10 Unintended Consequences of the GDPR


When legislators in the EU came up with the GDPR legislation, I know they had the best intentions to protect the rights of users.

For too long digital media, marketing, and advertising technology platforms have been harvesting and monetising data (albeit cookie data, for the most part) without the knowledge of the user.

The EU decided to take on this practice by introducing the GDPR – and force companies handling PII to give more control to users.

Whilst nobody can argue against the logic of the legislation, I doubt EU legislators could have envisaged the unintended consequences of their lofty attempts to empower EU citizens to take a stand against the questionable use of PII.

Here I list the 10 probable unintended consequences of the GDPR and their likely effect on the digital marketing ecosystem in the EU.

1. Strengthening the duopoly, weakening the 20 percenters – in the short term

Many say the GDPR was conceived as a means of blunting the control of the duopoly. This is utter nonsense. Legislators have been concerned about how both Facebook and Google process data, but the GDPR wasn’t architected as a way to control their dominance in Europe.

But one of the biggest unintended consequences is likely to be a strengthening of the duopoly. Their power is absolute in digital advertising. They control nearly 80% of digital spend in the EU.

I am about to tell you that things are going to get worse before they get better. I am predicting that the duopoly is going to get to a 90% share of the digital ad market in the next 12 months.

The GDPR, in its current guise, is a godsend for the duopoly. For years, advertisers and agencies have been pushing Google and Facebook for independent measurement and the ability to extract data. This is useful for basic things like frequency capping and insight.

The GDPR now almost makes this impossible. Google and Facebook will have no oversight. They get to mark their own homework. It’s a ridiculous situation. But brands need the duopoly more than it needs the brands. Those walls just got a little higher; and from the conversations I have been having with European agency heads, more money is coming their way.

2. Big publishers will be the first victim of GDPR

While I have an ambivalent relationship with Google, I do think their stance on GDPR has been correct. Absolute consent is necessary to use and process users’ PII. Legitimate interest is not legally defensible for some of the practices that take place in this industry – Google has been pushing this aggressively and has been backed by the WFA.

What I have been shocked by, in the run up to GDPR, is the way publishers have been approaching it. The majority of them believe legitimate interest will be fine. While this is a grey area, I think they will be first in line to be tested by this legislation.

Go to any of the top newspaper publisher sites and run a cookie audit, and count the number of cookie syncs taking place on a single page.

This URL that hosts a story about Barbara Windsor on the Daily Mail is running 88 advertising trackers on the page.

Come 25 May, the Mail will have to opt-in these users to allow this type of data processing on their site. Legitimate interest does not work here. In my view, publishers are most exposed post 25 May, and as such will be the first to be legally tested by the new regulation.

3. The effect of the GDPR on programmatic and display

I haven’t seen much written about the economic consequences of GDPR. I think it will be significant. If the biggest buyer in the market (namely Google) and other top DSPs are asking for explicit consent, programmatic volumes are going to drop. That means less money for publishers. I am hearing drops in programmatic video could be as much as 40% on some platforms post-25 May. The effect on mid-to-long-tail publishers could be even more pronounced.

Now, the other consequence not yet understood by the industry is the effect on measurement and performance tracking. If users opt out, how do things like post-view measurement continue to function? Do we then question the value of display advertising?

My prediction here will be a shift of budget to paid search (Google benefits) and closed platforms (Facebook, Snap) and a drop in the open marketplace.

4. The rise of contextual tech

The GDPR makes me feel like we might be heading back to the noughties, when premium and context ruled. I believe context will make a huge comeback in Europe, and there will be a new clutch of ad tech specialising in contextually based solutions. If the recent multi-hundred-million pound acquisition of Grapeshot is anything to go by, it will be a hot area for M&A over the coming months and years. But then the king of contextual targeting, Google, could just clean up.

