One Year After GDPR – What Have We Learned?

May 25, 2018, is one of this century’s most important and controversial dates for online advertising — it was the day when the General Data-Protection Regulation (GDPR) went into effect in the European Union. When the law was adopted in 2016, many did not realize it’s full scope and repercussions.

The GDPR replaced the 1995 Data-Protection Directive which was founded when the internet was in its infancy. Both initiatives intended to strengthen data protection for individual citizens within the EU but the new regulation generated many more doubts and apprehensions due to the vast level of changes and limitations.

In 2019 to process any personal data, you must comply with the GDPR. This means that you need to base the processing on one of the lawful grounds laid out in the regulation. Without lawful grounds, it is illegal to process personal data. High penalties are possible for those who do not obey the new requirements (e.g. consent from every user to use his data).

Different strategies of publishers

Considering that specifics of GDPR implementation were still not clear weeks before it came to life, publishers started looking for the low hanging fruits. Legitimate interest is the most common for publishers in Europe. It may be used when businesses identify a compelling justification for using personal information, including commercial interests, which cannot be achieved without processing data and will have a minimal impact on privacy.

“Some publishers feel there is an argument for legitimate interest because they need revenue to create and distribute free content for their audiences and they can only make that revenue through advertising, which requires the processing of personal data.”
Pubexec.com

As a result of the mentioned uncertainties, many publishers decided to apply legitimate interest as a legal basis for the handling of personal data. But there were also many who have chosen a fully compliant way and applied very specific consent boxes. As a result in some of the second scenario cases, they have lost a great amount of ad traffic and thus revenue. One of the publishers, who have been in contact with us, lost up to 40% of its ad requests on May 25, when he launched his pop-up consent box.

This new requirement has been a challenge for many companies, as data privacy is a major concern of the public. However, several publishers with whom we have been working faced only a few days of declined revenues after the launch of the GDPR. It has been mostly due to the advertisers’ strategy. They have decided to limit the spending to let the first wave of confusion pass.

In recent years, we have become accustomed to closing pop-ups on the sites we have visited, but these should not be associated with GDPR-consent boxes. The EU has demands on how a consent box should look. Above all, the user must approve each of all third-party services with whom the publisher shares his data, and these entities must not be pre-selected. But you don’t see many of 100% compliant pop-ups yet in the EU. What is more interesting – the United States has taken the regulation a bit more seriously. US companies have implemented compliant pop-ups for visitors from the EU, using their IP addresses to determine who to show the consent box.

Do you like what you’re reading? Subscribe our newsletter for more content like this!

[mc4wp_form id=”407″]

Third-party data future

Another big issue tackled by the GDPR is the usage of third-party data, which means selling and buying for audiences, for example, users interested in sports. In the past, the agency/advertiser used a third-party provider, often bundled into the demand-side platform, that provided the third-party segments. Third-party data, in general, has become less and less popular, especially after the Cambridge Analytica incident. However, I believe that the scale of the third-party data negative publicity is a little overrated.

Nevertheless, as the effect of those changes, some providers of third-party data have closed their businesses in Europe. One of them is Addthis. The company owned by Oracle, who acquired it two years ago for around 200M USD. At that time, AddThis claimed that it tracked 1.9 billion users. The third-party audience service relied on the third-party data collected without consent.

“European publishers could still access AddThis tools for free, but not with data originating from Europe.”
The VP of Product Management, Cecilia Mao for AdExchanger.

Will first- and second-party data be a lifesaver for publishers?

First-party is a kind of data that the publisher has gathered about his clients/users. This information may be a new holy grail in light of the GDPR, also because many publishers around the world are switching to a paid-content strategy. This strategy also aligns very well with selling advertising based on the first-party data. When you get logged-in users who also approve of using the data, you get the consent much easier, even for a little wider use of data.

Publishers can also cross-identify segmented users against offline data sources which are called Second-party data. They can thus create interesting and relevant target groups to whom they may sell for higher prices, due to their unique and precise recognition.

Different countries have different access to offline data sources. For example, in Nordic countries, there are about 300 data points on every individual, and with an ID number or an address, these offline data points can be linked to the logged-in user. Then, the publisher can start selling qualitative ads for segments such as families with villas, sport car owners, etc. The limitation is the number of logged-in users, which is low among a few publishers. Some publishers have increased their login strategy since the implementation of the GDPR and the results are promising.

The login collectives

From a first- and second-party data perspective, it’s very exciting to look at the issues which the Germans are discussing. In light of the GDPR and the upcoming ePrivacy Directive, they suggest a login collective.

“The favored approach is login collectives made up of major publishing groups and non-publisher partners. The reason: one publisher’s single login strategy doesn’t likely have the necessary scale to rival the login platforms of Google, Facebook, and Amazon. However, a combined login structure that spans multiple publishers, IP firms, and other e-commerce brands potentially could.”
Digiday

This is a concept. For the individual publisher, this means the number of identified users on his site may increase significantly if the visitor has already logged in to one of the other sites in the collective. In this strategy, the volume of identified users may increase to a sufficiently large base. This also clearly places demands on how to design a technical solution so that it is legal under the GDPR.

It is obvious that the large walled-garden companies, Google and Facebook, have gained competitive advantages at the expense of European publishers. Both companies have relationships with their visitors and can thereby get a legal basis for processing personal data from their visitors much easier, it’s possible that the local alliances will change the odds but today it’s to soon to tell.

ePrivacy on the horizon

“53 percent of the respondents claimed they estimate the changes they’d have to make for the ePrivacy Regulation compliance would cost their annual sales to the tank by at least 30 percent. An even higher percentage — 67 percent of publishers said they’d expect to lose more than 30 percent of sales on all programmatic advertising that uses retargeting, according to the same research.”
Digiday

The GDPR has surely led to a revival in the contextual advertising trend. At the beginning of digital advertising, this type of targeting was widely popular. At that time, the article was manually tagged by the writers but today site analysis is performed by external technologies, which, with the help of bots, crawl the pages and segment its content. Thanks to this method, new user packages can be created and the publisher can continue with GDPR-safe targeting. Unfortunately, contextual campaigns are usually relevantly cheaper.

It’s just getting started

The idea and purpose of the GDPR are surely positive. Now we are in a period before the market stabilizes and finds a good and steady path. In the future, it will be particularly interesting to follow the local data inspections applying the GDPR like ICO from the United Kingdom. After some analysis and consideration, they are pointing out issues with Ad Tech industry compliance, which publishers and advertisers will need to take care of soon if they want to avoid penalties.

[simple-author-box]