The Post-GDPR Digital Advertising Industry

(1)

Faculty of Humanities

The Post-GDPR Digital Advertising Industry

Dana Lamb

Toronto, Canada

Danalamb96@gmail.com

Student Number: 12186899

Master Thesis

Master of Arts (MA) in New Media and Digital Culture

Supervisor: Thomas Poell

Second Reader: Niels van Doorn

(2)

Abstract

This thesis explores perspectives from the digital advertising industry, regulating authorities, non-governmental organizations (NGOs) and academics, on privacy and its associated regulation in European domains. This research will take place in the context of the General Data Protection Regulation (GDPR), which was first enforced in May 2018, and is focused on legally protecting all personal data belonging to EU residents. This thesis aimed to develop an understanding of the current configuration of actors in the post-GDPR ecosystem and uncover the tensions between advertisers in digital industries and the governments and privacy advocates that work to enforce regulations upon these bodies. The importance of this research is in illustrating how effectively the GDPR was integrated into the digital advertising industry, and whether regulator’s goals with its implementation were reached. The theoretical perspectives were drawn from scholars that have focused on the amplification of privacy concerns from the datafication of users lives, as well as antitrust concerns from platform companies, advertisers and other stakeholders involved in data collection. Other perspectives were examined on the social and political effects for these various stakeholders from regulatory frameworks enforced on digital industries, specifically in Europe. Data was collected from online sources and then analyzed qualitatively through content-analysis of reports, blogs and conferences from industry professionals, as well as NGOs

advocating privacy reform, academics and regulators. Ultimately, this research discovered that while many industry professionals are focusing on incorporating ethical principles into their practices, there are still inequalities in digital ecosystems that have not effectively been combated as anticipated by the GDPR.

(3)

1. Introduction

Digital platform companies, data intermediaries, and advertisers are constantly looking for new ways to gather more data about consumers to profile and target them with personalized

advertising and services. As critical media scholars have pointed out, this constitutes a major invasion of personal privacy and threatens a range of key public values. Turow (2012) explains that users are developing an awareness of businesses profiling their data, creating possible social tensions as advertisers assign value to users without them knowing what personal information was used or how it was collected. From Turow’s (2012) perspective, privacy concerns usually revolve around individuals’ lack of knowledge over how their personal information is collected and stored, stemming from a lack of transparency from companies. Similarly, McStay (2012, p. 599) states that “while our mediated lives become increasingly transparent, those who seek to profit from our data are incredibly opaque.” Therefore, Kennedy (2016 notes that while data-mining practices have propelled advertising businesses forward, they have also received backlash from advocates of individual privacy that are concerned over the possibilities of surveillance, privacy invasion, and advertising discrimination. The main problem with the lack of

transparency according to Van Dijck et al. (2018) is that public values are not clearly articulated in digital industries and this, accompanied by the lack of accountability in governing data, threatens the order of democratic society. For Van Dijck et al. (2018, p. 139), “If societies want to create a platform structure that reflects and constructs a democratic order, they need to strive to implement public values and collective interests in the ecosystem’s design.” Generally, what threatens democracy from these perspectives is the lack of fairness in governance when

addressing potential privacy violations in advertising processes that has led to an absence of control and autonomy for users over their personal data.

Public concern has, however, especially been triggered by scandals, such as the Cambridge Analytica controversy. While there are constant headlines about data breaches in large companies, this was a particularly striking event as millions of user’s data was unknowingly taken, by a third-party provider, from one of the largest social media companies in the world (Tieu, 2016). What made Cambridge Analytica’s data breach even more concerning, was that Facebook failed to warn any of their users that their data had been accessed without consent

(5)

(Tieu, 2016). The magnitude of this controversy demonstrated how digital companies may not adhere to ethical standards in ensuring transparency of their practices and can therefore fail to uphold accountability for their audience’s privacy and security. Data breaches such as

Cambridge Analytica’s have not only increased public concern but has also pressured governments to challenge personal data processing and develop legal reform that can protect citizens from the consequences of such practices. According to McStay (2010), governments have become more attentive to privacy invasions in the digital industry as it is their role in a democracy to protect its citizens freedom of both their personal lives and from coercion by the state, including surveillance. Echoed in a statement by the United Nation (2001); “Democratic governments around the world have unequivocally declared that protection of citizen privacy is essential to the robust development of e-commerce.”

One legislation in particular was enforced in May 2018 by the European Union (EU) and is known as the General European Data Protection Regulation (GDPR). This law was set in motion to protect EU citizens from potentially threatening uses of their personal information in business practices by increasing transparency of data collection activities (Sarathy & Robertson, 2003). Yet, while EU officials have taken steps toward regulating data collection processes and protecting individual’s privacy, advertisers have also needed to take responsibility and work alongside these laws to protect the privacy of their consumers. Privacy controversies are potentially damaging businesses that collect user data for their services by reducing consumers trust and therefore decreasing their will to invest in companies’ products. One of the goals of the GDPR is that by being mindful of consumers democratic rights, businesses will build trust and loyalty among their customers. Importantly then, the GDPR is focused on businesses success, just as much as it is on individual’s protection. A fundamental component of the privacy

regulations then is for advertisers to gain users trusts, as a lack of trust is what drives consumers away (Sarathy & Robertson, 2003). The GDPR therefore aims to reinforce the trust of users in companies’ practices by providing individuals with increased control and management over their personal information online (Tikkinen-Piri et al., 2018). Along with building trust in consumer-business relations, the GDPR’s standards are meant to benefit consumer-businesses by deconstructing monopolistic structures to create more opportunities to enter the EU digital market (Bohmecke-Schwafert & Niebel, 2018). Therefore, by regulating the market, the EU is hoping to equalize

(6)

opportunities for businesses, allowing them to compete on a more level playing field. While new privacy laws have propelled advertisers within Europe to be more mindful of users’ privacy, the hope of these regulations is that they will motivate an industry-wide movement towards

increased transparency and user-control over personal data.

While new regulation is in place, the question is whether it will adequately address the concerns over privacy and other public values and prohibit major data breaches in the future, while at the same time establishing a flourishing and trustworthy business environment. Over the past decades, the advertising and data industry has continued to find new ways to gather more data about consumers. Hence, a vital question is whether this industry is willing to comply with the stricter data protection laws. To examine this issue, this thesis analyzes the key claims advanced by data industry professionals about the GDPR. In addition, the research will look at the

assessment of the current situation by Non-Governmental Organizations (NGOs) that advocate for user’s privacy and academics who have researched the digital ecosystem in relation to privacy and data protection regulations. This analysis provides insight in the key tensions and concerns that characterize the current European data protection regime.

