The Mad, Mad Rush to Conform With GDPR: Could Greater Trust in Digital Be the Ultimate Outcome?

Opinion: The industry might be forced to act in ways it might not have otherwise done

GDPR may be a catalyst for the kind of change that leads to greater trust in digital Tanaonte/iStock
Headshot of David Doty

As companies struggled to meet Friday’s deadline to comply with the European Union’s General Data Protection Rule, the digital advertising industry has been venturing outside of its comfort zone—the legal liabilities it now faces are more immediately measurable than other recent concerns about such advertising-based issues as measurement and attribution.

Aligning to the law could well have the additional benefit of aligning digital with consumers’ own expectations around trust and safety—and even greater control of their own data.

In the end, then, GDPR might force the industry to act on trust in ways it might not have otherwise done.

None of that lessens the anxieties and activities companies are undertaking, nor are all digital players “ready.” While Facebook CEO Mark Zuckerberg professed during his grand apology tour of Europe that Facebook would be GDPR-compliant by the deadline, the fact is that people are trying to interpret not just the legislation, but also the guidance, and many are confused.

Given how deeply interconnected and interdependent companies are in this sector, the last-minute muddle about who is responsible for what under a new law is predictable, as much as is the whispered math presuming to calculate which companies will benefit and which won’t.

At this point, though, finger-pointing—a favorite game in digital—doesn’t equate to the preparation that each company is bound to take on its own, as its individual responsibility, not just to GDPR but to consumers’ expectations. The regulation is here, the industry doesn’t have a choice, and complaining doesn’t create compliance.

New businesses arise—again

As with every other disruption in digital, whenever there’s a wrinkle in the industry—whether it’s been measurement, or viewability (remember that?), or attribution and, now, this new legal threat—smart people have developed solutions that make them rich, even if their technologies last for only a moment and wind up confusing things even more. It’s no surprise then that some hope remains, even this late in the game, for the unicorn tool or service provider that will make this complex compliance challenge easier to deal with. Just make it all go away, if just for now.

Indeed, there is a burgeoning industry of consent-management platforms, as well as agency consulting opportunities, but relying on any outside force to deliver on time and complete compliance may be optimistic.

IAB Europe and the IAB Tech Lab stepped forward with a Transparency and Consent Framework that various players have had the foresight to adopt, including Quantcast. And IBM has offered to help companies comply with its own technology with the rather defense-department-speak name, “Resilient Incident Response Platform.”

Some data-driven companies have realigned their businesses, like Acxiom, which announced that it would revise its online portals in Europe, as well as the U.S., and potentially realize the value of its acquisition a few years ago of LiveRamp, a data-onboarding company. Two marketing tech firms have taken more drastic steps and pulled out of Europe altogether: Cross-device identity specialist Drawbridge decided to do so in March, followed by location-data company Verve.

Let’s take a look here, gathered in one place, at some solutions industry players have released:


Many marketers are rightly spooked by their potential exposure via data that sits outside of their immediate control in the nether regions of their supply chains. They’ve been pushing on their ad tech vendors to assure them they’re in compliance, and that seems to be an advantage to some of the larger suppliers of data sets.

Duracell, according to a recent Digiday report, “has told data resellers that they will need to prove they will do so in a way that’s compliant with the regulation; otherwise, it will notify the rest of its supply chain that they have been cut off.”

Heineken’s recently reported moves to take its ad verification in-house might well have the added benefit of providing some of the transparency needed for GDPR compliance of its vendors.


We’ve all been inundated with notifications, such as those from Twitter, about new privacy controls, mostly befuddling consumers who have not been as keenly aware as the industry of what GDPR means.

Axel Springer—the German company that is the largest digital publishing house in Europe and owns Business Insider and the German edition of Rolling Stone, among many other titles like Bild—is making news with its activist approach to GDPR compliance. The company has spoken with lawmakers, been open with results of its tests of consent messages and published a whitepaper about how it is technologically lessening its advertising dependence on Google—a move assumedly related to its desire to be more independent ahead of the GDPR.

Now on to Google: The advertising giant has made proactive moves ahead of the GDPR deadline to adhere to the new law. There have been lots of screaming voices asking, oddly, for Google to take sole responsibility for complying with consent obligations. Wouldn’t publishers naturally wish to obtain consent and reinforce their first-party relationships?

Google—for better for worse, as history will tell us—has in fact taken responsibility for what it sees as its obligations under the GDPR, and it has helped publishers do so, as well. It has produced a collection of products including consent tools for publishers, improved privacy controls for users and open-source code for developers to enable easy data transfers.

Applause goes to all of those stepping forward to find their own way in this confusing time. Of course, the industry must answer to the regulators, even as it is grappling with some inconsistency in the guidance coming from the regulators and attorneys. But soon enough, the rules will be clear, and compliance will not be a choice.

Although the focus now is on regulators and industry actions, the ultimate outcome might be that GDPR is a catalyst for the kind of change that leads to greater trust in digital. If we get there, not only the industry, but consumers, could well be the winners—the true harbinger of success.

David Doty was most recently executive vice president and chief marketing officer of IAB, and he currently advises The 614 Group, digital ad-tech companies and digital publishers, including Google.

@daviddotynyc David Doty was most recently executive vp and CMO of IAB, which he joined in 2007 after seven years at Booz Allen Hamilton. Today, Doty advises The 614 Group, digital ad tech companies and digital publishers including Google. His views are his own.