GDPR six years on: Adtech industry comments

original-Image-Pete Linforth-Pixabay
Photo edited by Jerome Paronneau.

Saturday 25 May marks the 6th anniversary of the implementation of the General Data Protection Regulation or GDPR system governing the way companies use, store and share the data of private individuals.

It’s not been an easy journey and much remains to be done, with Google having recently delayed its phasing out of so-called cookies on its globally used Chrome browser.

So we asked some of the leading players in the adtech sector for their pulse take as the system enters its 7th year… 

marko-johns-seedtagMarko Johns, UK MD & Intl Head of Agency, Seedtag

“GDPR established the standards for data and privacy regulations, serving as a template for similar legislation that has since rolled out — or is in the process of rolling out — across the globe.

“Within digital advertising, it set into motion the transition towards solutions that do not rely on personally-identifiable information, though there are still corners of the industry that prefer to walk the knife-edge of what is legal to keep invasive targeting operating beneath a new coat of paint.

“GDPR may have been exhaustive at the time, but it needs to be updated to fill exploitable gaps in its reach, particularly around fingerprinting and AI, where a lack of guardrails around data handling puts both individuals and organisations at risk.”

Sarah-Lawson-JohnstonSarah Lawson Johnston, CRO, Covatic

“The GDPR has been a benchmark for data privacy over the past six years – inspiring other global legislation and prompting many businesses to rethink how they protect themselves and their customers.

“It has also raised consumers’ awareness of how their personal data was collected, stored, and used.

“In the advertising industry, we’ve seen some stalling in the adoption of new practices for this privacy-first era. Google may have pushed back its cookie deprecation deadline once again, but it’s important that the sense of urgency is not lost.

“Privacy credentials have become a competitive differentiator, as consumers gravitate towards companies aligned with their privacy values as well as their personal ones.

“Media owners and brands must therefore phase out outdated solutions while simultaneously expanding the adoption of effective privacy-first technologies (e.g. on-device ad-tech solutions).

“This will help foster positive advertising experiences and offer the additional advantage of future-proofing their businesses.”

Nicola-newitt-infosumNicola Newitt, Director of Legal, InfoSum

“Six years after the full implementation of the General Data Protection Regulation (GDPR), it is still setting the global standard for privacy.

“The publicity around the GDPR increased consumer understanding of their right to control their personal data within the EU and in the UK.

“Additionally, it’s influenced regulators in many other jurisdictions; 75% of people around the world now have data protection rights enshrined in law, up from just 10% in 2020.

“The GDPR has provided European legislators with a powerful framework with which to hold organisations who fall foul of its terms accountable; for example, when Meta received a €1.2 billion fine from the Irish Data Protection Commission (DPC) in May 2023.

“While this provides a huge incentive for businesses to ensure their privacy practices are in good order, it’s also part of a bigger mindset change; with companies beginning to see privacy as an opportunity to build platforms, processes and products that drive efficiencies, create new revenue streams and foster customer loyalty.”

Ogury-Lawrence-HorneLawrence Horne, UK Country Manager, Ogury

“The introduction of the GDPR was an important milestone in the transition towards a more privacy-first online landscape. However, this shift is no longer simply driven by legislation, but by consumers.

“Around two-thirds (65.5%) of UK consumers have concerns surrounding data privacy when interacting with brands online, and it’s clear they are willing to exercise their right to avoid being tracked or sharing their personal information for advertising purposes.

“This has led to a consistent decline in opt-in rates since the implementation of the GDPR.

“For the advertising industry, being compliant with the GDPR, the CCPA or any of the other numerous privacy laws alone is not enough; consumers have spoken, and as a collective we need to tackle this issue at a global level.

“If the GDPR represented the first step towards a new privacy paradigm, the phase-out of the third-party cookie in Google Chrome is the final part of this journey.

“Brands must stop clinging to the old world and embrace a privacy-first approach if they are to continue to effectively reach their audience.”

Oren-Poleg-viewerslogicOren Poleg, CTO and Co-Founder, ViewersLogic

“Many companies are still unclear on which data to share with consumers when they receive a GDPR data subject request (DSR). There is a large variance in both the data you get back and how you can request it.

“For example, Meta hasn’t aligned its data sharing standards across its social media platforms. Where Facebook provides data on any content that users interacted with but no ad data, Instagram offers both content data and ad data, but only on ads seen in the week up until the GDPR request.

“Unlike the ongoing delays of third-party cookie deprecation, there’s no room for manoeuvre when it comes to GDPR regulations. Businesses are legally required to produce subject data in a machine readable format.

“Currently only a handful of companies make this an easy process, whereas others either make it intentionally difficult or simply haven’t invested in the process at all.

“We need to be working towards a transparent data economy where consumers can access their subject data without scrutiny or difficulty, especially as we’re seeing growing concern from consumers about how their data is being used and stored.

“Businesses that don’t act in the spirit of the law, need to be held accountable for exasperating what should be a simple DSR.”

Angelique-Whittaker-azerionAngelique Whittaker, UK Sales Director, Azerion

“After six years of GDPR — and the subsequent roll-out of other global regulations — privacy-centric advertising really should be the norm by now.

“However, the industry still struggles to push forward with its own bold moves and many marketers are relying on outdated targeting methods and confused consent messaging.

“To go a step further than simply being regulation-compliant, advertisers should be embracing cookieless tools, with a combination of contextual and behavioural targeting, to dig deeper into the privacy-friendly data and power curation methods; this will deliver more effective targeting and build better brand connections for consumers.”

jason-warner-sbsJason Warner, Director UK & EMEA, SBS

“GDPR sparked the formation of a new generation of technological data providers focussed on compliance whose groundwork is now the basis that the post-cookie marketing landscape is being built upon.

“Ultimately, it has enabled data-driven strategies to be refined for even greater precision, effectiveness, while privacy compliant.

“However, the intricate and highly technical complexities of GDPR still catch out those unprepared technically.

“Currently, when a company’s legal team lacks a clear understanding of these mechanisms, the fear of potential investigations and fines can stifle technological advancements.

“This gap between theoretical rules and practical application poses a significant obstacle to progress.”