Therefore, this paper will look at how digital advertising professionals have been challenged by the GDPR’s enforcement and how they have responded to these barriers. The questions posed throughout this research are as follows: are industry professionals focusing more on

individuals’ democratic rights and freedoms since the GDPR’s implementation? Has the GDPR helped level-out uneven power structures in the digital ecosystem? Have businesses proposed solutions that are more ethical than the practices the industry had been reliant on before the GDPR? Resources for this research will be collected in Europe as it has much stricter

regulations for these digital practices than other countries around the world. It is then important to understand how advertisers, publishers and others within the digital advertising industry, and their work, are impacted by such regulations. Moreover, the focus on digital advertisers as key actors will hopefully encourage more serious evaluations of their work, rather than simply demonising them as capitalist hungry businesses, and hopefully prompt them towards more ethical practices.

(7)

The following sections will therefore explore how advertisers can engage with the challenges posed by the GDPR, along with users’ democratic expectations of privacy, in an effort to

develop advertising strategies within these constraints. This will include a systematic analysis of how to resolve the tensions between advertising, regulations and democratic citizenship. By examining these tensions and how advertisers can confront them, this research will lay-out the current configuration of digital advertising practices in Europe from the perspectives of all parties with a stake in this issue. These perspectives include actors from within the digital advertising industry, regulators, privacy organizations, and academics. The following theoretical framework will provide an overview of the previous research into digital businesses and the GDPR, as well as scholars views on certain areas that have gained focus since its

implementation, such as citizens democratic rights and power hierarchies. The subsequent chapters will then include qualitative analyses on GDPR perspectives from digital marketing industry professionals alongside those of EU regulators, NGOs and academics. This research will analyze all these stakeholders’ views through content-analysis of blog posts, industry reports, and conferences. Ultimately, the goal is to demonstrate how digital advertising practices and mindsets have changed to adapt within Europe’s current legal, cultural and technological configuration.

(8)

2. Theoretical Framework

The globalized development in digital technologies and services has been accompanied by the progression towards a digital economy that has been centered around capitalizing on individual’s personal data (Bohmecke-Schwafert & Niebel, 2018). Within this economy, businesses

associated with the advertising industry have grown accustomed to the free flow of personal data that can be collected, processed and used in a wide variety of services, including personalized and targeted advertising. While this reliance on ‘Big Data’ has provided businesses working in digital markets with a competitive advantage to support their growth, it has also simultaneously amplified privacy concerns from the public (Hartmann et al., 2016). Many scholars have examined a range of problems associated with data collection processes, which leads to an examination in the following literature of whether these issues can be combated by regulation, more specifically the GDPR.

Many advertisers claim that consumers are willingly trading personal information for their services because they have the option to opt-out if they wished to do so (McStay, 2012). However, this was challenged by an empirical study conducted by Turow (2003) into why the public often exchanges their privacy for services provided by online platforms. Turow (2003) found that his participants were generally confused with what companies do with their data and how they profit off of its use, as well as how to protect their personal information. Therefore, while users are given the option to opt-out, most are either not given information on how to do so or were not aware they could even do so in the first place. Participants in the study also became unhappy when they were told about the techniques employed by online organizations for data processing (Turow, 2003).

This lack of transparency on the part of organizations and inability to control personal

information about oneself has threatened to undermine democratic rights of citizens. Similarly, Couldry and Turow (2014, p. 1710) came to the conclusion that “big data’s embedding in personalized marketing and content production threatens the ecology of connections that link citizens and groups,” which has implications on individuals’ democratic freedoms. This claim is based on marketers use of big data to place users into categories that are used to determine how they are treated online and what personalized content they will be shown. While marketers

(9)

constantly justify this use of data by emphasizing their ability to connect relevant content with individuals, the repercussion is that people’s constructions of reality are manipulated by the different ways in which they are categorized (Couldry & Turow, 2014). This is harmful to the democratic rights of individuals by giving them limited control over how their personal data is used and subsequently how they are treated online (Couldry & Turow, 2014).

Specifically, within the general importance of democratic citizenship, there are a range of public values that are threatened users lack of control over their personal data. Van Dijck et al (2018) understood the importance for digital business models to focus on articulating public values pertaining to both individual consumer rights, as well as maintaining an open and reliable internet. In particular, Van Dijck et al (2018, p. 140) made a claim about one of these values stating that, “without privacy, citizens can no longer be assured that they have control over their own lives; the right to autonomy and sovereignty of individuals, of course, should always be weighed against the interests of communities.” Another key issue is the public value of

transparency which “applies not just to flows of data and algorithms but also to business models and the ownership status of platforms” (Van Dijck et al., 2018, p. 140). While these public values are important to every individuals’ lives, Van Dijck et al. (2018) explain that the problem is a lack of universal guidelines for articulating these values and ensuring digital ecosystems claim responsibility for public concerns. Therefore, Van Dijck et al.’s (2018) research looks at how techno-commercial strategies and user practices of digital platforms can co-evolve with the focus of promoting public values and the common good.

Moreover, Draper and Turow (2019) conceptualized consumers inability to do anything about companies’ surveillance tactics that take advantage of individuals privacy to generate revenue for their businesses. This condition was defined as ‘digital resignation’ and used to shed light on the dynamics of corporate practices that take control over consumers personal information and “shape uneven power relationships between companies and publics in the digital age” (Draper & Turow, 2019). What Turow (2015) was concerned about in the issue of privacy was citizen’s belief that they have no agency in commerce, which is a central area of democratic society. Therefore, citizens feel that they cannot change government or business policy or learn about and manage their personal information when they want to (Turow, 2015). This is the point where

(10)

consumers experience digital resignation, the feeling that while they want to gain control over their personal data, they will never achieve this (Turow, 2015).

Therefore, Turow et al. (2015) emphasizes that corporate organizations need to be held

accountable by public organizations, such as public interest groups and governments, in order to encourage openness and transparency. Theoretically, if activists and government agencies develop a clear definition of transparency, they can create a standard that all businesses need to be held to or otherwise will be called out so that the public can stay away from businesses with bad values (Turow et al., 2015). Similarly, Kennedy and Moss (2015) argued that data mining and analytics need to be democratised in order to enable agency in users when dealing with their data. One of the steps they say needs to be taken to achieve this aligns with Turow’s (2015) statements that in order to address the negative effects of data mining, it needs to have greater public supervision and regulation (Kennedy & Moss, 2015). It is therefore important for this research to focus on whether the GDPR has been able to protect individuals’ democratic rights and create active agents in issues concerning their personal data.