5. The sales house makes a comeback

The sales house got killed by programmatic. But, in the user-first environment, I can see it making a comeback. The IO, sold and optimised on context, could capture a significant slice of budget, as marketers look for options outside the walled gardens. It’s hard to predict what will happen in the programmatic space. But if enough users opt out, there will be a new ad economy that needs servicing – the economy of non-personalisation. And there will be no better solution to help advertisers than the sales house 2.0. The sales house will need to white label contextual-targeting solutions and figure out measurement strategies that satisfy both the GDPR and the buyers. The IO still reigns.

6. The GDPR ‘ambulance chasers’

Get ready for the robo-calls: “Has your data been processed illegally? You might be entitled to compensation.” GDPR is going to spawn a whole cottage industry of consumer-rights solutions that will go after non-compliant companies. Everybody is at risk. And don’t think people won’t take legal proceedings if you you don’t get buttoned up legally. I predict a three-month lull while cases are being built. Remember, we are talking about massive fines if companies don't comply - as well as the inevitable PR disaster of court action.

7. The emergence of the SSO (single sign-on)

A number of European markets have come together to establish a single sign-on strategy in the face of the GDPR. The idea is to build a premium entity where users have to sign in to access content. This obviously does not allow publishers to serve ads using that data. But it would give them a richer data set, if and when users opt in for data-driven advertising. It would also allow them to upsell other products, like subscriptions or tailored solutions.

8. Disrupting the user-attention economy

The GDPR will significantly alter the way we monetise attention. We are going to see a number of new solutions enter the market. Companies like Brave, which take the ad blocker to the next level, are trying to introduce micropayments to support publishers. I don’t think everyone will pay for content, but attention is a currency that can still be traded, as long as there is an agreement on the process. For too long, the user has been invisible in this monetisation process. And whether that’s a micropayment, opt-in, or an outlier solution like onsite crypto-mining, the user-attention economy is ripe for disruption. Expect to see lots of new innovation in the space. The best brains in ad tech will head in that direction.

9. Data-rich, consumer-facing companies enter the fray

In the scramble to be GDPR-compliant, a raft of opportunities to capture ad budget will arise for new vendors. Those consumer-facing apps, with strong customer relationships, are well-placed to get advertiser spend. Companies like Uber, Airbnb, and Netflix have massive user bases, and lots of logged-in data. Most publishers/apps have fleeting relationships with their users; and their current monetisation strategy is based on non-GDPR-compliant practices. These consumer-facing apps could build big ad businesses – at the expense of utility plays on mobile. Remember that mobile device IDs are also now classed as PII. The Ubers and Netflixes are well-positioned to get consent from users and serve ads within their own ecosystem.

10. GDPR as a long-term problem for Google

At the time of publication of this post, none of Google’s ad tech products were in the IAB list of vendors for its framework. Most independent CMPs (consent management platforms) building off this framework are pretty useless without Google.

To add to this, Google’s CMP is allowing publishers to list a maximum of 12 vendors (including Google’s own ad products) to users, when they are opting in to data-driven advertising. On my last count, Google had at least 15-20 measurement and ad products.

That presents little wriggle room for ad tech’s sprawl of vendors. I would add here that Vestager and her team are monitoring this stuff closely. Google is close to being broken up or forced to divest parts of its business.

I would start with DoubleClick. It’s the tech that Google ruthlessly uses to force control over spend at the marketer/agency level and supply on the publisher side.

The GDPR has plenty of upside for Google in the short term, but ultimately it exposes their absolute dominance in Europe. It will, therefore, become easier to build an anti-competitive case to break up certain parts of the company.

I think Google will cave on going it alone with its CMP, opting instead to partner with the IAB. Money will still flow to them regardless – and that is a huge problem for Google. A 90% market share of digital advertising – controlled by Google and Facebook – is too much for the EU and the industry to stomach. A break-up is inevitable – and it will happen sooner than you think.

While there is much to fret about the GDPR, there is going to be some significant upside in the long term. As such, we should all see GDPR as a good thing and, more importantly, a necessary rebalancing of data use in favour of the consumer. I look forward to seeing you all on the other side of 25 May.