Ad Tech & Ad Ops

What Ad Tech Looks Like in the GDPR Aftermath

Pinterest LinkedIn Tumblr

In the weeks following the GDPR deadline, ad tech went through a period of turbulence which made one thing quite clear: No one was completely prepared for the D-day. 

Spoiler alert: Nothing really happened. The Internet continues to function as usual, but with more popups asking for user consent across EU than before. Most users continue to click ‘accept’ and get back to consuming content.

That doesn’t mean nothing changedThis is a post about the changes vendors in digital supply chain went through, in a short period of time considering everyone tried to forget about GDPR until April.

1. Publishers: Interpretations and Implementations

Some media-sellers were fumbling in the dark trying to get to the correct interpretation of the regulations. “Does it mandate explicit opt-ins for each purpose on each vendor’s behalf? Would a blanket opt-out be enough? How am I supposed to implement anything?

By the time 25th May rolled around, everyone did what they thought was best when it came to consent. This took the following forms:

 a. Block ads / targeting (until better alternatives are available)

Some US-based news sites like Los Angeles Times and Chicago Tribune shut down their European sites. Others like USA Today and New York Times continued to avail content in Europe but stripped their sites of all ads / stuck to house ads. (Source)

Most small-to-medium publishers simply stopped serving personalized ads to users in EU to comply with GDPR. A lot of them are even now looking for viable ways to collect and pass consent down the supply chain—to try and recover some ad revenue lost from blocking ad targeting across the site.

Recommended reading: How to Estimate GDPR Impact on Your Google AdSense Earnings

Most Google Display Network publishers (AdX/AdSense users) had to resort to blocking personalization across EU. This is because they had two options to collect and pass consent: a.) via Funding Choices (which many didn’t have) or b.) by updating their ad codes (which many didn’t want to poke into for fear of botching it up).

Since Google’s integration with IAB Consent Framework won’t be finished until August, GDN publishers couldn’t use a 3rd party CMP to pass consent to AdX or 3rd party demand sources/analytics partners.

b. Consent Solutions: Custom, Paid, and Open Sourced

Most large publishers based in EU pulled off custom consent notices really well. The Guardian, Axel Springer, Telegraph, et al. are some names to go with it. Those without in-house developer teams/time relied on paid CMPs like Evidon, Cookiebot, etc.

For many others, open-source solutions like the AppNexus CMP saved the day. While it needs to be tweaked/hosted/registered with IAB for a network of sites, there’s no need for the pomp and paperwork if you’re just doing it locally (on a site by site basis).

We recommend that everyone who builds their own CMP register it with IAB. While not technically necessary yet, buyers will likely eventually start auditing what CMP is creating the consent signals. We have no plans to register ourselves just yet.

— Steve Truxal, Product Manager, AppNexus

Another open-source solution came from Axel Springer. The custom-built solution—nicknamed OIL (short for Opt-in and Transparency Layer) is easy to use, customizable, and free. The CMP is also registered with IAB’s Consent Framework, so it will work with every other vendor in IAB Framework’s Global Vendor List, which contains ad networks and exchanges that are GDPR compliant.

Some did botch it up though. Case in point: Tumblr’s legally solid but extremely lengthy consent notice.

Tumblr does not include a blanket opt-out. You have to uncheck each box, one by one. Also there are 322 of them. Also you will have to do it on your iPhone.

The number of people who wrote to me and told me that this thing got them stuck, too long, had Javascript errors, or just plain didn’t work was ludicrous, many of whom just slammed ‘accept’ to get around it (or did so by accident). I assume it was just a bungled rollout, but ouch.

(via GDPR Hall of Shame)

2. Ad Exchanges: Brief Bout of Misery

What: Programmatic revenue took a nosedive across Europe, on all exchanges except Google AdX.

Why: Google began warning DoubleClick Bid Manager (DBM) users that they should expect short-term disruption in their campaigns on third-party European inventory, starting May 25. This was because Google couldn’t confirm if those third-party exchanges were GDPR compliant.

This spelled brief trouble for 3rd party exchanges since DBM users buy a majority of all impressions bought via programmatic. When DBM users couldn’t buy impressions on other ad exchanges, they had only one option – buy from Google’s own AdExchange.

Result: Most exchanges saw as much as 50% drop in demand volume because everyone using the biggest DSP on the planet – which is Google’s – could only buy Google’s inventory (on AdX).

Google integrated other major exchanges (like AppNexus) in its vendor whitelist days after May 25th.

3. Demand Side Platforms: To Bid or Not to Bid

DSPs have been just as subjective in their GDPR interpretation.

Last week, a user on r/adops posted that some DSPs, like The Trade Desk and MediaMath, are currently bidding only on impressions which are passing some form of consent – even if it’s a negative on any data use – back to them via a custom or paid CMP.

GDPR: DSPs ONLY bidding when there is explicit consent from adops

The OP comments, “I can say that if a site doesn’t have a CMP in place, there are literally zero bids going to that site from some of the major DSPs.”

Note that this is applicable even if publishers are serving exclusively contextual ads that don’t need additional consent, or if they went with Legitimate Interest as the legal basis for gathering users’ data. We’ll update with more information.

The Aftermath: “All’s Well, For Now”

We spoke to a few European publishers to see the impact of GDPR D-day.

A German media-seller told us that all major ad tech players in Germany are currently going with Legitimate Interest as their legal basis for data collection. “That’s why everything is pretty relaxed so far,” he says.

To comply, most German publishers simply updated their privacy policies. “Germany has had cookie alerts, privacy policy, and double opt-ins for newsletters as requisites even before GDPR,” our source tell us. “There is not much to change besides updating the paragraphs from TGM to DSGVO (GDPR in German) within the privacy policy, and cutting down on embeds/external images,” he says.

This approach isn’t for everyone though. EU member states can interpret and enforce the regulations as they see fit. Despite the collective stance on their legal bases, some German media-sellers also have backup measures ready.

“Some publishers signed-up/developed CMPs – they aren’t using them unless forced to do so by regulatory authorities. I think the biggest fear here is that our regulatory bodies would follow the lead set by US publishers/vendors. They are all going for ‘consent’ as legal basis – using CMPs to gather consent or blocking access to their sites in EU – because they don’t want to risk being in violation.”

In UK, publishers seem less concerned with interpretation and more with the implementation of consent mechanisms. A UK-based sell-side executive says, “We had a bit of a Y2K moment; nothing really happened – revenues dropped a little over the weekend but soon recovered. We had to tweak our Prebid setup. Apart from that, everything’s good. Now, we’re just waiting for Google to fully integrate with the IAB framework and we could put this out of our mind.”

Google’s IAB framework integration would let publishers use a CMP to serve Non-Personalized ads (from Google’s own demand) by early June. Consent granularity and 3rd party vendor support should be ready by August.

Publishers and vendors alike know that it’s still early days – GDPR enforcement could get considerably strict. Then there’s the ePrivacy Directive to cope with, which is slated to come into effect sometime this year. For now, serve Non-personalized ads and know what not to do, as archived at GDPR Hall of Shame.