The Strategic Impact Of GDPR (With Emoji)

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Ari Paparo, CEO at Beeswax.

Let’s start with a disclaimer: I’m no expert in GDPR (General Data Protection Regulation). If I were, I’d be billing by the hour for my advice and making a killing. So feel free to stop reading now.

But I do know a thing or two about ad tech and how different kinds of companies use data. And I’ve been a bit frustrated reading all the “GDPR kills ad tech” articles that claim doom but don’t really go into any level of specifics about how, exactly, the apocalypse will play out.

So, let me be so bold and call out some of the strategic implications of GDPR and discuss the likely winners and losers as Europe moves to a much stricter regulatory environment.

Another disclaimer: This is meant to paint with broad brushes, so please don’t tweet about how I got the definition of “consent” wrong in Luxembourg or how “ePrivacy actually changes all of this.”


The two most important considerations for the impact of GDPR are 1) how to get consumers’ “consent” to use their data and 2) whether a given company is a “data processor” or a “data controller.”

Very roughly speaking (remember, don’t tweet at me!), you are a data controller if you own the data in some form or decide how to use the data. You are a data processor if you just move the data around for your customers and take no control. If you are a data controller, you need explicit consent from the end user and have much higher standards for security and control.

Here’s a quick scientific diagram showing the relationship between the ability to get consent and whether your business model requires you to be a data controller or processor:

The Ranking!

Let’s rank different technology sectors from least affected to most, measured using my proprietary scale, the Flaming Euros:

Brand advertisers: ????€ (one Flaming Euro)

The truth is that brand advertisers often have surprisingly little first-party data about their consumers, and the new requirements to get consent are unlikely to change their programmatic buying habits. Business as usual.

Mar tech: ????€ (one Flaming Euro)

Mar tech is a very big sector, so at the risk of overgeneralization I’ll say that most companies in this area are clearly data processors and take orders on how to process customer data from their customers.

If you are an email provider, a social metrics dashboard or a CRM-like system, you are primarily working with first-party, permissioned data. Further, your customers are usually in direct contact with the end user and can viably ask for consent. For these companies, surely there will be increased security and regulatory hassle, and the total volume of data may take a hit, but the fundamental business remains sound.

Attribution and analytics vendors: ????€ (one Flaming Euro)

Attribution and analytics vendors fall within the same rough outline as mar tech vendors, and they should be fine. There may be more gaps in the data as consumers deny consent, but the fundamentals are intact.

Publishers: ????€????€ (two Flaming Euros)

The reduction in data available to buyers should reduce programmatic media prices, which should reduce revenue to publishers. However, the countervailing point of view is that buyers will have fewer media options and will have to turn to publishers’ second-party data or contextual data to achieve their goals, thus increasing revenue to publishers.

Among all the players, the effect on publishers is the most unclear.

Ad servers: ????€????€ (two Flaming Euros)

Similar to mar tech vendors, typical ad servers process data on behalf of their customers, who will likely have to ask consumers for consent. Sell-side ad servers likely are not affected much at all since the publishers they work with will have a relationship with the consumer.

Buy-side ad servers and rich media companies, however, regularly collect personal data on sites and users for which they do not have direct consent. In a strict reading of the regulations, activities such as delivering log files, cross-site frequency capping and collecting user information could be seriously degraded.

Data management platforms (DMPs): ????€????€ (two Flaming Euros)

DMPs collect, process and analyze first-party customer data. If the first party has consent, they’re in the clear. But similar to ad servers, collecting passive data from ad delivery and other sources will be degraded by the need for consent.

Supply-side platforms (SSPs): ????€????€ (two Flaming Euros)

I’ve personally spoken to two leading SSPs/exchanges that gave radically different points of view. One leading exchange boldly told me, “We’re a processor, so nothing to worry about.” Another asked me to sign a new and onerous 10-page contract.

The bottom line: If an SSP is just executing auctions on behalf of publishers, they should be minimally affected. If an SSP is also overlaying data, they could be prevented from doing so in Europe – but who gets data from an SSP anyway?

Demand-side platforms (DSPs:) ????€????€ (two Flaming Euros)

Core DSP services are in the same bucket as SSPs – processing trades on behalf of customers – so there is little need to get direct consent. However, many DSPs have developed proprietary data sets or cross-device graphs, and these will be very hard to maintain under the new regime unless you’re Amazon or Google. DSPs may also be required to curtail services, such as log delivery and lookalike modeling, in the same way as buy-side ad servers.

