The two most important considerations for the impact of GDPR are 1) how to get consumers’ "consent" to use their data and 2) whether a given company is a "data processor" or a "data controller."
Very roughly speaking (remember, don't tweet at me!), you are a data controller if you own the data in some form or decide how to use the data. You are a data processor if you just move the data around for your customers and take no control. If you are a data controller, you need explicit consent from the end user and are held to much higher standards for security and control.
Here's a quick scientific diagram showing the relationship between the ability to get consent and whether your business model requires you to be a data controller or processor:
Let's rank different technology sectors from least affected to most, measured using my proprietary scale, the Flaming Euros™:
Brand advertisers: 🔥€ (one Flaming Euro)
The truth is that brand advertisers often have surprisingly little first-party data about their consumers, and the new requirements to get consent are unlikely to change their programmatic buying habits. Business as usual.
Mar tech: 🔥€ (one Flaming Euro)
Mar tech is a very big sector, so at the risk of overgeneralization I'll say that most companies in this area are clearly data processors and take orders on how to process customer data from their customers.
If you are an email provider, a social metrics dashboard or a CRM-like system, you are primarily working with first-party, permissioned data. Further, your customers are usually in direct contact with the end user and can viably ask for consent. For these companies, surely there will be increased security and regulatory hassle, and the total volume of data may take a hit, but the fundamental business remains sound.
Attribution and analytics vendors: 🔥€ (one Flaming Euro)
Attribution and analytics vendors fall within the same rough outline as mar tech vendors, and they should be fine. There may be more gaps in the data as consumers deny consent, but the fundamentals are intact.
Publishers: 🔥€🔥€ (two Flaming Euros)
The reduction in data available to buyers should reduce programmatic media prices, which should reduce revenue to publishers. However, the countervailing point of view is that buyers will have fewer media options and will have to turn to publishers’ second-party data or contextual data to achieve their goals, thus increasing revenue to publishers.
Among all the players, the effect on publishers is the most unclear.
Ad servers: 🔥€🔥€ (two Flaming Euros)
Similar to mar tech vendors, typical ad servers process data on behalf of their customers, who will likely have to ask consumers for consent. Sell-side ad servers likely are not affected much at all since the publishers they work with will have a relationship with the consumer.
Buy-side ad servers and rich media companies, however, regularly collect personal data on sites and users for which they do not have direct consent. In a strict reading of the regulations, activities such as delivering log files, cross-site frequency capping and collecting user information could be seriously degraded.
Data management platforms (DMPs): 🔥€🔥€ (two Flaming Euros)
DMPs collect, process and analyze first-party customer data. If the first party has consent, they're in the clear. But similar to ad servers, collecting passive data from ad delivery and other sources will be degraded by the need for consent.
Supply-side platforms (SSPs): 🔥€🔥€ (two Flaming Euros)
I've personally spoken to two leading SSPs/exchanges that gave radically different points of view. One leading exchange boldly told me, "We're a processor, so nothing to worry about." Another asked me to sign a new and onerous 10-page contract.
The bottom line: If an SSP is just executing auctions on behalf of publishers, they should be minimally affected. If an SSP is also overlaying data, they could be prevented from doing so in Europe – but who gets data from an SSP anyway?
Demand-side platforms (DSPs): 🔥€🔥€ (two Flaming Euros)
Core DSP services are in the same bucket as SSPs – processing trades on behalf of customers – so there is little need to get direct consent. However, many DSPs have developed proprietary data sets or cross-device graphs, and these will be very hard to maintain under the new regime unless you're Amazon or Google. DSPs may also be required to curtail services, such as log delivery and lookalike modeling, in the same way as buy-side ad servers.
Data exchanges: 🔥€🔥€🔥€ (three Flaming Euros)
So, your business collects user data from lots of different online and offline sources, then combines and sells it to different parties across the ecosystem? I think we've found patient zero for GDPR compliance. Sure, you can get all your data sources to obtain consent, but when the data is literally the lifeblood of the business, any degradation in collection will hit the bottom line linearly.
Direct-response advertisers: 🔥€🔥€🔥€ (three Flaming Euros)
Like retargeters, direct-response advertisers rely on data to get results, so a reduction in data is not in their favor. However, they can employ many channels and strategies to drive their KPIs and may be able to shift spend to retain ROAS in this more difficult environment. Unclear overall.
Retargeters: 🔥€🔥€🔥€🔥€ (four Flaming Euros)
Content recommendation engines: "We are the most hated sector in ad tech."
Retargeters: "Hold my beer."
A lot of hot air is coming from the retargeting sector in advance of GDPR, probably because they know that every consumer who denies consent is directly tied to revenue loss. Regardless of the interpretation of consent, it is a sure bet that some retail customers in Europe will choose to stop working with retargeting vendors to avoid risk, and some (or many) customers will opt out. No bueno.
Ad networks not owned by Google, Facebook or a telecom: 🔥€🔥€🔥€🔥€ (four Flaming Euros)
They say you shouldn't watch sausage get made, and ad networks are like, "Don't worry about it, have a currywurst." Well, we're going to regret it tomorrow when the opaque data filling the delicious natural casing goes missing and we're left with nothing but offal and spicy sauce*.
* This is clearly the last time I'll be invited to write for AdExchanger.
Location vendors: 🔥€🔥€🔥€🔥€🔥€ (five Flaming Euros)
Hey dude, where'd you get that location data from? Did you get consent? I didn't think so.
Cross-device vendors: 🔥€🔥€🔥€🔥€🔥€ (five Flaming Euros)
"Probabilistic graph" becomes a euphemism for "no consent."
And The Winners Are ...
It is worth noting there will be some real winners from GDPR, worthy of a positive award, which I call the GDPR baguette™:
Blockchain vendors: 🥖 (one baguette)
Really not sure how blockchain is relevant here, but if you've read this far I'm sure you'll buy my coin; I call it ICOnsent™.
Consent vendors: 🥖🥖 (two baguettes)
Nothing like ad tech to bring out the new vendors. There's definitely upside for vendors managing cross-vendor consent, but they only get two baguettes because, ultimately, it's not that large of an opportunity.
Contextual targeting vendors: 🥖🥖🥖 (three baguettes)
No consent needed to tell me I'm on a site about cool stuff. As user data declines in ubiquity, site data increases in value. This is a no-brainer.
Google, Facebook and Amazon: 🥖🥖🥖🥖 (four baguettes)
While the GDPR movement was largely meant to tamp down the power of the American tech giants, it will likely have the opposite effect because their direct consumer relationships allow for meaningful dialogs about obtaining consent.
The lawyers: 🥖🥖🥖🥖🥖 (five baguettes)
I bet you can't wait until the first multimillion-dollar lawsuit is filed for GDPR violations. Neither can they.