Why GDPR May Cripple EU Ad Spend - And How Ad Tech Can Prepare
Please note that this article is for informational purposes and is not legal advice. We encourage you to work with a legal counsel to determine how the GDPR applies to you.
In less than six months, the European Union will start enforcing the EU General Data Protection Regulation (GDPR), and it’s important that those in ad tech - from publishers to vendors to advertisers - are preparing for it now.
For an overview of GDPR, please visit our write-up here. This article assumes you are acquainted with GDPR and focuses instead on its implications for ad tech.
GDPR WILL Significantly Impact OpenRTB European Ad Revenue
There's no way that the GDPR doesn't lead to both a short-term and long-term downtrend in European programmatic RTB ad revenue, as:
1. Getting consent to use PII for advertising will be extremely difficult
It is unlikely that publishers will get consent to use and share PII from more than a small percentage of EU users, because:
a. According to the GDPR, publishers need to state the names of who they/their partners share data with, such as DFP (ad server), Index Exchange (ad exchange), MediaMath (DSP), Lotame (DMP), and so on. It's unfeasible - if not impossible - to know everyone in the chain. Additionally, when a new bidder is added, the publisher would have to get new consent for that vendor, which is untenable.
It's possible that companies can be compliant by making a vague statement like, "We will be sharing this data with various advertising partners" - however, it's unclear if this will be detailed enough, and the below complications will still arise.
b. Publishers must be explicit about how the data is used. If your consent form focuses on data collection for ad targeting, it's unlikely many users will find this a compelling reason to give consent.
c. It's opt-in, so publishers will be fighting against the power of default. Moreover, publishers can't deny non-consenting users any services, so even sites with registration forms cannot force an opt-in to finish signing-up.
d. Web publishers and app developers generally avoid obtrusive user experiences, so asking for consent may be deemed too intrusive to justify the low opt-in rates.
2. No consent = no user matching = lower CPMs
Given that consent will be the exception not the norm, programmatic RTB ads will have to survive without user matching (the method SSPs/exchanges and DSPs use to identify a user). User matching is done via cookies on the web and mobile IDs (IDFAs, GAIDs) in apps. Some exchanges won't even bid on traffic that isn't matched; others will bid just pennies.
For instance, a major header bidding exchange Adzerk works with bids on just 13% of unmatched requests, compared to 35% of matched requests. Lower bid rates and lower eCPMs will be a dangerous combination for publishers.
3. Advertisers will likely take a conservative approach
The GDPR also makes advertisers liable if they use illegally-procured data for ad targeting, even if done unknowingly. We can expect a short-term squeeze in European ad spend as advertisers mitigate risks by limiting their EU programmatic spend. They may instead push money toward safer, direct platforms like Google, Facebook, and Twitter.
This may not be long term, and spend may eventually oscillate back to OpenRTB, but, at least initially, large advertisers will likely be risk-averse and take a "wait-and-see" approach. As the fine can be 4% of yearly revenue, brands such as, say, Coca-Cola, P&G, and Heineken can't afford to be wrong. A temporary pullback in EU spend is the most logical course, and less competition will further depress publisher eCPMs.
4. Header bidding Prebid.js wrappers aren't compliant by default
While they don't have EU stats, ServerBid's Header Bidding Industry Index shows that 35% of the Top US Publishers use a Prebid.js header bidding wrapper to manage programmatic ad spend. Unfortunately, the Prebid wrapper is not GDPR-compliant by default, as it doesn't have any logic for blocking cookies for EU residents (this is why ServerBid is releasing a GDPR-compliant, consent-honoring wrapper).
And if publishers don't update their wrappers in time, they may be forced to temporarily pause their ads as they look for an alternative.
How You Can Prepare
1. Work only with GDPR-compliant ad tech vendors
We recommend you:
- Have conversations with your partners about what data they are collecting and why
- Ask them if they have a way to honor consent and manage the "data rights" (i.e., consenting users have the right to see, edit, and delete stored data)
- Review contracts to make sure you aren't liable if they break the law
- Understand how your partners will be blocking PII collection for EU citizens who haven't given consent
- Sign Data Processing Agreements (DPAs) with data processors
- Get a list of who your partners share data with (DSPs/DMPs/exchanges), so you can add those companies to the consent form
2. Update your ad serving platform so you don't share PII / do user matching for EU-residents
How you implement this will depend on your system, but at minimum you'll need to identify where users are coming from and not collect data or drop cookies for anyone in the EU.
This will dry up EU programmatic ad revenue, so you'll still want to find a partner who can handle European traffic in a compliant manner.
3. Work with your vendors to pass more data in the RTB request
Without user syncing, your EU ad impressions will be worth less, but you can fight this by giving exchanges/DSPs more information about the impression. For websites, this could entail sending the search parameters in the site object. For apps, it could be paid in the
It will, however, take time for demand partners to incorporate this data into their buying algorithms (if they don't do so already). See here for a full list of OpenRTB parameters.
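One way to combine steps 2 and 3 on the publisher side, as an added example that is not Adzerk's or any exchange's own code: strip the identifying OpenRTB 2.x fields from a bid request for a non-consenting EU user while leaving contextual fields such as site.search in place. The function names, the field selection, the fail-closed country check and the sample request are assumptions made for illustration.

```python
import copy

# EU member states as ISO-3166-1 alpha-3 codes, the format OpenRTB uses in
# device.geo.country. Constructed list reflecting membership in 2018.
EU_COUNTRIES = frozenset("""AUT BEL BGR HRV CYP CZE DNK EST FIN FRA DEU GRC HUN IRL
ITA LVA LTU LUX MLT NLD POL PRT ROU SVK SVN ESP SWE GBR""".split())

# OpenRTB 2.x fields that identify a user or device and enable user matching.
USER_FIELDS = ("id", "buyeruid", "yob", "gender", "keywords", "customdata", "data", "geo")
DEVICE_FIELDS = ("ifa", "ip", "ipv6", "didsha1", "didmd5", "dpidsha1", "dpidmd5",
                 "macsha1", "macmd5")
GEO_FIELDS = ("lat", "lon", "zip")


def is_eu(request):
    """Fail closed: a request with no usable country is treated as EU."""
    country = request.get("device", {}).get("geo", {}).get("country")
    return country is None or country.upper() in EU_COUNTRIES


def prepare_bid_request(request, has_consent):
    """Return a copy of the request that is safe to send to exchanges."""
    out = copy.deepcopy(request)  # never mutate the caller's request
    if has_consent or not is_eu(out):
        return out
    user = out.get("user", {})
    for field in USER_FIELDS:
        user.pop(field, None)
    device = out.get("device", {})
    for field in DEVICE_FIELDS:
        device.pop(field, None)
    for field in GEO_FIELDS:
        device.get("geo", {}).pop(field, None)
    # Contextual fields (site.search, site.keywords, app.paid) are left untouched.
    return out


# Constructed sample request (documentation-range IP, not real traffic).
SAMPLE = {
    "id": "req-1",
    "site": {"page": "https://news.example/cars", "search": "electric cars",
             "keywords": "autos,ev"},
    "device": {"ua": "Mozilla/5.0", "ip": "203.0.113.77", "ifa": "constructed-ifa",
               "geo": {"country": "DEU", "lat": 52.52, "lon": 13.40}},
    "user": {"id": "u-123", "buyeruid": "b-456"},
}
```

Treating a missing country as EU costs some revenue on unlocated traffic but avoids sending identifiers when geolocation fails.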
4. Start testing workflows for getting consent (or not)
Do you want to ask consent from all users? Or just those with an EU IP Address? Do you ask with a pop-up box, welcome mat, or scrolling banner? Do you ask as soon as they land or after 10 seconds? How will you share this consent info with your partners?
These questions are why it'll be difficult to procure consent. That said, it may be easier for app developers to get it, since many already, upon first open, prompt users to consent to push notifications and other features.
5. Prepare for a decrease in ad revenue
It's not all doom and gloom long-term, as the industry will learn to adapt to no user matching. However, there will be a short-term crunch.
So, if your business can't handle a short-term (6-12 months, maybe) contraction in EU revenue, it's important you start preparing now for alternative sources of revenue. For instance, you could pursue a direct-sold sales strategy, as touched upon below.
6. Invest in Direct Sales
As mentioned above, EU ad revenue will dip, partly because of diminished user matching rates and partly because advertisers will likely pull back their programmatic spend. But that doesn't mean advertisers want to spend less, and they will look for alternative ways to allocate their budgets. This will mean moving to safer, non-PII targeting methods, such as contextual and search targeting via direct buys.
It may be beneficial, then, to (1) build out your pricing media kit, (2) add a dedicated salesperson/people to sell inventory, and (3) improve your ad placements. Maybe now is the time to replace your programmatic ads with direct-sold native ads. Not only could they help regain lost EU traffic, but doing so will lead to faster pages and less obtrusive ads, improving the user experience. You can learn more about the pros and cons of native ads here.
Of course, this strategy comes with its own risks: new salespeople, new ad op hires, engineering time, etc., but if the alternative is a crippling loss of EU ad revenue, it may be worth it.
Exchanges/Ad Tech Vendors
1. Ensure your tech is GDPR-compliant
This involves security audits, breach action plans, and blocking all PII collection/sharing for EU residents.
Additionally, you'll want to think about:
- Using logic to block the ingestion of information from EU residents
- For IP addresses, truncating the full address and storing a dummy IP that reflects the user's general location (like, their city)
- Not storing the whole user agent string, and instead keeping just salient data like device type and OS
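The IP and user agent minimization described in this list, as an added example that is not Adzerk's own code: addresses are truncated before storage and the user agent is reduced to OS family and device type. The /24 and /48 prefix lengths, the pattern list, the record layout and the sample record are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed truncation policy (not from the article): keep /24 for IPv4 and
# /48 for IPv6, enough for coarse location but not for a single host.
KEEP_BITS = {4: 24, 6: 48}
# Order matters: iOS user agents contain "Mac OS X", Android ones "Linux".
OS_PATTERNS = [("iOS", r"iPhone|iPad|iPod"), ("Android", r"Android"),
               ("Windows", r"Windows NT"), ("macOS", r"Mac OS X"), ("Linux", r"Linux")]


def truncate_ip(raw):
    """Zero the host bits of an address; return None if it cannot be parsed."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # never fall back to storing the raw value
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def reduce_user_agent(ua):
    """Keep only the OS family and device type from a user agent string."""
    os_name = next((name for name, rx in OS_PATTERNS if re.search(rx, ua)), "other")
    if re.search(r"iPad|Tablet", ua) or (os_name == "Android" and "Mobile" not in ua):
        device_type = "tablet"
    elif re.search(r"Mobile|iPhone|iPod", ua):
        device_type = "mobile"
    else:
        device_type = "desktop" if os_name != "other" else "other"
    return {"os": os_name, "device_type": device_type}


def minimize_log_record(record):
    """Build the record that gets stored; raw ip and ua are never copied over."""
    return {"ts": record["ts"], "placement": record["placement"],
            "ip": truncate_ip(record.get("ip", "")),
            **reduce_user_agent(record.get("ua", ""))}


# Constructed sample record (documentation-range IP, not real traffic).
SAMPLE = {"ts": "2018-01-15T10:00:00Z", "placement": "leaderboard",
          "ip": "203.0.113.77",
          "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) Mobile/15C114"}
```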
2. Work with demand partners to increase the value of non-user-matched impressions
Again, without cookies or mobile IDs, the value of an individual ad impression greatly decreases. The ad tech industry must therefore find ways of identifying impression value via other means (like context, search terms, additional non-PII RTB fields, etc).
3. Enable consent tracking, consent honoring, and ways to rectify or delete data
Some publishers will still seek consent, so it's important your tech can accommodate that. Additionally, because of GDPR's "data rights", you must offer users a method of seeing and changing the data you have on them.
4. Rework your contracts and/or offer a Data Processing Agreement (DPA) if applicable
If you're sent data illegally, you could be on the hook if you use it. Therefore, you should have agreements in place with your publishers/partners/advertisers that indemnify you from their actions.
1. Work only with GDPR-compliant programmatic partners
This pertains to exchanges, networks, and DMPs. A lot happens behind-the-scenes with ad tech vendors, so remember that one bad partner could lead to a fine.
2. Accept and optimize against additional, relevant OpenRTB parameters
Without user matching, you'll need other ways of identifying the value of each EU ad impression. See here for a full list of OpenRTB parameters.
3. Warn your advertisers there will likely be a decrease in spend and/or performance
In the short-term, EU traffic may be cheaper for advertisers (not necessarily a bad thing). For instance, if a pre-GDPR impression is worth $1.00 CPM to multiple DSPs, but without user matching is valued at $0.20, then the winning DSP gets the same impression at a fifth the price.
That said, many advertisers have fixed campaign spend goals. If DSPs start bidding on fewer impressions - or it becomes harder to spend allocated budgets due to lower prices - advertisers may be upset. Plus, without user matching, post-impression performance like click-through-rates or conversion-rates could suffer.
4. Work directly with large publishers
Many DSPs already do this, but GDPR may push them to further pursue direct deals with publishers, cutting out the ad tech middlemen, where data leakage could occur. You can learn more about how to do that here.
1. Don't spend money with non-GDPR-compliant partners
This pertains to DSPs, exchanges, networks, and DMPs. A lot happens behind-the-scenes with ad tech vendors, so remember that one bad partner could lead to a fine.
Make sure to review your contracts with your vendors to ensure that you won't be held liable if they break the law.
2. Expect EU spend levels and ad performance to take a hit
It's likely that your programmatic partners will find it harder to achieve your ad goals without user matching. Additionally, the pull-back may be of your own choice as you play it conservatively. Expectations are key here - don't be caught off-guard.
3. Find alternative ways to direct your ad spend
Without user-targeting, contextual and search targeting will become more attractive. For instance, spending more on Google Search may be a smart idea (search terms are not PII). Contextual targeting - where the content of the page is what you target against - can be seen in platforms like Reddit, which allows one to target specific subreddits.
Negotiating direct deals with large publishers - while more time consuming - may also be a way to keep spend levels where they were. These ad prices will likely be higher than going through programmatic channels, but the traffic will be of higher quality.
Data Management Platforms that rely on data brokering will be hit hard by the GDPR, as the buying and selling of data behind-the-scenes is explicitly forbidden by the GDPR. Even if it's first-party data, they cannot sell this data without explicit consent from the user.
Given that consent will be the exception not the norm (and their current data isn't magically grandfathered in), we should expect DMPs to have very little sellable data on EU-residents.
Adzerk aims to make the transition to GDPR-compliance as easy and intuitive as possible for our clients. In the coming months we'll be providing step-by-step guidance, and our expectation is that there will be minimal engineering work needed on your end.
Our approach has multiple pillars, including:
- Handling European Traffic Conservatively: Adzerk will extend the "Do Not Track" feature to not track or write cookies for EU-based traffic (by default) unless consent is given.
- Providing Consent Tools: Adzerk will provide consent-tracking tools that will enable publishers to track PII for consenting EU residents. Additionally, we will provide tools for revoking and deleting this information.
- Getting Certifications: Adzerk began gathering privacy & security certifications in December 2017 and will continue doing so in 2018.
- Isolating Client Data: Adzerk will move all customers to their own CNAMEs, which helps ensure there's no mixing of customer data.
- Data Minimization: Adzerk will reduce the amount of data collected on users, such as not retaining IP addresses in raw logs.
Additionally, we'll have a Data Processing Agreement and clear policies around continuous risk assessments and data breach notifications. If you're an Adzerk client, you should expect to hear from us soon about next steps.
GDPR isn't the death of digital advertising, but it will deal a major short-term blow to EU programmatic ad spend, which relies on PII targeting. Publishers will make less money and advertisers will spend less, which will hurt all ad tech vendors.
Long-term, the industry can adapt by (1) focusing on direct deals versus programmatic ads, (2) pivoting to search/contextual targeting, and (3) adjusting bidding algorithms to factor in additional non-PII OpenRTB parameters.
The good news for global brands is that the EU is only about 510M users - a sizeable number, of course - but just 13% of the world's internet population.
Regardless, publishers, advertisers, and ad tech vendors need to prepare for a crunch in EU ad revenues come May. It's inevitable if cookies and mobile IDs go away, and it'll be exacerbated by advertisers pulling spend out of fears of a fine.
Granted, it's not clear what the magnitude of the decline will be, but those who are taking a "wait-and-see" approach will have a rough second half of 2018.