BlogGDPR compliancedata privacy regulation

Why GDPR Hasn't Yet Reshaped AdTech

GDPRdata processinglegitimate interestuser consentcookie consentthird-party dataretargetingprospectingdata protection agenciesCNILcomplianceregulatory fines

In the lead-up to the year 2000, dire predictions circulated about a potential end to the digital world — a software timebomb known as the Y2K bug that would trigger at the stroke of midnight on January 1. As it turned out, the world kept spinning. Computers still worked, digital calendars displayed the correct date, and the only real casualties were some minor edge-case incidents.

The lead-up to GDPR's enforcement date on May 25, 2018 produced a similar hysteria in the online advertising world. And, much like Y2K, the AdTech industry didn't collapse. Companies didn't file for bankruptcy. Ads kept moving programmatically and otherwise.

If anything, the year following enforcement produced headlines that seemed to contradict the doomsday narrative entirely.

Stock Prices Up, Activity Running Hot

One outcome nobody predicted was rising stock prices among some of AdTech's largest publicly traded players.

The Trade Desk climbed from $82.99 on May 24, 2018, to $202.09 at the time of this writing, alongside healthy revenue growth. Rubicon Project went from $2.34 on the day GDPR came into force to $5.76 a share. AT&T acquired AppNexus for close to $2 billion, with similar acquisitions expected as large telecoms look to compete with the Google-Facebook duopoly.

On the surface, the industry looks remarkably healthy.

A few caveats are worth noting, though. Both The Trade Desk and Rubicon are US-headquartered, and The Trade Desk's growth has been driven substantially by non-display channels like connected TV and audio. When you look at European AdTech companies operating primarily in display, the picture shifts. Criteo's share price dropped from $25.35 on May 24, 2018, to $19.07 by May 29, 2019.

Unlike Y2K, GDPR's potential downsides aren't instantaneous. The worst may still be ahead, which means the current stock gains and M&A activity could prove short-lived.

Although GDPR doesn't prescribe a single cookie-banner design, it's detailed enough to make clear what consent mechanisms must and must not include. The regulation explicitly states that consent must be freely given, and data controllers — publishers included — cannot deny access or service to users who decline to provide consent or simply don't express a preference.

That's not what's happening in practice. Many publishers are blocking content from users who won't agree to data sharing. Some have adopted "assumed consent," whereby closing a consent dialogue without selecting any preference is treated as an affirmative agreement. These interpretations directly contradict the regulation's intent.

On top of that, there's the widespread practice of firing third-party tags even after a user has rejected data processing. While consent decisions must be stored and passed to AdTech partners, the practical outcome is that user data often leaks to those platforms regardless. It's no surprise, then, that some companies have reported opt-in rates of 90% on their GDPR consent requests — figures that look good on paper but reflect mechanisms that are not meaningfully compliant.

Legitimate Interest as a Catch-All

Well before GDPR existed, much of the AdTech ecosystem had settled on "legitimate interest" as its default legal basis for processing personal data. That practice continued largely unchanged after enforcement began.

The regulation doesn't explicitly say that advertising and marketing fail to qualify as legitimate interests — but that argument will almost certainly not survive a proper EU court challenge. The realistic path to lawful data processing for advertising is genuine user consent, which, as described above, most of the industry still isn't collecting correctly.

Business as Usual — With a GDPR Coat of Paint

Among the more striking post-GDPR developments was the finding that retargeting activity actually grew in the months following implementation. The explanation isn't hard to find: advertisers shifted away from prospecting — which depends heavily on third-party data aggregated across many sources — and toward retargeting, which is considered a lower-risk approach under the new rules.

The net effect has been some compression in addressable audience sizes, but for the most part, the industry has carried on as before. Generous interpretations of legitimate interest and non-compliant consent flows have kept the machinery running.

The Full Impact Is Still Ahead

Approaching the one-year mark, GDPR had not reshaped AdTech the way many expected — but it remains early days.

Google received a €57 million fine from France's data protection authority, CNIL, for GDPR non-compliance. CNIL also investigated Vectaury, a French mobile ad location DSP, for non-compliant user data collection — though it withdrew that investigation in February 2019 after the company implemented valid consent mechanisms.

These cases have caught the industry's attention, but haven't yet triggered meaningful behavioural change at scale. Privacy advocates and campaign groups continue to surface non-compliant practices, which is prompting data protection agencies to take a closer look.

The move toward genuine GDPR compliance is likely to be a slow one — measured in years, not months — driven by a combination of growing public awareness and escalating legal proceedings.

The Y2K crisis was largely averted because organizations invested heavily in preparing for it. Most companies made no equivalent investment in GDPR readiness. The AdTech reckoning many predicted never arrived on schedule, but it would be premature to assume it isn't still coming.

<Related />