GDPR in AdTech One Year On: What Actually Changed?

The lead-up to the European Union's General Data Protection Regulation (GDPR) on May 25, 2018, had a lot in common with previous looming deadlines like Y2K. Anxious anticipation and speculation set the industry on fire: GDPR-themed blog posts, analyses, and predictions spread like wildfire.

In the weeks and months before enforcement, theories circulated that GDPR would end targeted online advertising entirely. Companies scrambled to make their contact lists compliant (remember all those opt-in emails?), and the broader AdTech world braced for the unknown.

Now, with a year of enforcement behind us, hindsight offers a clearer picture. Was the hysteria justified? Did GDPR reshape AdTech the way everyone expected? What follows is a look back at the most significant news stories from before enforcement, on the day itself, and in the months that followed — a useful gauge of both the genuine disruption and the considerable overreaction.

The Lead-Up to GDPR

In the early months before enforcement, the noise was loud but the signal was weak.

• An increasing number of posts described the what of GDPR but offered little on the how — what the regulation required, but very little practical guidance on achieving compliance.

A recurring theme was that companies — particularly non-EU ones — simply weren't ready. Part of the reason was the regulation's extraterritorial reach.

• From an American vantage point, GDPR was hard to fully grasp — a sprawling piece of legislation covering 99 articles and 173 recitals, conceived by a legislative body that had no authority over US firms. What struck many as particularly jarring was the obligation to comply even if a US company processed the data of a single EU resident.
• With so much uncertainty about how GDPR would unfold, some brands put their programmatic activity on hold ahead of enforcement day, choosing to wait and see what industry leaders like Facebook and Google would do.
• Google's response was particularly consequential, given how much of AdTech depends on its infrastructure. The company restricted marketers from using DoubleClick ID data for cross-platform reporting and measurement — a move that rattled the industry and further consolidated Google's walled-garden position.
• Other US-based companies, like identity resolution firm Drawbridge, chose a different path entirely: rather than building toward compliance, they exited Europe and planned to stop buying media there. This approach reflected a misunderstanding of how the regulation works — closing European operations doesn't eliminate compliance obligations for any company that markets to EU-based audiences.
• Various bleak scenarios made the rounds — doomsday predictions about AdTech collapsing — most of which turned out to be vastly exaggerated.
• Alongside the darker forecasts, there were positive voices arguing that GDPR would empower users and bring some order to the wild west of online advertising. One widely cited MediaPost piece laid out why GDPR could ultimately benefit publishers, advertisers, and consumers alike.
• GDPR was also recognized as something that would rewrite the rules of AdTech without necessarily destroying it. The more credible predictions suggested it would push the industry away from bottom-of-funnel retargeting via open exchanges, and toward contextual advertising and first-party, consent-driven data use.
• There was a broader sense that brands would no longer be able to treat customer data as a freely tradable commodity on open markets — a direct challenge to the third-party data economy.

As enforcement neared, the industry's understanding sharpened and more specific analyses began to surface.

• A general consensus emerged that GDPR compliance would require, at minimum: respect for user data, functioning consent management, transparency around breaches, and de-identification of personal data.
• The quality of third-party data had always been questionable — estimates put its accuracy at roughly 50%. Despite that, third-party data remained foundational to online marketing because, for AdTech companies without access to first-party data, something imperfect was still better than nothing. GDPR's focus on this data category at least helped raise broader awareness of privacy issues and how the industry actually operates.
• As attention turned to consequences, the financial penalties for non-compliance came into sharper focus: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches.

Closer to enforcement day, the conversation turned practical: what would GDPR-compliant consent actually look like in the wild?

The question of how to collect, store, and manage user consent from a technical standpoint generated considerable debate before a single consent pop-up had appeared in the wild.

• PageFair published a detailed look at proper consent box design, including examples and downloadable wireframes.
• Alongside UX considerations, there was growing discussion of how consents would be transmitted between vendors in the programmatic chain — the foundation of what would become the IAB Transparency and Consent Framework.
• AdTech vendors began watching each other closely, trying to gauge who was actually ready.
• Pre-enforcement analysis consistently showed that brands and agencies were in a holding pattern — aware that compliance was coming, but waiting for further clarity before committing resources.
• For publishers, verifying their AdTech partners' readiness became a pressing concern. PageFair went so far as to develop Perimeter, a regulatory firewall that whitelisted, blacklisted, or greylisted third parties based on compliance status.
• ExchangeWire surveyed a number of prominent AdTech companies — including dataxu, Rubicon Project, Sizmek, Adform, Quantcast, and AppNexus — on how they were preparing.
• Industry research from the period revealed a notable lack of readiness among AdTech and MarTech vendors in the final stretch before enforcement.

Enforcement Day: May 25, 2018

When the day finally arrived, the immediate picture was dramatic:

• Facebook and Google were hit with lawsuits almost immediately by None Of Your Business (NOYB), the privacy advocacy group led by Max Schrems, over their use of forced consent tactics.
• Ad demand in Europe dropped between 25 and 40 percent on some exchanges on enforcement day itself.
• A number of US news sites simply blocked access to EU visitors rather than attempt compliance on day one.

AdTech in a Post-GDPR World

In the days, weeks, and months after enforcement, the stories that emerged were a mix of the expected and the surprising:

• AdTech vendors ran into significant teething problems with the IAB Transparency and Consent Framework (TCF).
• Reports showed that ad retargeting was actually growing post-GDPR — largely because many businesses adopted a "business as usual" posture, skipping proper consent mechanisms, leaning on the legitimate interest argument, or relying on implied consent.
• For companies that were collecting consent properly, a new problem emerged: consent-string fraud, stemming from a lack of interoperability between Google's CMP and the IAB TCF.
• Vectaury, a mobile demand-side platform, was investigated by France's data protection authority, CNIL, over improper collection of user consent.
• Premium publishers started pulling back from open exchanges. The Financial Times cut off open programmatic trading. The New York Times turned off open exchanges in Europe entirely, shifted to contextual targeting and direct deals, and saw ad revenues grow as a result.
• Google was fined €50 million by CNIL for invalid consent mechanisms and a lack of transparency around data usage — the largest GDPR fine issued at the time.
• Brave and Panoptykon Foundation filed multiple complaints with European data protection authorities over alleged GDPR infringements by Google and the IAB related to the real-time bidding ecosystem.
• Ireland's DPA opened an investigation into Quantcast over its consent collection practices, joining a list of other companies under Irish DPA scrutiny that includes Facebook, Instagram, WhatsApp, Apple, Twitter, and LinkedIn.

Where AdTech Goes From Here

GDPR enforcement didn't produce the doomsday scenario that so many pre-May 2018 headlines threatened. But it did produce a steady stream of DPA investigations across Europe, and Google's €50 million fine was an early signal that regulators are willing to act against the industry's biggest players.

GDPR is, however, only one part of the compliance picture facing AdTech companies, agencies, brands, and publishers. The introduction of Apple's Intelligent Tracking Prevention (ITP) in Safari and Google Chrome's restrictions on third-party cookies are likely to have a more immediate and direct impact on the industry — these are technical changes that take effect regardless of whether a company chooses to comply, unlike a policy that can be quietly ignored while enforcement ramps up.