GDPR's impact on ad tech

By Pippa Chambers | 25 July 2018

This is from the July issue of AdNews Magazine from our data and GDPR investigation.

With the GDPR shake–up also comes varying crackdowns and the need for due diligence on supply chain partners to ensure they are compliant.

As discussed in our June issue, Google’s new GDPR Consent Tool was said to limit publishers to 12 ad tech vendors, which many argued could harm publisher monetisation and cut buyers off from much of the supply they value. It has since backflipped on the move following backlash.

In terms of what conversations ad tech firms are having with clients, Samuel Tan, director of market development ANZ at AppNexus, said many local advertisers and publishers don’t think the GDPR really applies to them given it’s a European regulatory policy.

“Unfortunately this couldn’t be further from the truth as it impacts any business that engages with users located in the EU,” Tan said.
“For example, if you’re an Australian publisher with a news site that has users in the UK or France, you need to take note and act.”

He said the wider ramifications are the impact Google’s policy will have on independent publishers and ultimately the fate of the open internet.

“Will publishers realise this is another example of Google forcing the rest of the industry to bend to its will, and give publishers a clear decision to take back control of their own destiny? Our concern is that for smaller to medium–sized publishers they may have no other option, given resource constraints,” Tan explained.

Eve Filip, deputy general counsel and data protection officer at Rubicon Project, revealed the company has been working with its clients, answering their questions about its own GDPR compliance plan and helping to support clients' efforts with compliance.

“We have also prepared various materials to help our clients understand the impact of the regulation and have been working with our buyers and vendors on the platform on their measures to adequately protect European personal data,” Filip said.

Matthew Joyce, country manager AU/NZ of programmatic software business, DataXu, said he is regularly asked questions along the lines of “Are you GDPR compliant?” and “What is your GDPR strategy?”.

“However, beyond these basic security and privacy concerns, I’m seeing sophisticated clients that want to explore how they can work together with their programmatic partners in a way that is both efficient and GDPR–compliant,” Joyce said.

“We’re not only focused on ensuring our compliance on behalf of clients, but also have a perspective on successfully operating under the GDPR and into the future.”

Readying the business

Filip said Rubicon’s preparation efforts for GDPR have been consistent across all global markets in which it operates.

“They included clear communication with our customers, building comprehensive data maps, maintaining a data transfer compliance policy, and updating our policies and procedures, including those that relate to personal data management and record keeping,” she revealed.

From the onset of the GDPR, Joyce said DataXu assembled a “cross–functional task force” to oversee the implementation of GDPR compliance in every aspect of its operation across regions, including Australia, to be ready and compliant by the time it came into effect.

“The real trick was making sure that our GDPR plan thoughtfully focused on not just compliance, but also forward–thinking privacy–by–design to accommodate new technology growth like DataXu’s connected television offerings, and the Internet of Things,” Joyce explained.

The arrival of the data protection officer

Tan said AppNexus believes end users should understand how their data is collected and used to ensure a more relevant and engaging advertising experience. That’s why it worked with other industry participants, he added, including being part of the IAB Europe GDPR Implementation Group (GIG), which provides publishers and advertisers with full optionality to comply with the EU ePrivacy Directive and the GDPR — according to local interpretations of each directive’s/regulation’s requirements.

“We made technology investments to increase data minimisation, reviewed our documentation, records of processing and processes, our security measures, and our mechanisms to facilitate international transfers, and ensured compliance with other requirements of the regulation, including the appointment of a data protection officer,” Tan said.

Specifically, its clients are able to choose which companies, such as DSPs and DMPs, they will allow to receive and use data related to their end users (cookie ID; mobile advertising ID; IP address; precise geo and data associated with those), meaning end users visiting AppNexus’ clients’ sites/apps get more control over which companies they allow to use data about them.

“These changes set us up for maximum flexibility to implement the strictest interpretation of GDPR and ePrivacy, as it relates to data our clients ask us to share with third–parties, while also allowing us maximum flexibility to pivot quickly to less conservative and/or more flexible interpretations,” Tan explained.

The ‘spirit’ of the law

MediaMath VP of data policy and governance in the US, Alice Lincoln, said GDPR has simply heightened the emphasis on due diligence around its partners, with many companies now choosing to filter GDPR rules into other regions.

“I think a good way the industry should be looking at this going forward is to not only definitely comply with the letter of the law, but also comply with the ‘spirit’ of the law,” she said.

“For MediaMath, we are taking a very consumer–centric approach, which means while we'll meet the letter of GDPR compliance, we're aiming to honour the spirit of the law globally.”

Lincoln said that doesn’t mean what it's doing in Europe is what it’s going to do in the US or in Australia, but the principles behind it are principles it believes in and wants to apply regionally as appropriate.

She believes the biggest challenges are for companies that don't necessarily understand what data they process, how that data is processed, or who they are handing data back and forth to, and in which cases.

This article follows part one: Why GDPR matters and A Data Management Platform 101
