In a Post-GDPR World, Who Will Be the Emissions Cheaters of AdTech?

You may remember the Volkswagen emissions scandal that made headlines worldwide in 2015. The German automaker had intentionally programmed its turbocharged-direct-injection (TDI) engines to activate emission controls only during laboratory tests — just enough to meet US pollution standards on paper, while doing nothing of the sort on actual roads.

The scheme worked until independent testing revealed that those same TDI engines were producing 40 times more NOx during real-world driving than in lab conditions, far exceeding what the law allowed.

That scandal was hardly an isolated incident. Car manufacturers including Fiat, Chrysler, Ford, Hyundai, and Kia have all run afoul of the US Clean Air Act (CAA) at various points over the five decades since it came into force in 1963. Volkswagen's case was simply the most dramatic — and the most expensive, ultimately costing the company approximately $30 billion in total fines.

So what does any of this have to do with AdTech and the General Data Protection Regulation (GDPR)? Quite a lot, as it turns out. The parallels are hard to ignore.

1. A Regulation That Changed the Game

Most car manufacturers caught up in CAA violations had to fundamentally redesign how their engines worked. Reducing NOx output to meet legal thresholds typically meant accepting a trade-off: cleaner combustion, but restricted engine performance. For companies whose products were built around performance claims, that was a real commercial problem.

AdTech vendors find themselves in an analogous position. The GDPR requires them to rethink the mechanics of their platforms in ways that cut against how those platforms have traditionally operated. Just as the CAA was designed to protect the health of US residents, the GDPR's stated purpose is to protect the personal data of people living in the EU and EEA — an objective that sits in direct tension with the data-hungry foundations of behavioural advertising.

2. A Financial Incentive NOT to Comply

The car manufacturers that cheated on emissions tests did so primarily for economic reasons. Stopping production, funding new R&D, and retooling manufacturing lines to achieve genuine compliance was expensive. Cheating was cheaper and faster — until it wasn't.

AdTech companies face a similar calculus, though the incentive structure differs in degree. Compliance requires real development investment, whether that means expanding in-house engineering capacity or engaging outside technical resources. That cost comes with no obvious short-term revenue upside.

More significantly, GDPR strikes at the commercial core of online advertising: third-party cookies. For companies whose entire business model depends on third-party cookie collection — data brokers being the clearest example — the regulation is an existential threat, not merely an operational inconvenience. This is roughly analogous to the position diesel-dependent car manufacturers faced when the CAA first came into effect.

The regulation requires AdTech companies to obtain clear, unambiguous, and explicit consent from users before dropping third-party cookies in their browsers, collecting their data, and using it for behavioural targeting. That's a high bar — and it's getting harder to clear as ad-blocking software adoption continues to grow, with users actively eliminating ads and blocking third-party cookies on their own.

Against this backdrop, it's not surprising that many AdTech vendors have been leaning heavily on "legitimate interest" as an alternative legal basis for data processing under GDPR, rather than pursuing explicit consent. That bet is likely to prove a losing one under serious regulatory scrutiny.

3. High Fines for High Crimes

The penalties CAA violators have faced have ranged from modest to catastrophic, depending on the severity and scale of the infringement. Volkswagen's $30 billion total bill sits at the extreme end — a figure that underscores what regulatory non-compliance can ultimately cost.

GDPR enforcement carries similarly tiered consequences. Less serious infringements attract fines of up to €10 million or 2% of the previous year's global revenue, whichever is higher. More serious violations — such as failing to obtain proper consent for data processing — can result in fines up to €20 million or 4% of annual global revenue.

None of this is to say that AdTech vendors will intentionally set out to circumvent the regulation. But the financial incentive to cut corners is real. Compliance requires spending money on something that delivers no conventional return on investment, while simultaneously threatening the business models that have driven growth across the industry. The next several years will make clear which companies treated GDPR as a genuine compliance obligation and which ones treated it as an obstacle to be minimized.


This article was originally published on ExchangeWire.