2 Years In: 7 Industry Experts Weigh GDPR’s Impact

Jane O'Hara
Jane O'Hara
2 Years In: 7 Industry Experts Weigh GDPR’s Impact

May 25, 2020 marked the two-year anniversary of the GDPR, or General Data Protection Regulation, which the European Commission passed in April 2016 and began enforcing in May 2018.

The landmark privacy law states that EU (European Union) citizens own their personal data — and that companies must protect it. The GDPR affects all organizations with an EU presence or who process personal data of EU citizens.

On May 25, 2018, the EDPB (European Data Protection Board) began enforcing the GDPR, with potential fines as high as 20M Euros or 4% of yearly revenue, whichever is higher — but without the resources required to do so effectively.

Since it passed, the EU legislation has inspired other data privacy laws, including California’s CCPA, Brazil’s LGPD, and Thailand’s PDPA, but has the GDPR’s bark been worse than its bite?

Knowing there’s no simple answer, we asked seven industry leaders for their responses to the same question:

“Two years into the GDPR, has the law changed how you think about data privacy — or was the expense and race to compliance more hype than help for users?”
Jodi Daniels, Red Clover Advisors
Jodi Daniels, Founder and CEO of Red Clover Advisors, a boutique privacy consultancy that helps companies build customer trust while complying with global privacy laws such as GDPR and CCPA

“GDPR shifts the focus from the company to the individual. Companies now need to consider how data is being used: whether it has been appropriately communicated in the privacy notice, whether it honors a data subject’s rights, and whether data is properly secured. Before GDPR, only mature or often-regulated companies were even thinking about data privacy.

While the hefty fines that many had hoped would come to many of the big players have not yet happened, there have been fines for contract infractions to huge-scale data breaches. Just like a toddler, as GDPR now enters its third year, it’s learning from its slower steps as an infant and getting its foothold in the business world.

Customer expectations for privacy are ever-increasing in today’s complex data world, which puts further requirements for all companies in the ecosystem to comply with GDPR. Those that continue to put privacy at the top of their strategy will have a competitive edge.”

Tim Sleath, VDX.tv
Tim is Vice President of Product Management and Data Protection Officer at VDX.tv, a global advertising technology company transforming the way brands connect with relevant audiences in today’s converging video landscape

“There are definitely some positives. The EU data privacy landscape is more joined up than it was before, and the rules much clearer, which is a benefit for end users and data controllers alike. GDPR has become a global reference, of which the EU should be quite proud, raising the bar of standards and opening the door for things like CCPA to develop.

There are some negatives though — some of which may be ironed out in due course, while others seem ingrained flaws. It is astonishing that we’re still living in a limbo of waiting for the ePrivacy Regulation to take effect, when there was some expectation the two regulations would take effect at the same time. Two years on, Croatia has had a pretty good run at revising it, although Germany (who next take the reins of the EU Council) will probably rehash it again.

While GDPR has unified things in many ways, it’s not completely smooth. The appetite and resources of DPAs (data processing agreements), combined with the legal wrinkles of different jurisdictions, mean things are still somewhat piecemeal. Germany unilaterally took some big steps on acceptable consent (pre-ticked boxes, for example) which then led to EDPB acceptance of those new standards; more recently, Belgium’s DPA decided the DPO (data processing officer) role couldn’t be shared with, say, the Head of Compliance at a company. So for companies to plan their compliance, there’s a lot to consider — country-level (times 27!), EDPB-decision and ECJ (European Court of Justice)-ruling.

The aspect which I fear is here to stay, despite offering no benefit (the opposite) to users, intermediaries or regulators, is the idea that consent is the ultimate legal basis for data processing.

Consent is not king. It is surely no accident that other global, GDPR-clone laws introduced after May 2018 have adopted many of the GDPR’s principles — but never consent as such an explicit opt-in mechanism (even Canada’s PIPEDA accepts that consent online may quite reasonably be implied and even opt-out). Do the plethora of CMP (consent management platform) dialogs improve the data privacy of users? Even if so, is it commensurate with the hassle involved for those users? I don’t hold any hope that the ePrivacy Regulation will substantially alter this (Croatia had a stab at injecting some sanity, but got widely slapped down), so it’s something we all have to live with.”

James Avery, Kevel
James is the founder and CEO at Kevel, an API platform that enables brands to build custom ad servers

“GDPR has morphed into just another button users have to click to get to the content they want (like cookie notifications before it). These consent dialog boxes are designed to force consent while making it hard to deny it. Diving into the consent details can be cumbersome and confusing.

Because of this, most users will just blindly give consent, which then gives publishers the ability to sell their data and drop third-party cookies. Does this really address the privacy concerns of European citizens? I don’t think so.

While it is an important first step, GDPR’s reliance on the consent prompt doesn’t fully address the situation. It actually looks like it’ll be tech players who will do what regulations can’t, such as Safari with its ITP and Google Chrome killing off third-party cookies.”

