came into force, it’s hard to see GDPR having that much of an impact in such a short period).
Data-Focused Ad Tech
One of the more predictable groups to be hurt by the new laws is ad tech companies which specialise in helping advertisers build audience profiles and use personal data for ad targeting.
Some of these companies, such as retargeting specialist Criteo, have seemingly weathered the initial storm by following relatively relaxed interpretations of the GDPR. Criteo has said it’s confident that its platform is GDPR compliant, and so far it’s not been proven wrong, with the company’s stock having risen in the month since May 25th.
Many are skeptical though over whether regulators will agree with Criteo’s interpretation, with financial news analyst Capitol Forum saying the company would need to “significantly overhaul” its data collection methods in order to reach compliance.
Other data focused ad tech companies have similarly taken a much more cautious approach. Location targeting specialist Verve and identity solution provider Drawbridge are two of the highest profile ad tech companies to close down their European operations due to the strain of GDPR.
GDPR isn’t necessarily incompatible with the services Verve and Drawbridge provide, but the law is vague on areas including what counts as legitimate consent, and what sorts of information count as personally identifiable information. Some companies like Criteo may be willing to gamble on a relaxed interpretation of the law, but for other ad tech companies and their clients, it’s not worth the risk.
To add insult to injury, reports have emerged that some publishers are using GDPR as an opportunity to cut down the number of ad tech partners they work with.
Programmatic Trading Platforms
In the immediate aftermath of GDPR coming into force, ad tech vendors reported huge drops in European demand on ad exchanges of up to 40 percent in some cases, according to information shared with Digiday.
Partly this was attributed to factors mentioned above. Google DoubleClick Bid Manager’s funneling of more ad spend through its own exchange punished other ad exchanges and SSPs, and the decision of several publishers to stop programmatically trading ads, or to shut off ads for EU users entirely, decreased the supply of inventory too.
Some of this may have been short term disruption, caused by confusion and uncertainty leading companies to be cautious. The Financial Times, for example, has said it’s shut down its open marketplace activity altogether, but will review over the coming months whether it can switch open marketplace trading back on. “We’re taking the overly cautious approach because we don’t make much revenue from the open marketplace,” the FT’s global head of programmatic told eMarketer.
Others however worry the implications for programmatic trading are more long term. As VAN reported earlier this month, many supply-side platforms (SSPs) and exchanges have started to strip out user IDs from bid requests, without which “you cannot fully exploit the benefits of programmatic,” according to Accenture’s digital marketing expert Amir Malik.
While Malik was keen to stress that he doesn’t seen GDPR as an apocalyptic event for the programmatic world, he stressed that the infrastructure which currently powers programmatic trading operationally may not be compliant with the regulation, and may therefore need a rethink.