The intent for regulators in the EU with the enactment of the GDPR has been to combat the uneven power dynamics in the digital economy and protect citizens democratic rights. Therefore, this research will compare regulators goals with the implementation of new privacy laws to perspectives on this heightened regulation from within the digital advertising industry. This will help to uncover whether EU policies or privacy initiatives have ignited more concern in

companies’ strategies for individuals’ democratic rights, potentially leveling out some of the uneven power structures.

1.1 Purpose of the GDPR

Due to the potentially invasive aspects of data mining, some countries have taken action to protect their citizens. The United States and Europe both deal with significant amounts of consumer data yet have considerably different approaches to regulating their privacy. To illustrate the divergent methods of privacy protection, in the US, current privacy laws do not intervene through regulation, rather they depend on self-regulatory measures and have different statutes for public and private sectors (Tikkinen-Piri et al., 2018). The US believes that privacy

(11)

disputes should be handled at the level of companies and their customers rather than requiring governmental intervention to police these issues (Sarathy & Robertson, 2003). Europe, on the other hand, has taken a firmer stance when it comes to protecting consumers data privacy and regulating digital marketing practices (Sarathy & Robertson, 2003). Europe takes this approach as they see how privacy is integral for the protection of human dignity and fostering personal relationships for all EU citizens (Newell, 2011). Comparing these two countries, Newell (2011, p. 7) argues that “European-based privacy laws focusing on the right to a private life, viewing privacy as a respected aid to relationship building and as a vehicle to protect personal dignity, more accurately reflect the realities of the digital age and properly protect individual privacy on the Internet.” Further, to ensure these protections can stay on top of evolving technologies that possibly threaten user’s privacy, the EU is constantly updating data protection regulations. Therefore, researchers have noted, “Europe’s system of regulating digital advertising is considered much more robust than that of the US (Serazio & Duffy, 2018, p. 490).”

The developing regulations imposed on the EU digital market have produced many differing opinions, which is what will be analyzed in this research. The contribution of this research will therefore be through collecting perspectives on the current regulation (GDPR) that is enforced on the digital advertising industry and determining how these views diverge and connect with one another. The intended result is to produce an outline of perspectives that incorporate the most commonly reported views from actors with a stake in the issue of the GDPR. In order to analyze how digital advertising organizations are adjusting to new regulatory frameworks, it is important to first overview how these businesses are currently governed in the EU. The General Data Protection Regulation (GDPR), which was first enforced in May 2018, is the newest form of legislation that covers personal privacy in the EU (Tikkinen-Piri et al., 2018). The main purpose of the GDPR is to legally protect all personal data belonging to EU residents, based on the premise that “personal data is information that, directly or indirectly, can identify an individual, and specifically includes online identifiers such as IP addresses, cookies and digital

fingerprinting, and location data (Goddard, 2017, p. 703).” With this EU regulation, new basic principles of privacy protection have been enforced which include transparency, consent, data minimization, purpose limitation, the rights of data subjects (information, access, rectification, right to be forgotten and erasure, data portability) as well as restrictions on profiling (Kerber,

(12)

2016). In a report published by the European Commission (2018), the official aims for the GDPR were as follows: clear language, consent from users, more transparency, stronger rights, and stronger enforcement.

Another goal of the GDPR was to standardise data protection laws across the EU, so organizations do not have to waste time and expenses on complying with several different industry protocols and trade rules (Tikkinen-piri et al., 2018). The birth of this European-wide legislation dates back to the 1970s when EU countries, including Germany, Sweden, France and Denmark, started introducing local legislation for privacy protection in each country (McStay, 2010). Methods of electronic trade then became difficult as the local protection laws in the various countries differed greatly, making it necessary to create an EU-wide data protection policy (McStay, 2010). Therefore, the current regulation (GDPR) is tasked with enforcing the fundamental rights of EU citizens through the protection of personal data, while simultaneously overcoming the fragmentation of national data protection laws to create a more effective and harmonious digital market (Kerber, 2016).

In order to balance competing individual and public interests in Europe, the implementation of this new privacy law was grounded on the promotion of individual autonomy and greater control over personal life, as well as greater transparency of individuals roles in business practices (Newell, 2011). Respecting individual autonomy also enhances rights to self-determinations, which is at the basis of informed consent (McStay, 2012). In the past, the advertising industry has argued that users who use services and platforms without opting out of data collection methods, particularly through tracking cookies, were granting tacit consent (McStay, 2012). However, the GDPR perspective understands that most users are unaware of the presence of these web cookies and therefore taking no action against them cannot be considered consent. Businesses often use tracking cookies to identify people online and categorize their behavior, which are “commonly described as providing the web with a memory” (McStay, 2012). “Cookies are small text files placed on a user’s computer by a web browser that stores credentials that identify each session between a browser and a server and the interactions between a user’s terminal and a given website (Mcstay, 2012, p. 597).” Under the GDPR, cookies can only be used if a user has given explicit consent and they must first be fully aware

(13)

about the information being stored in the cookies and why they are shown particular advertisements (Frenkel, 2018).

Another provision of the GDPR is the “right to be forgotten,” which allows individuals to ask companies what personal information has been stored in their profile and to request the removal of any of this data pertaining to themselves (Frenkel, 2018). Therefore, the GDPR requires marketers to secure explicit permission for data-driven activities within the EU and increase transparency on their use of data. Essentially, the main purpose of this new EU data protection legislation is to safeguard consumers privacy and give them greater control over how their data is collected and used. Along with protecting citizens privacy, the GDPR was also implemented to benefit businesses in digital markets by tackling monopolistic structures, increasing the quality of consumer data and digital provisions due to increased competitive pressures, as well as fostering consumer trust (Bohmecke-Schwafert & Niebel, 2018). This research will therefore seek to establish whether working professionals in the digital economy are more focused on the beneficial intentions that regulators had when implementing the GDPR or if they are focused on how this law has interfered in the status quo of their previously relied upon data-driven business models. In other words, has the digital advertising industry accepted the GDPR and used it to develop new strategies that focus on citizens democratic expectations of privacy? or are industry professionals still recovering from the GDPR’s impact on their businesses?

One of the main targets for the GDPR was to act as a regulatory tool for challenging the dominating market power of some companies, mainly technology platforms, in the digital advertising industry (Van Dijck et al., 2019). Importantly then, Van Dijck et al. (2019) analysed current regulatory frameworks and the need for them to address the issue of platform power in its operations within digital ecosystems. Their analysis contributes to efforts for governing the future platform society by suggesting that governments should look beyond a single regulatory framework by considering “the articulation of a comprehensive set of principles that can be applied to the platform ecosystem” (Van Dijck et al., 2019, p. 17). Alternatively, the research of this thesis seeks to understand how the EU has enacted a single regulatory framework,

(14)

technology platforms, as well as advertising networks and advertising technology companies, advertisers, publishers and media buyers.

