GDPR’s AdTech Fulcrum: The lone provision which makes or breaks AdTech in the EU


These days the “What will be the GDPR’s impact on digital advertising?” discussions are a cacophony of disparate opinions, declarations, fears, and half-finished solutions. No one has a finger on the pulse yet. The grand plan was that the GDPR would simplify the European data protection framework currently in place by creating one single overarching regulation, doing away with the need for individual member state laws, interpretation challenges, and complexity.

However, as we get closer to the official implementation date, we’re seeing drafts and interpretations come out that toss aside the original grand plan. The GDPR’s “derogations” allow for member states to flex certain provisions in their own implementation and enforcement. This is creating an environment of uncertainty and mild chaos when it comes to global approaches to the GDPR and how to predict the impact on data availability for advertising, as well as potential revenue.

However, there is one key factor which could shift the balance while not impeding the GDPR’s lofty, important goals: validity of consent.

Validity of consent of GDPR

The GDPR’s refined requirements for consent to process personal data are front and center in all GDPR/AdTech discussions. But when I talk about one concept which can make or break AdTech, I’m not talking about the idea of consent in general. And I’m also not talking about whether or not downstream 3rd-party AdTech companies can take advantage of the “legitimate interest” basis for processing personal data. I think GDPR’s fundamental provision for AdTech players is the validity of consent section of the GDPR, Recital 43; Article 7 (4):

“ …in situations in which the controller’s performance of a contractual obligation or provision of a service is contingent upon the data subject’s granting of consent to process his or her personal data, consent is presumed to be invalid if data processing is not necessary for the controller to meet its obligations.”

This is the “bundled consent” concept. If this stands, as drafted/interpreted the challenges of consent are magnified and in turn, the challenges and scope of digital advertising face steeper mountains to climb by May of 2018. If this provision/interpretation of the provision is relaxed, 3rd-party AdTech players are in better shape.

RELATED: GDPR is coming, are you ready?

Said more simply (I hope), this bundled consent concept de-links consent from the service of a website meaning that if you are a website publisher, with ad space to sell, you cannot tie consent to the use of your site/viewing of your content. In essence, the GDPR asks publishers to provide content without allowing for the most effective means of monetizing their content/services. Sure, sites can still sell ad space under GDPR. But they can’t sell it nearly as effectively. One of the regulatory responses to these arguments has been that publishers should put up paywalls and charge directly for content/services.

Bold prediction: EU consumers will not “enjoy” paywalls and paying for content or services which were previously free.

And EU consumers said as much in the IAB’s recently released study aimed at specifically enumerating the economic impact of the GDPR on the EU advertising market. This study highlighted the significant impact on publishers of the “bundled consent” requirement in a few ways. A few salient points from the study:

  • 83% of consumers prefer free sites with ads over paying for content
  • 92% of consumers said they would significantly reduce their use of the internet if required to pay for content
  • 69% of consumers indicated that they would be willing for browsing data to be used in advertising in order to access free content
  • Data-driven advertising is over 500% more effective than advertising without data

So, the IAB is attempting to provide evidence which supports softening the bundled consent language. The EU Member States have individually and collectively stated publicly that this concept needs to be revisited. The instability of this particular issue is, in my view, slowing GDPR compliance programs in the AdTech space. For example, you can’t build full product requirements if you’re planning any sort of technological solution without understanding the scale of data which will be available for behavioral advertising.

The lack of clarity is challenging. But, it isn’t stopping dataxu. We’re deep into our GDPR compliance program already. Team Voltron is humming along. Privacy by design is built into our product/feature lifecycle, data optimization teams, and company policies. And, we are working on technical solutions by planning for all outcomes. So, even if the GDPR bundled consent requirements don’t ease, we’re ready. It may adjust the approach and strategy in the EU, but it doesn’t move us off the block.

The Marketer’s Guide to GDPR