Data exchanges: ????€????€????€ (three Flaming Euros)

So, your business collects user data from lots of different online and offline sources, then combines and sells it to different parties across the ecosystem? I think we’ve found patient zero for GDPR compliance. Sure, you can get all your data sources to obtain consent, but when the data is literally the lifeblood of the business, any degradation in collection will hit the bottom line linearly.

Direct-response advertisers: ????€????€????€ (three Flaming Euros)

Like retargeters, direct-response advertisers rely on data to get results, so a reduction in data is not in their favor. However, they can employ many channels and strategies to drive their KPIs and may be able to shift spend to retain ROAS in this more difficult environment. Unclear overall.

Retargeters: ????€????€????€????€ (four Flaming Euros)

Content recommendation engines: “We are the most hated sector in ad tech.”

Retargeters: “Hold my beer.”

A lot of hot air is coming from the retargeting sector in advance of GDPR, probably because they know that every consumer who denies consent is directly tied to revenue loss. Regardless of the interpretation of consent, it is a sure bet that some retail customers in Europe will choose to stop working with retargeting vendors to avoid risk, and some (or many) customers will opt out. No bueno.

Ad networks not owned by Google, Facebook or a telecom: ????€????€????€????€ (four Flaming Euros)

They say you shouldn’t watch sausage get made, and ad networks are like, “Don’t worry about it, have a currywurst.” Well, we’re going to regret it tomorrow when the opaque data filling the delicious natural casing goes missing and we’re left with nothing but offal and spicy sauce*.

* This is clearly the last time I’ll be invited to write for AdExchanger.

Location vendors: ????€????€????€????€????€ (five Flaming Euros)

Hey dude, where’d you get that location data from? Did you get consent? I didn’t think so.

Cross-device vendors: ????€????€????€????€????€ (five Flaming Euros)

“Probabilistic graph” becomes a euphemism for “no consent.”

And The Winners Are …

It is worth noting there will be some real winners from GDPR, worthy of a positive award, which I call the GDPR baguette™:

Blockchain vendors: ???? (one baguette)

Really not sure how blockchain is relevant here, but if you’ve read this far I’m sure you’ll buy my coin; I call it ICOnsent™.

Consent vendors: ???????? (two baguettes)

Nothing like ad tech to bring out the new vendors. There’s definitely upside for vendors managing cross-vendor consent, but they only get two baguettes because, ultimately, it’s not that large of an opportunity.

Contextual targeting vendors: ???????????? (three baguettes)

No consent needed to tell me I’m on a site about cool stuff. As user data declines in ubiquity, site data increases in value. This is a no-brainer.

Google, Facebook and Amazon: ???????????????? (four baguettes)

While the GDPR movement was largely meant to tamp down the power of the American tech giants, it will likely have the opposite effect because their direct consumer relationships allow for meaningful dialogs about obtaining consent.

The lawyers: ???????????????????? (five baguettes)

I bet you can’t wait until the first multimillion-dollar lawsuit is filed for GDPR violations. Neither can they.

Follow Ari Paparo (@aripap), Beeswax (@BeeswaxIO) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Nice summary. Emphatically agree with the expected windfall to contextual targeting vendors…bring back the vertical ad networks!

    I think GDPR, combined with a general frustration with the growing complexity of what it takes to execute and validate a display ad buy is going to strongly push marketers to revisit how they spend their dollars and begin re-embracing quality publishers offering targeting based on the nature of their content.

    Simplicity isn’t a dirty word.

  2. Great article Ari! Very entertaining & informative in the same time.

    However, I wonder how Consent Vendors will look like & how will they operate. Does such companies exist now? If somebody will manage to create Consent Vendor, how will they sell “Consent”? Right now, such companies, and such idea for a company, looks like a “target” of the next iteration of GDPR 🙂

  3. Nailed it Ari. Sign me up for an ICOnsent. Another layer that concerns me is not just the initial targets of enforcement, but who they bring down with them. Most of the approaches that I have seen have dumped responsibility on the publisher (or the third party one step closer to the publisher). I expect that some businesses with more than 3 flaming Euros will choose breaking the law over taking the revenue hit from compliance. As a representative of smaller publisher who are mostly ill equipped to enforce compliance on their partners, I’m most concerned that the threat to them comes from the contractual finger pointing once the bad actors get fined.

  4. joe kapp

    Well said, and I agree with much of this. The one thing you overlook, in mentioning contextual, is that (crazy though it is) even contextual ads will require consent because GDPR applies its crazy strict consent standard to the ePrivacy Directive, which in turn applies to contextual ads too — unless you avoid any cookies for frequency capping, etc., which becomes a pretty crappy user experience and will thus devalue THAT inventory, too. Maybe all platforms should shut their EU offices, move their employees to the US, and tell EU regulators to come and get them here –which they won’t do.