Therefore, the GDPR falls under a variety of other regulatory proposals that aim to challenge the power of large technology platforms and according to Gorwa (2019), question the appropriate balance of responsibilities between actors such as platform companies, users, advertisers, and governments. To determine who social and political responsibilities fall to, Gorwa (2019) used the concept of ‘platform governance’, which encompasses the many governance relationships that structure interactions between the aforementioned actors. The approach of platform governance is important to this thesis’s research as it is focused on the governing structures surrounding technology companies. More specifically, how platforms are governors that make political decisions in their engineering of technologies that are deeply integrated in users lives, while also being subject to state-governance mechanisms themselves (Gorwa, 2019). These worries over platform power are central to the framework of the GDPR as Van Dijck et al. (2019, p.4) note that it “extends beyond mere economic concerns and pertain not just to markets but to society as a whole.”

Due to growing concerns from citizens, policymakers and scholars, Gorwa (2019) and other academics emphasize the importance of evaluating the influence that platform companies, such as Facebook and Google have in public and political life to ensure that such corporations are held more democratically accountable. In a similar way to how the politics of platforms are guided by navigating the contrasting interests of users, advertisers and regulators, this thesis seeks to demonstrate how the GDPR has intervened in the interactions of the many stakeholders in the digital advertising industry, with the goal of challenging unethical practices. In other words, how the set of guidelines and norms that have been enforced with the GDPR have fit into the

contrasting interests of all actors associated with the digital advertising industry. What Gorwa (2019) and Van Dijck et al.’s (2019) analysis does not cover is the other areas of the digital advertising industry that were impacted by the GDPR that are not related to platform companies. While this research will explore power structures of all stakeholders in the industry, it will also look at how public values, such as privacy and control over personal life, have been impacted by the GDPR’s intervention in digital practices.

(15)

Therefore, the importance of this research is to demonstrate how the GDPR has impacted the digital advertising industry and how the various actors involved have responded to it. This is especially important in the wake of EU’s proposal for stronger regulations in the upcoming year. Data protection policies are set to become even more strict as the EU has announced a new ePrivacy Regulation that would replace the current ePrivacy Directive in either 2019 or 2020 (Meyer, 2018). The EU government favour more tightly regulated corporate practices which is why it is no surprise to see that they are following the GDPR with newer and more detailed regulatory standards. These future regulations are proposing to broaden the requirements for end-user consent to “electronic communications networks,” which targets mobile applications such as Facebook, Whatsapp, Instagram, Snapchat, etc (Meyer, 2018). The ePrivacy Regulation

specifically focuses on the issue of location data, which was not well-defined in the GDPR, as applications which track individuals’ movements over time through WIFI or Bluetooth

connections introduce “high privacy risks” (Meyer, 2018). The proposed regulations would require providers to display notices located on the edge of the area of coverage that can inform end-users prior to entering the defined area that a technology is operating with a given parameter, the purpose of tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection (ePrivacy Proposal, 2017, Recital 25).

As the EU continues to strengthen their regulations over data-driven businesses, certain

challenges and tensions are evolving from the digital advertising industry. This section will look at how previous scholars have studied these challenges and tensions and how this current

research will provide more systematic insight into the post-GDPR digital advertising industry.

1.2 Post-GDPR Tensions and Challenges

Companies have shown significant distress over European privacy regulations, mainly due to them seeing it as a deterrent to innovation, as well as the efficiency of online advertising by inhibiting the ability to target the right information to specific customers (Goldfarb, 2013). From an industry perspective, tensions have grown mainly due to data-mining being a core feature of digital advertising based on its ability to shed light on consumers buying habits. Users’

(16)

movements across different online sites, both their clicks and shared content, are tracked and placed in a file in order to determine how they should be targeted. From a marketer’s

perspective, surveillance and collection of user’s data is beneficial to their work as well as a business’s success. This data can be used by companies to determine their interests and satisfy consumers with the content they are shown. In order to target an audience, advertisers need to know who they are and what specific interests they may have, which makes data so important “because it is about people, what they do, what they buy, how they feel, and what their habits and interests are” (McStay, 2017, p. 75).

As privacy concerns revolve around the use of data, businesses claim that regulatory action to protect user’s personal information will potentially undermine the effectiveness of digital advertising due to data being essential to targeting (Goldfarb, 2013). From an advertiser’s

perspective, consumers receive compensation in the form of relevant content and a smoother web experience in exchange for handing over their privacy. Using personal data is what allows digital marketers to reach audiences associated with their products and facilitate long lasting

relationships with customers. Therefore, these new privacy laws have created tensions between industry professionals and regulators as marketers see “adware and other cookies-based

technology are legitimate business tools that enable customization and personalization of advertising” (McStay, 2010, p. 136). According to Turow (2005), one of the emerging logics amongst media firms and advertisers is to cultivate consumers’ trust so that audiences are less likely to object when companies want to track their activities. However, with these advertisers not being transparent as to what personal information is being extracted and stored and how exactly this data is being used, consumers grew confused and anxious. Therefore, the European Union intervened to make these practices more transparent and ensure the protection of their citizens personal lives.

Many digital businesses, mainly platform empires, have challenged privacy regulations because they can make billions off their users’ personal information by selling it to third-party advertisers that use their services. However, protection laws are put in place to protect individuals when these data collection processes become unsafe. While the privacy laws make digital advertising practices more difficult, they also ensure they will be carried out ethically and in consideration of

(17)

citizens’ rights. For instance, in the case of Facebook Cambridge Analytica, the data breach allowed third-party applications to access close to 146 million users’ private data, 87 million of which had not given their consent (Unbox Social, 2019). Therefore, laws such as the GDPR work to give control back to the users, allowing them to decide what information they wish to share with companies.

As digital advertising practices rely heavily on user data, they have had to make significant changes since the GDPR has been implemented. Furthermore, it is not only European companies that are affected by the new provisions as all companies that handle EU resident’s personal data, regardless of what country they are based in, are governed by the GDPR (Tikkinen-Piri et al., 2018). Therefore, while most well-known social networking platforms are based in America, those that have operations in Europe will have to comply with their own national legislation as well as the GDPR (Tikkinen-Piri et al., 2018). The result of this for any online platform with operations in Europe, is that they have to invest in the redesign of consent and privacy agreements in order to comply with the new regulations and find new GDPR-compliant

businesses models. Facebook, for example, has their international headquarters in Ireland and are therefore is directly impacted by the GDPR (Ingram, 2018). This is why, following the GDPR, Facebook attempted to give its users greater access to their own privacy settings by producing a new ‘global data privacy center’ – a page that lets users organize who sees their posts and what kinds of advertisements they are shown (Frenkel, 2018). Although it is a large investment for companies to ensure they are in full compliance with the regulations, it is in their best interest as those who do not comply with the GDPR guidelines can face fines that total up to 20 million Euros or four percent of their total revenue (Sarathy & Robertson, 2003).

