As of today (May 25), the General Data Protection Regulation has been in force for five years across the European Union. It has been a period in which the data privacy law has been lightly enforced by regulators, has left ad execs confused over what is and isn’t permissible, and has been overshadowed by platforms.
There’s no other way to explain why there’s been so little enforcement of the law. Indeed, most (64%) of the 159 enforcement measures by late 2022 were merely reprimands, according to the Irish Council for Civil Liberties study of the European Data Protection Board’s register of final decisions.
Maybe this is the nature of bureaucracy in all its glory.
When it launched in 2018 the GDPR was hailed as a privacy superhero of sorts. It set the rules for how companies handle personal data, making sure they couldn’t just grab it without someone’s permission.
But those rules were written in a way that left a lot open to interpretation. And that should’ve been fine. Regulators said they would educate the market and only enforce where they believed the most harm was being caused. This happened, but not always in ways that have changed the ad market for the better. Efforts to educate were often reduced to guidance notes that some ad execs deemed indecipherable — see the thriving cottage industry of so-called “GDPR consultants” as proof — while enforcement has been patchy at best.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, was more blunt with his assessment: He said the GDPR has not been “enforced in any significant way”. The crux of his argument can be read in a post he shared with the Economist. Other industry voices have been equally underwhelmed by the impact (or lack thereof) of the GDPR. “The platforms never really changed their practices,” said one agency exec speaking on the condition of anonymity.
In short, the story of the last five years is one of missed opportunities, minimal reforms and lots of privacy consultants.
That assessment, while overly simplified, is at least directionally right, and the recent record-breaking €1.2 billion fine dished out to Facebook owner Meta only augments the argument.
It was issued by Ireland’s Data Protection Commission earlier this week (May 26) after it concluded that the tech company had ferried troves of personal data of its users in Europe to the U.S. without sufficient safeguards in place against its misuse. The breakdown can be found here, but this is the abridged version: the fine itself doesn’t really matter (Meta made a net profit of more than $23 billion last year); what does matter, however, is the requirement for Meta to stop the storage of personal data on European users in the U.S. Meta says this is about a clash of EU and U.S. law rather than data being at risk. This is basically true.
Needless to say, the implications of this ruling will take a while to shake out.
Keep in mind that Meta will probably appeal. Then there’s the possibility that lawmakers in Europe and the U.S. can agree on a mechanism known as the Data Privacy Framework that will let Meta and other companies legally transfer the data of EU individuals to the U.S. In the meantime, any company which needs to transfer personal data to the U.S. will remain utterly confused.
This is the GDPR in a nutshell: a delicate dance where every step forward feels like three steps back. The wide deviation from the anticipated outcomes for advertising starts to make more sense.
Facebook, media agencies and programmatic advertising were all meant to be among the biggest losers in the fallout, and yet they came through it relatively unscathed. Even dodgy cookie consent, which was a big bugbear of regulators in the run-up to the GDPR, is in rude health. Advertisers still don’t know how cookies — the mechanism that houses the data they use to power programmatic advertising — are obtained. It turns out pretty sneakily on occasion.
That’s not to say the GDPR was a walk in the park for the ad industry. The scars are there for all to see.
Remember Drawbridge, the cross-device vendor? It had to exit Europe entirely thanks to the GDPR. Verve did similar, as did countless smaller ad tech vendors who didn’t have the resources or knowledge to deal with the GDPR. Larger companies also struggled. Criteo’s stock price seemed to be in a permanent state of flux in those final few months before the regulation arrived. Oh, and don’t forget Google’s DoubleClick ID. The thing agencies relied on for cross-device attribution across the web got restricted due to the wide-ranging data privacy law.
Still, these flashpoints were rare and the consequences of them were limited.
The same can’t be said for the Transparency & Consent Framework (read: those cookie notice pop-ups that get in the way of reading online articles).
