
Non-Compliance with GDPR Will Cost AdTech Companies More Than 4% of Revenue

Tags: GDPR, EU Data Protection Directive, consent, data breach notification, regulatory fines, compliance enforcement, data subject rights, privacy-first advertising, business risk

Given the volume of coverage the EU's General Data Protection Regulation (GDPR) received in the lead-up to its enforcement, it would be easy to assume the regulation emerged from nowhere. In reality, it supersedes an existing framework — the EU's Data Protection Directive — that has been on the books since 1995.

The Data Protection Directive never attracted anything close to the same level of attention, largely because of what it was: a directive, not a regulation. That distinction matters.

A directive sets a goal and leaves each member state to transpose it into its own national law, which is why data protection rules diverged from country to country under the 1995 framework. A regulation applies directly and identically in every member state, so under the GDPR both the goal and the process for achieving it are unified across the EU. It also means that companies failing to comply face genuinely significant penalties rather than vague recommendations.

Comply or Pay Up

For years, many companies — particularly those operating outside the EU — took a relaxed approach to user privacy, or offered reassurances that amounted to little more than posturing. Statements like "we don't collect PII" or "we take privacy seriously" were common, and largely unchallenged.

That era is over. As of May 25, 2018, the GDPR holds accountable any company that collects, stores, transfers, sells, or uses personal data of people in the EU, regardless of whether the company has a physical presence there. Note that the trigger is the data subject's location, not citizenship. A US-based publisher running US-based AdTech platforms becomes subject to the GDPR as soon as it serves ads to, or tracks the behaviour of, visitors located in the EU. So do the AdTech vendors serving that inventory.

Publishers, brands, ad agencies, and AdTech and MarTech platforms alike must implement compliance steps and update their policies. There is no workaround.

The financial exposure is real:

  • €20 million or 4% of the previous year's global turnover, whichever is greater, for the most serious infringements — including failing to obtain proper consent from users.
  • €10 million or 2% of the previous year's global turnover, whichever is greater, for less serious infringements — such as failing to notify the relevant supervisory authority and affected individuals following a data breach.

To put this in concrete terms: because the higher of the two figures applies, a company with €100 million in prior-year revenue is exposed to the full €20 million cap for a single serious infringement, which is a fifth of its revenue, not a €4 million fine. The 4% figure only becomes the binding limit once turnover exceeds €500 million; a company turning over €1 billion faces up to €40 million. Fines are also assessed per infringement rather than as one consolidated penalty, with one limit worth knowing: where several provisions are breached in the same or linked processing operations, the total cannot exceed the maximum set for the gravest of them.

Business Losses Will Arrive Before the Regulators Do

Regulatory fines typically come after the fact — following a data audit, a breach investigation, or a formal complaint. But the commercial consequences of non-compliance can hit well before any enforcement action is taken.

Companies that have invested time, money, and resources in becoming GDPR-compliant are not going to expose themselves to liability by working with partners that haven't done the same. Non-compliant vendors risk losing both existing relationships and future business opportunities as compliant players start reviewing their supply chains.

AppNexus made this concrete early on, publicly committing to GDPR compliance and stating it would stop working with partners that failed to meet the new requirements. It was a signal of what was coming across the industry more broadly.

To remain viable in a post-GDPR environment, AdTech and MarTech companies need to be able to show how their data practices align with privacy regulation — not just assert it. Some have gone further, positioning privacy compliance as a genuine differentiator rather than a box-ticking exercise.

For many platforms, this requires rethinking core business practices and investing in new approaches to targeted advertising that respect user privacy by design. That's a significant undertaking, but GDPR compliance could also serve as the forcing function that drives real innovation in privacy-respecting ad technology.