While the data protection policies have created barriers to services that require personal data, there have been responses from the industry with how to work alongside the GDPR to create new and more ethical advertising strategies. Facebook’s ‘global data privacy center’ is just one

example of how businesses have transformed to ensure they are GDPR-compliant. This thesis will delve deeper into the digital advertising industry’s responses and proposed solutions following the GDPR to understand whether the regulation has been able to upend the current

(18)

industry and re-work it to be centered around individuals’ democratic rights and protecting privacy for all.

The International Association of Privacy Professionals (IAPP) is a resource for professionals in the industry that helps organizations manage risks and protect data. The IAPP (2017) conducted research involving close to five hundred privacy experts to assess the risk of not complying with various articles of the GDPR. The conclusions of this research found that the number one action that companies took in order to mitigate GDPR compliance risks was to invest in training employees on data protection and privacy (IAPP, 2017). The second most common response to the GDPR was for companies to invest in technological solutions (IAPP, 2017). Moreover, when they assessed the main barrier to GDPR compliance, IAPP (2017) found that 40 percent of respondents said the complexity of law, 22 percent said a lack of qualified staff, 17 percent said an inadequate budget, 14 percent said too little time, and 7 percent said a shortage of technology tools. The IAPP’s (2017) research was beneficial as it determined what privacy experts viewed to be the biggest challenges posed by GDPR compliance. Alternatively, the research in this thesis will look at these challenges from the advertising industries point of view as well as NGOs and academics. Therefore, the IAPP’s (2017) research can be used to compare privacy experts’ perspectives with the views of stakeholders analysed in this thesis to determine where they coincide and differentiate in terms of the GDPR’s outcomes.

Another group of researchers (Bohmecke-Schwafert & Niebel, 2018) evaluated the GDPR’s effects on data-driven business models by providing a case study of how the social media platform Facebook was implicated by the features of the regulation. These researchers focused their Facebook case study on the GDPR’s right to data portability which gives individuals “the right to have their personal data transmitted directly from one controller to another” [GDPR, 2018, 17, Recital 68]. With this GDPR feature, users are no longer locked-in to platforms that held their data as they previously did which preventing them from moving their data between platforms, such as switching from Facebook to Google (Bohmecke-Schwafert & Niebel, 2018). This not only protects user’s rights to their personal data but from a regulators point of view it also diminishes the lock-in effect which can distort competition by creating market barriers (Shapiro & Varian, 1998).

(19)

Furthermore, Bohmecke-Schwafert and Niebel (2018) also hypothesized the GDPR’s right to data portability would spur innovation. While user’s can now transfer their data to other digital companies, whether it is established platforms like Google or start-ups seeking to establish new business models, this also means that new users can bring their data to Facebook’s platform. The researchers predicted that this more streamlined method of exchanging information would

provide opportunities for companies like Facebook to increase the quality and value of their data, as well as their analytic tools. This would therefore improve the quality of consumer targeting on their advertisements, subsequently increasing revenues through these activities (Bohmecke-Schwafert & Niebel, 2018).

Bohmecke-Schwafert and Niebel’s research has therefore shown that there are both benefits and complications to the GDPR pushing companies to discover new business models. However, the researchers concluded that advertising-based companies should consider transforming their revenue models in light of more stringent data protection (Bohmecke-Schwafert & Niebel, 2018). Facebook for example, has talked about creating a second version of Facebook that is ad-free and subscription-based in order to reassure individual’s that their data is not vulnerable to leakage (Bohmecke-Schwafert & Niebel, 2018). This case study has demonstrated that although companies have had to make large adjustments in the wake of the GDPR, some have chosen to pay greater attention to their users’ democratic rights and protection of privacy. However, what still needs to be determined is how other businesses that rely on advertising-based revenue models have incorporated the GDPR’s guidelines into their practices to illustrate the configuration of the industry currently. The research in this thesis will therefore build on

Bohmecke-Schwafert and Niebel’s (2018) findings for the impacts of the GDPR on platforms by incorporating perspectives from other domains within the digital advertising industry.

While Bohmecke-Schwafert and Niebel (2018) focused research on the GDPR in private media, Sørensen and Bulck (2018) contributed to this field of research by analysing the use of third-party services before and after the implementation of the GDPR by public media websites. The results of their analysis found that while there were certain public service media organisations that maintained a very low level of involvement with third-party servers, those that tend to show

(20)

advertising on their website had a much higher engagement with third-party servers (Sørensen & Bulck, 2018). However, while there appeared to be a general decline in third party servers, Sørensen and Bulck (2018) claimed this may reflect the inability to measure exposure of user data as the bidding technology used for selling advertising is no longer taking place on user’s computers, but rather between media servers and advertising servers.

What Sørensen and Bulck (2018) concluded from this was that the GDPR did not necessarily change the issue of users being tracked as public service media firms are deeply integrated in international networks that help with not only the buying and selling of advertising, but with analysing user behaviour to do so and investing in the newest technologies for such practices. The regulation then created what Sørensen and Bulck (2018, p. 23-24) considered as a public service media dilemma where they are dependent on commercial outsider in content production and dissemination and must choose between “maintaining their integrity or participating in the exposure economy increasingly managed by international companies.” Therefore, Sørensen and Bulck (2018) had the impression that the GDPR led to the general tendency of a greater extent of media websites using external web services for delivering content and analysing user behaviour, initiating the formalisation between web partners involved in the production of media pages.

The interest for this research is in Sørensen and Bulck’s, (2018) conceptual insights into the relationship between the legal and the ethical when looking at how the media deal with third party servers and their implications on the industry. The contribution of this research was in questioning whether public service media should use the same tools as commercial media to commodify user’s attention, or as if they should have an ethical obligation, as trusted institutions, to uphold transparency in their operations for legitimate interests and trust (Sørensen & Bulck, 2018).