This was the industry’s attempt to standardize how businesses — publishers and ad tech vendors predominantly, but also agencies — can continue running programmatic advertising on the open exchange in a way that is compliant with GDPR. Surprisingly (or maybe unsurprisingly), it didn’t.
The IAB Europe is working to fix the TCF it orchestrated with the rest of the market. However, those efforts may not be enough. That’s a matter for the EU’s Court of Justice to settle.
Until then, the TCF’s fate and more broadly the fate of buying ads from the open exchange, where prices are decided in real-time through an auction, hang in the balance. Cue lots of concerned ad execs — the foundations of a large part of their industry could crumble.
“The information-and-choice paradigm that the GDPR incarnates is undoubtedly the best way to empower users to decide which online content and services they pay for with money and which they wish to access against their willingness to receive advertising,” said Townsend Feehan, CEO of IAB Europe. “But having produced a global ‘gold standard’ for data protection regulation, Europe needs to ensure the supervisory authorities have the knowledge and other resources to ensure the Regulation delivers all the benefits to users and to Europe’s digital economy that it can.”
In many ways, the fracas over TCF is symptomatic of how much the ad industry, especially the buy-side, has adapted to the GDPR. Where possible those stakeholders have tried to replace or even rewrite cornerstones of how personal data is sourced, processed and stored but rarely have they tried to rewrite them entirely. That’s changing now, to be fair, but that’s more due to second-order effects of the GDPR than a direct consequence of it.
“A lot of this is because data privacy regulation is starting to become much more comprehensive and as a result it’s becoming customer centric,” said Jon Suarez-Davis, chief commercial officer at data control business Ketch, who was leading Kellogg’s digital strategy when the regulation came into effect. “Pre-GDPR you had a handful of people who were stewarding billions of dollars of media and data investment at companies. Today, that aperture has widened: legal counsel, data scientists and other specialists are being brought into the fold a lot more when it comes to these discussions.”
Trying to figure out what the GDPR has added up to over the last five years is really a process of addition by subtraction. The demonstration of what it hasn’t achieved illuminates what it has. And what it has achieved is public awareness. Nowadays, people are a lot more aware of their personal privacy online than they were in 2018. True, they already were aware in markets like Germany, Italy and Spain, not so much in places like the U.K.
One in six people in the U.K. say they clear their internet browsing history and cookie cache daily and 18% say that they opt out of websites’ tracking cookies on a daily basis, per a study of 2,000 respondents by ad tech firm Nano Interactive. These aren’t overwhelming numbers by any means, but they do show an interest in data privacy issues.
“We can complain about the level of enforcement or the fact that it [compliance] is too complicated but without the GDPR individuals would be in a far worse place than they are today,” said Nigel Jones, co-founder of Privacy Compliance Hub. “We’re well set up for the future because of it.”
What he means is that what the GDPR has lacked in enforcement chops it has made up for in terms of influence.
Over the last five years, it has become the base for many privacy regulations beyond the EU, from the California Consumer Privacy Act in the U.S. to Brazil’s General Data Protection Law. Even recent calls for a federal privacy law in the U.S. can be traced back to the GDPR. And that’s not even considering the broader impact it could have on cross-border data flows, as the Meta fine shows.
Perhaps this is the more enduring effect of the GDPR. It was the start of a more nuanced, focused debate over data privacy. And if nothing else, those conversations have forced ad execs to think a bit more about the provenance of the data they used, whether consent equated to compliance with the law, and confront aspects of an ad industry that are unethical at best and unlawful at worst. No, this didn’t always lead to reform for the better, and yes, marketers have got complacent in some regards. But no one — marketer or otherwise — can say they aren’t aware of these issues now.
“That’s a good thing,” said Ben Kartzman, chief operating officer at Mediaocean. “It’s really important that the ad industry gives people choice over how they share their data and are clear with them on what happens to it if they do. If GDPR has accomplished anything over the last five years it has heightened awareness of the importance of privacy and the need to protect that.”