Home Data-Driven Thinking An Evolution, Not A Revolution: Underscoring The Nuances Of GDPR
OPINION: Data-Driven Thinking

An Evolution, Not A Revolution: Underscoring The Nuances Of GDPR

By AdExchanger

SHARE:

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Guillaume Marcerou, global privacy director at Criteo.

When General Data Protection Regulation (GDPR) goes into effect on May 25, it will unify the various data privacy laws that exist across all 28 member states of the EU, including the UK.

This is a nuanced but critical point. Major global corporations with EU offices are already accustomed to complying with country-level data privacy and security requirements and are thus already complying with key elements of GDPR.

As the clock winds down to the regulation, it is imperative that marketers understand the intricacies of the policies, beginning with the areas for interpretation most commonly misconstrued.

The True Purpose Of GDPR

The GDPR aligns data protection policies across EU member states while providing consistent application and enforcement by local data protection authorities in each EU member state. Its objectives are to:

  • Modernize the legal system to protect personal data in an era of globalization and technological innovation.
  • Strengthen individual rights while reducing administrative burdens to ensure a free flow of personal data within the EU.
  • Bring clarity and coherence to personal data protection rules and ensure consistent application and effective implementation across the EU.

User Consent Qualifications

Since 2009 and the amendment of the ePrivacy EU Directive – also known as the cookie directive – in-browser messages have been the rule to obtain cookie consent within the EU.

There is an important difference between unambiguous and explicit consent.

Explicit consent means the user must opt in. This applies to sensitive personal data such as race, religion, sexual orientation, political affiliation and health status.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Daily Roundup

Daily News Roundup

What’s The Protocol?; It Might Be Time For X To See Itself Out

The GDPR requires companies to obtain unambiguous consent from users. For example, a message may be first shown to inform users, and then if users click any link on the page, they must acknowledge the use of cookies. This includes a user continuing to browse a website. Since online identifiers – cookies – alone are categorized as nonsensitive personal data, an explicit opt-in is not required.

This definition of nonambiguous consent is supported by numerous international governing bodies and agencies, including the guidance issued by the Spanish Data Protection Authority and other authorities.

Important Definitions

Consent can only be valid if it is “freely given,” where the data subject can exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he or she does not consent. Ultimately, users must have the ability to refuse services directly from the cookie message without suffering any consequences.

For consent to be valid, it must be “specific” and “informed” by appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable. For example, an opt-out message that specifically informs users they are consenting to “cross-site tracking technology” would not pass muster.

Finally, consent must be “nonambiguous” and derive from an active behavior from which consent can be reasonably deduced. For example, a nonambiguous action would be when an individual continues to browse a website by clicking on a link on the page and accepting the use of cookies to monitor his or her browsing after specifically being informed by an in-browser message. By continuing to browse the website he or she accepts the use of third-party cookies for personalized advertising purposes.

The GDPR is a positive development that will foster trust in the digital economy and provide an environment of transparency, control and certainty for advertisers and customers. If GDPR provides efficient tools to reinstate trust in the ecommerce ecosystem, it comes with a shared responsibility for all actors to review their practices to effectively make this trust happen.

Follow Criteo (@criteo) and AdExchanger (@adexchanger) on Twitter.

Must Read

PODCAST: The Big Story

The Big Story: Live From CES 2026

Agents, streamers and robots, oh my! Live from the C-Space campus at the Aria Casino in Las Vegas, our team breaks down the most interesting ad tech trends we saw at CES this year.

Monopoly Man looks on at the DOJ vs. Google ad tech antitrust trial (comic).
antitrust

2025: The Year Google Lost In Court And Won Anyway

From afar, it looks like Google had a rough year in antitrust court. But zoom in a bit and it becomes clear that the past year went about as well as Google could have hoped for.

Measurement

Why 2025 Marked The End Of The Data Clean Room Era

A few years ago, “data clean rooms” were all the ad tech trades could talk about. Fast-forward to 2026, and maybe advertisers don’t need to know what a data clean room is after all.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Publishers

The AI Search Reckoning Is Dismantling Open Web Traffic – And Publishers May Never Recover

Publishers have been losing 20%, 30% and in some cases even as much as 90% of their traffic and revenue over the past year due to the rise of zero-click AI search.

CES 2026

No Waiting for May – CES Is Where The TV Upfront Season Starts 

If any single event can be considered the jumping-off point for TV upfronts, it’s the Consumer Electronics Showcase (CES), which kicks off this week in Las Vegas, Nevada.

Comic: This Is Our Year
Comic

Comic: This Is Our Year

It’s been 15 years since this comic first ran in January 2011, and there’s something both quaint and timeless about it. Here’s to more (and more) transparency in 2026, and happy New Year!

Popular

  1. CTV

    Interactive CTV Ads Were Mostly Talk – Until Now

    For years, interactive CTV advertising was the star of industry demos – promising, flashy and mostly theoretical. In 2025, they finally made the leap from proof of concept to practice.

  2. agentic AI

    AI Agents Are Taking Over NBCU’s Linear TV Buys

    NBCU is testing agentic systems that can automatically activate campaigns across its entire portfolio – including live sports on linear.

  3. CTV

    Amazon Ads Shares Interactive Video Best Practices At CES 2026

    Maggie Zhang from Amazon Ads talks interactive video strategy, including opportunities on Amazon Prime Video and which genres drive the most engagement.

  4. Measurement

    Why 2025 Marked The End Of The Data Clean Room Era

    A few years ago, “data clean rooms” were all the ad tech trades could talk about. Fast-forward to 2026, and maybe advertisers don’t need to know what a data clean room is after all.

  5. Daily News Roundup

    Who Would Grab The Live Wire?; AI, AI Everywhere

    Off Ramp Publicis signed a deal to license LiveRamp’s RampID and Authenticated Traffic Solutions (its alternative IDs to third-party cookies) on behalf of clients. This alone is hardly major news. After all, LiveRamp sells its cookieless identity products to all the major holdcos.  But Ad Age also reports that Publicis execs were “exploring” the idea […]