Further research analyzed the strategic implications of the GDPR as a data governance framework for businesses (Hoofnagle et al., 2019). Hoofnaagle et al. (2019) found that while many companies did not take privacy laws as seriously before the GDPR, their mindsets are quickly changing as strong enforcement mechanisms and penalties have forced executives to take privacy violations seriously. Many companies have invested in the revision of their data practices to ensure they take a professional approach to handling personal data (Hoofnagle et al.,

(21)

2019). This has also created opportunities for privacy officials to advance within companies in order to ensure full GDPR compliance (Hoofnagle et al., 2019). According to Hoofnagle et al., the GDPR is either viewed negatively as a “big data business killer,” or is viewed positively as imposing a “data governance approach, one where companies thoughtfully design business strategy to use data responsively and parsimoniously (Hoofnagle et al., 2019). This current research will help determine what kinds of negative or positive opinions on the GDPR have risen out of the digital advertising industry.

(22)

2 Methodology

The previous literature has examined a range of public values that have been implicated by data collection processes and possible solutions for remedying these concerns. Other scholars also analysed specific areas within the digital advertising industry, such as the platform economy, that have been challenged by the GDPR. The research in this thesis will expand on these past

findings by attempting to question whether the GDPR has effectively addressed concerns over privacy and other public values within the digital advertising industry as a whole. The goal is to not only determine if businesses have become more ethically accountable when dealing with users’ personal data, but to also gain an understanding of how actors within the industry have been affected by the GDPR. Further, this research will seek to understand how tensions between actors from within digital industries and the regulating bodies that work to enforce laws upon these bodies, have both developed and been tackled.

The following research will therefore explore possibilities for systematically resolving these tensions between advertising and data protection, or more generally the protection of democratic citizenship. In order to do so, divergent perspectives on the current state of digital advertising in Europe will be analyzed qualitatively. The method of data collection will take place through the analysis of reports, blogs and conferences from industry professionals, as well as NGOs

advocating privacy reform, academics and regulators. The central focus, however, will be on claims made from digital advertising professionals in order to determine whether the GDPR has effectively intervened in unethical practices and increased the incorporation of public values into business models.

In order to achieve the purpose of this research, a qualitative content analysis was developed. According to Fraenkel and Wallen (2006), content analysis provides a tool for researchers to study human behaviour in an indirect way, through an analysis of their communications. This makes content analysis a valuable form of research as it allows for the study of social events or phenomena without intervening in it (Dixon, 2008). In order to do so, a qualitative approach requires a thorough reading of the selected textual material as well as the interpretation of these texts into new narratives (Krippendorf, 2004). While there are many forms of content analysis,

(23)

this research will specifically focus on critical discourse analysis, which will help identify the presence of key themes in a sample of texts (Krippendorf, 2004).

Research began by determining which actors had stakes in the issue at hand and then was followed by conducting a Google search for blog posts, reports and other materials pertaining to each perspective. The beginning stages of research focused on collecting a list of top advertising agencies in Europe to determine whether they had commented on the GDPR in association with their businesses. In order to expand the perspective to encompass all actors in the digital

advertising industry, further research explored resources on views from web publishers, advertising technology firms, media buyers, as well as advertising networks and platform companies.

The relevant resources were found through Google search inquiries by looking up the actor’s position (advertiser, web publishers, regulator, etc…) alongside main keywords such as “GDPR” or “EU data protection”. Sources were not taken from the past and were only from the most up-to-date search results as this research focuses on a collection of perspectives from the current digital advertising industry based on which results appear now in association with the query. Once the sources were found in Google’s general search engine, the top ten results from each query were selected and analyzed. Not all results are included in this research as only those with claims about the GDPR in relation to the advertising industry were used. Sources for the

qualitative analysis were selected until their content began overlapping and it was found that new resources could not contribute any novel information to this current research.

Each source was analyzed for any occurrence of a particular theme. Each time an actor

commented on the GDPR it was noted to be later examined in order to create categories of the most note-worthy themes that appeared in each perspective. After all the sources were analyzed, a list of themes was found and used to compare each stakeholder’s perspective on the GDPR.

To address the research questions of this thesis, content analysis of both primary and secondary sources was conducted. Primary sources refer to regulatory reports, official policy documents, and law reviews. Secondary sources included blogs, industry conferences, social media pages, all

(24)

of which were written by reputable authors from within the advertising industry. This study examined sources from eight types of actors which are defined as follows:

- Regulators: this perspective was based on official documents and reports published by the EU government. The purpose of analyzing these sources was to determine the overall aim of the GDPR and how regulators perceived this new law would impact businesses and consumers.

- NGOs: In order to illustrate the perspective on the GDPR from non-profit organizations, this research looked at some of the most prominent voices on digital privacy protection from European collectives.

- Academics: sources for this perspective were either from scholarly research publications that had researched a similar topic on the GDPR or from theorists who wrote about the themes that were prevalent throughout the findings.

- Digital Advertising Industry Perspective:

Advertisers: collected from the top advertising companies in Europe, these professionals develop creative content in order to sell their product or service.

Web Publishers: sources from organizations that are responsible for building and uploading websites, updating the associated web pages, and posting content or

advertisements to these online webpages.

Advertising Technology Firms: also known as AdTech, these companies deal with finding connections between an advertiser and their target audience, such as through employing analytic systems.

Media Buyers: findings here focused on actors responsible for the placements and the negotiation of prices for advertisements.

Advertising Networks and Platform Companies: this includes views from those who purchase unsold inventory from publishers and manage this through their technology in order to sell to advertisers. This perspective mainly focused on Facebook and Google’s advertising networks due to their ubiquitous reach throughout the industry.

(25)

Content analysis is often recognized by its codification process that involves placing coded data into key categories (Dixon, 2008). The materials were categorized based on Krippendorf’s (2004) coding scheme that begins with a close reading of selected texts, then the identification of key themes, followed by the combination of overlapping themes. These procedures then help determine which themes should be excluded from the final coding scheme, and finally inferences are made from the most prevalent categories in the texts to claims made regarding the GDPR Krippendorf’s (2004). Therefore, while collecting resources on perspectives within the digital advertising industry, the findings in each source were organized in an excel document based on demographic characteristics along with three coded categories. The demographic information included the individual making a claim on the GDPR, their company and position, as well as the title, date and URL of the article. It was important to collect this information on each author as it ensures that all perspectives are drawn from opinions within relevant professions.

The coded categories were structured under three headings: goals, implications, and solutions. The sub-headings are then included under each category, which will be elaborated on throughout the subsequent findings’ chapters. The structure of these categories as well as their associated sub-headings are outlined below:

1. Challenges: these include the obstacles posed towards a business’s operation that each actor viewed to be associated with the GDPR. This was defined in order to create a collective source of which areas in the industry were thought to be impacted the most and what the main effects of the law were.

a. Technical Challenges

b. Uncertainty over GDPR-Effects c. Business Loss

d. Increase Uneven Power Structures

2. Proposed Solutions: solutions or suggestions to run a successful business in the post-GDPR advertising landscape that illustrated how industry professionals were responding to the new regulations. Whether the actor believed there were positive or negative implications, these solutions demonstrate how the industry changed and adapted to the GDPR.