Francesco Arillotta, Sovrn
Francesco is an Implementation Engineer II at Sovrn Holdings, Inc., which provides products and services to thousands of online publishers that help them grow, operate their business, understand their readership, and manage consumer data

“From a user and legislative perspective, GDPR is a step in the right direction. The perception of online advertising and user tracking is at an all-time low (following scandals such as Cambridge Analytica); this is reflected in how the legislature decided to approach it: giving data ownership to each user is a milestone in privacy controls.

Naturally, from an industry perspective, this is a massive challenge. The whole premise of programmatic advertising is to allow brands to target users as opposed to contexts. The advertising industry is just now starting to see things under the user's perspective: the cookiepocolypse is nothing more than a result of that.

I believe, ultimately, the light under which we see programmatic advertising will change drastically — although I am not sure how — as privacy becomes a priority for many more countries all over the world; the real problem is going to be finding an industry standard that will fit most of those.”

Panagiotis Giannakouras, Project Agora
Panagiotis is a Product Director at Project Agora, a fully automated solution that empowers top local publishers and retailers in EMEA to get the maximum value out of their visitors

“GDPR is perhaps the most globally celebrated piece of EU legislation in the recent past. While two years have passed since its application, it still seems like yesterday that we were trying to figure out the best course of action.

While GDPR offered the right direction, many of its provisions were left unclear when it was enforced. This is still the case today, although significant progress has been made.

From a practical standpoint, GDPR initially generated a huge load of paperwork, with the common characteristic being the push of responsibility further down the supply chain (i.e., from advertiser to publisher). It was a race trying to meet the deadline (May 25, 2018) and those who had the power (i.e. media budgets) dictated the terms.

Although publishers took a big hit (consider the hours spent figuring out what to do, or the drop on ad spend the first days following its activation), over the long-term they have benefited, and so has the rest of the ecosystem.

GDPR, for all its flaws, forced the online advertising industry to rethink its relationship with the end user, revisit its long-standing practices, and seek to innovate.

From a user perspective, GDPR provided an element of control and transparency. As a user I now have control over who collects, analyzes and utilizes my data. The degree to which this control is real or just an illusion is still being contested. The average website visitor is not always able to actually understand the many terms and choices they are presented with.

Therefore, although the hype around GDPR was substantial, at the end of the day it spurred developments which, if continued and further improved, will be ultimately helpful for both publishers and end users.”

Mike Chowla, PubMatic
Mike is the Senior Director of Product Management at PubMatic, a digital advertising technology company empowering app developers and publishers to maximize their programmatic advertising

“The GDPR is a regulatory challenge, both because the user experience has been altered, and because it has affected the competitiveness of the Ad Tech marketplace. Internet users must contend with endless consent dialogs. Deciding whether to consent to data collection is only marginally important to the public, but having to click-through consent dialogs stretches their cognitive capacity. Thousands of UX professionals go to work every day trying to make websites and apps easier to use and less cognitively demanding, but the GDPR has required interruptive consent collection. When I've traveled to the EU, it's always noticed how much more intrusive cookie banners and consent dialogs are. Personally, I want a global opt-in that says: Collect my data as you wish, but never ask me about data collection again.

The evidence says the GDPR has been a boon for the walled gardens, who have increased their share of ad spend post-GDPR. This isn't a surprising result. Complex regulations that are difficult to comply with almost always benefit large incumbents. The large players have the most resources to comply, and by the nature of being large organizations are adept at dealing with bureaucracy and complexity. Complex regulations make life difficult for startups that lack the resources to deal with complex regulatory regimes.

The focus of consumer privacy should be on sensitive information (precise location, health status, genetic and biometric data). Mishandling of sensitive data can cause real harm. Privacy advocates have never been able to identify the harm from marketers using behavioral data.

My passion for this issue stems from my belief that access to news, information, and opinion is vital in free societies. Content creators need income, and advertising has funded most of the Internet since its earliest days. If well-intentioned but misguided elected officials and regulators (and now browser vendors) hobble Internet advertising in an attempt to solve a non-problem, consumers will end up paying for that change. The big media organizations will be fine regardless. It's the mid-sized and smaller publishers who produce great niche content, and tomorrow's upstarts who haven't even started yet that we need to worry about.”

Ari Paparo, Beeswax
Ari is the CEO of Beeswax, a New-York based start-up building the next generation of real-time bidding software

“The overall effect of GDPR on programmatic advertising has been modest, with a portion of European traffic becoming more-or-less unusable for targeting, and certain techniques (hyper-local ads) falling out of favor.

On the positive side it forced all ad tech companies to really understand and control the way personal data is used and retained in their systems.

The big question remains on how aggressive enforcement will be, and the UK's efforts in this area have been postponed indefinitely due to COVID.”

Jane O'Hara
Jane O'Hara

Jane is the Senior Marketing Manager at Kevel. She enjoys discovering user-first ad platforms and articulating the value of Kevel's ad serving APIs.