(26)

b. Internal-Operation Changes c. Alternative Advertising Strategies d. Compliance Framework’s

3. Post-GDPR Goals: Based on the actor’s goal following the GDPR’s implementation, which is used to analyze what the actor sought to get out of the new protection laws. An example of such ‘goals’ were whether the company sought a global standard of

regulation in all countries, to ensure ethical practices within their business, increase revenue through customer relations, or to avoid the fines imposed by GDPR non-compliance.

a. Find New and Lucrative Business Strategies b. Respect for Consumers Democratic Rights c. Minimize Legal Liability

d. Global Data Protection Standard

The purpose of these categories is to use this research to determine how these industry

professionals were responding to the GDPR and developing a new perspective on the importance of citizens democratic rights and expectations of privacy. At the end of this paper, Appendix A includes a table of which actors fell into each category. The explanation of each actor’s

perspectives from within each category will be outlined in the findings below which is divided into chapters based on the four main themes and their sub-categories. By structuring the actor’s views within categories, a collective perspective from the advertising industry on the GDPR was created. Other stakeholders’ views were then incorporated into this ‘industry perspective’ to uncover how corporate actors are developing new strategies and norms that correspond with what regulators, NGOs and academics, are aiming for and expecting from the GDPR. What was made clear in the previous literature, academics agree that digital advertising practices need to be regulated to coincide with the values of a democratic society. In terms of enforcing such

regulation on digital environments, NGOs have advocated for privacy protection reform to keep businesses ethically accountable and the EU government has attempted to make this a reality through the GDPR. This thesis will therefore try to determine whether the advocacy and enforcement of data protection regulations has effectively mobilized digital businesses to promote ethical and transparent practices that focus on protecting consumers and their privacy.

(27)

4. Perspectives from The Digital Advertising Industry

4.2 Challenges Posed by the GDPR

Figure 2: shows the percentage that each challenge was mentioned in association with the GDPR

Technical Challenges

As seen in Figure 2, The most commonly noted implication of the GDPR fell under the category of technical challenges (10 actors; 42%). These challenges often were in reference to businesses finding it difficult to use technology they had previously depended on for data collection or employing new technical mechanisms to ensure GDPR-compliance. By-far the most commonly cited technical challenge was the decrease in programmatic spend and data-driven media buying due to the obstacles set against collecting and targeting data under the GDPR. A director at the World Federation of Advertisers (WFA) claimed that “one of the biggest challenges for

advertisers working with programmatic post-GDPR is having the ability to pick apart the many 42%

29% 17%

12%

Challenges posed by the GDPR

Technical Challenges Uncertainty of GDPR-Effects

(28)

complex layers of data collection taking place within the programmatic ecosystem in order to get a clear view of what data is being collected, how it is being used and whether or not it complies with GDPR.” Another perspective viewed the two main reasons that programmatic spend had dropped was due to publishers lacking the technology to secure consent for targeted advertising, and advertisers being cautious about throwing money into supply chains that were possibly unable to target advertisements safely or legally (DigiDay).

According to the Forbes Agency Council, a collective of agency executives, a large part of these technical challenges is the lack of GDPR-compliant advertising platforms that are currently available on the market. Therefore, programmatic advertising technology providers and

advertising networks are unsure of how to adapt their business to the post-GDPR landscape and are “clinging to phony marketing metrics like cost per click (CPC), click-through rates, cost per thousand (CPM) and more - all of which rely on cookies (Forbes Agency Council).” With the GDPR posing barriers to applying web-based cookies for collecting user data, many advertisers showed large concern for how this would impact their businesses. Large platform companies are also implicated by this GDPR change, as the media agency BoomTown stated that, web

browsers, such as Chrome and Safari, must “offer the option to prevent sites that use third party cookies from storing information on the equipment or URL of the person visiting or from using information already stored about that person.” If companies choose to continue using cookie data, they would now be legally required to tell consumers what cookies are placed on a website and how they are used for behavioural profiling. In order to stay compliant with the GDPR, businesses would either have to abandon the use of cookies altogether or obtain proper consent from their customers (Forbes Agency Council). Furthermore, many that did transition to GDPR-compliant business strategies were concerned over the technical challenges accompanied by a lack of investments in older, traditional forms of advertising that would replace audience-based targeting models (Essence).

Uncertainty over GDPR-Effects

The second highest challenge was uncertainty over the effects of the GDPR (7 actors; 29%) on businesses in digital advertising sectors. Many businesses were actually forced to stop their EU

(29)

practices would be impacted. Confusion over compliance creating barriers for businesses is demonstrated in reports that have risen about the many companies that have been effectively cut out of parts of the ecosystem, either temporarily or permanently. In this regard, Catherine Armitage, the director of digital policy at WFA, stated that “there are reports that a number of companies have been effectively cut out of parts of the ecosystem, either temporarily or

permanently, due to questions around GDPR compliance.” As companies are uncertain of how to comply or if they meet the GDPR standards, some decided it is a safer option to halt all

operations that fall in the EU jurisdiction.

Similarly, a survey published by the Direct Marketing Association (DMA), found that business-to-business marketers were the least prepared for the GDPR and the change they were most concerned about was consent. Unfortunately, businesses uncertainty over the GDPR-effects and concern over potentially losing access to consumer data has intensified the amount of

organizations that are behind schedule for compliance (Trunomi). One example of this is the advertising agency Kargo, which pulled their business out of the EU during the implementation of the GDPR as they were uncertain of how it would impact their revenue. According to Somer Simpson, the lead of product development around GDPR transparency and consent at Quantcast, the GDPR posed significant challenges to publishers, and especially to smaller ones. Simpson explained that many publishers are confused over whether the GDPR applies to their business or not and what they have missed is that “GDPR applies to where your traffic comes from, not where you think your audience is.” Therefore, what many publishers are unaware of is that if they receive any traffic from European users, the GDPR will apply to their business (Quantcast). This uncertainty of not only what the GDPR effects would be, but also how and if it would impact one’s business, was a major concern for many publishers, but also advertising technology firms whose businesses were centered on profiling user’s data.

Moreover, Since the GDPR made the use of cookies much more difficult and ineffective, companies have had to turn spending towards other methods of targeting (Zenith). One of the worries about how the GDPR would impact the industry was whether the new, alternative forms of advertising, would lead to a decrease in the quality of data. While new advertising strategies have been proposed, many media specialists fear that they will not provide high quality data like

(30)

audience-based approaches had (Essence). Samir Shah from the publishing agency Zenith, explained that older media advertising approaches had been “neglected until the concern around GDPR enforcement last year, prompted agencies to reprioritize.” The GDPR has since prompted agencies to focus on these alternative forms of advertising, however because they were on the backburner for so long, there have not been enough investments made into them (Zenith).

Therefore, as these older approaches were neglected, Shah claimed that “the growth of where the technology was implemented had stagnated, [which] creates a scalability issue (Zenith).

To illustrate these claims, the company Vibrant Media found that the anxiety caused by uncertainty over the GDPR is represented in the amount the law is mentioned on companies earning calls (Vibrant Media). In Vibrant Media’s analysis, more than 6000 earnings call transcripts from companies across the globe were reviewed to find that the number of times the GDPR was mentioned during these calls had increased from seven in 2017 to 177 in 2018. Specifically, for platforms, Facebook mentioned GDPR 18 times during its last earnings call, but it did not mention it a single time a year prior (Vibrant Media). This demonstrates the visibly high levels of uncertainty that businesses have felt when approaching the GDPR and the need to clarify how the regulation should be tackled.

Business Loss

The third most documented challenge was the loss of business (4 actors; 17%) which encompassed concerns over reductions in revenue and the disappearance of some business practices altogether. Perhaps one of the leading losses to business was the difficulty in obtaining consent from user’s for data collection. According to Florian Lichtwald, a partner at the media company Zeotap, some users are opposed to the GDPR since they “care more about a smooth browsing experience than differentiated consent.” Another concern raised by Lichtwald was that users are opposed to the regional filters setup by the GDPR that often block access for EU citizens to certain US websites (Zeotap). These filters are based on the GDPR’s requirement of all websites, including those that are non-EU sites, to meet its regulations if they want their business to be available in Europe (Raidió Teilifís Éireann). This is why the media company Raidió Teilifís Éireann noted that not only are many US websites unavailable to EU citizens, but

(31)

decline in advertising within mobile apps.” This has also led to many smaller American-based organizations having a tougher time expanding to Europe, resulting in some withdrawing their business from the EU altogether (Zeotap). Moreover, Kate Holton from the media division of Reuters, it is not only small businesses that are impacted, as “Facebook lost about 1 million European monthly active users after GDPR and it said a desire by some users to avoid targeted ads is likely to lead to a modest revenue hit.”

On the side of industry blogs, PageFair is a Dublin-based start-up that initially began to support publishers by providing them with technology that could measure and workaround adblockers. PageFair provides an interesting perspective as their firm has focused research in the last two years on trying to figure out how the GDPR will fit and work within the current digital

advertising environment. When commenting on the GDPR, Johnny Ryan, the head of ecosystem at PageFair, claimed that consent simply will no longer work for programmatic or direct-sold advertising. In contrast with many other advertising technology companies who have been focusing on obtaining consent from every EU consumer, PageFair’s strategy in their initiative is to focus on zero-tracking approaches. While many advertising technology companies diverted attention towards making their older methods of ad-targeting work under the GDPR, some were concerned that if they do not transition to alternative forms of advertising, they would face substantial economic impacts (PageFair). According to Ryan, where many advertising technology firms are going wrong is through their focus on how “GDPR compliance for ads based on personal data is all about user consent,” even though consent should not be seen as a solution (PageFair). What Ryan believes needs to change is for the advertising technology

industry to shift focus to advertising without collecting any personal data online at all (PageFair).

Increase Uneven Power Structures

Finally, the least cited challenge, but possibly most noteworthy, was the GDPR leading to an increase in uneven power structures (3 actors; 12%) with which the advertising industry is built on. Many companies, mostly smaller businesses, were uneasy over the fact that large platforms, such as Facebook and Google, were likely to benefit the most from the GDPR (Kargo). Harry Kargman, CEO of the advertising firm Kargo, claimed that large companies like Facebook and

(32)

Google “have deep pockets so can ensure they are compliant, throwing engineers and lawyers at the problem and reassuring brands at a time of uncertainty.” The international reach of these two companies was also seen to increase the likelihood of them receiving user consent as they both sit atop of a large and loyal customer base (Reuters). Similarly, due to their dedicated customers, “the two companies are likely to receive a high ratio of user consent given their loyal customer base while both own high-quality data because users post likes, dislikes and location, or search for areas of interest” (Reuters). On the other hand, due to the fact that some smaller businesses were unequipped for compliance with the GDPR, they tended to be cut out of the EU advertising ecosystem altogether. While platforms with deep pockets have made an easier transition into the post-GDPR advertising industry, this creates some evidence that the new law did not combat monopolistic structures as regulators had originally hoped it would.

Although advertisers and publishers have taken control of their data back from third-party vendors, this has also pushed some to rely on large advertising networks, mainly Google. This was referred to this as the ‘Google Effect’ – where some advertisers have no choice but to buy Google’s measurement systems and use its tracking data to understand their audiences

(DigiDay). One media buyer noted that alongside the decrease in programmatic spend, “Google’s share of money going into supply-side and demand-side platforms has grown”

(DigiDay). Google’s marketers and partners will now have to rely on more of its services if they wish to advertise on the platform. Since the GDPR, Google stopped providing easy access to information that allowed companies to evaluate the success of their advertising campaigns through user clicks and impression statistics (Reuters). What has changed is that advertisers now have to use ‘Google’s Ads Data Hub’ application to measure the effectiveness of campaigns. The downside here is that uneven power structures are increased as advertisers have to rely on

Google-controlled systems in order to uphold effective business practices under the GDPR, which hands greater control over to technology empires. The digital industry must therefore remain cautious over the walled-gardens built by companies like Google or Facebook, that lock-in valuable media and data lock-inventories and construct creative systems that work exclusively on their own platforms (MediaCom).

(33)

4.3 Proposed Solutions

Figure 3: shows the percentage that each proposed solution for combating challenges posed by the GDPR were mentioned

Software

As the challenges were outlined above, it is clear that businesses are searching for ways to bring their practices up to full GDPR-compliance. Therefore, the solutions proposed by advertising industry professionals to combat the aforementioned challenges will be explored below. Figure 3 demonstrates how software solutions (11 actors; 34%) were the second most cited way to combat the GDPR’s effects on advertising business. These included both systems to enable compliance as well as programs that could open doors to completely new ways of advertising. The main goal of these software solutions was to create innovative approaches that focus on consumers and increase transparency, while making strategies that are more secure, transparent and profitable for advertisers (Forbes Agency Council).

34%

9% 41%

16%

Proposed Solutions

Software Solutions Internal-Operation Changes

The Post-GDPR Digital Advertising Industry

Faculty of Humanities