News from the open internet

Data Privacy

British advertising leaders on 5 lessons from 5 years of GDPR

A opened lock with the European Union stars sits upon crushed cookies as a crowd looks on.

Illustration by Holly Warfield / Getty / The Current

Europe’s General Data Protection Regulation (GDPR) turned five at the end of May. “Large, far-reaching, and fairly light on specifics,” GDPR was created to protect European consumers and define how companies could handle their data in the modern internet age.

The landmark legislation has been behind some of the global advertising industry’s most onerous fines to date for privacy violations. Meta was hit with a record 1.2 billion euro fine just days before GDPR’s fifth birthday.

British advertising leaders who witnessed their industry’s evolution after five years of GDPR paint a picture of cascading changes brought on by the need to rethink how to acquire customer data. Challenges still abound, they say, none less important than the potential disruption brought on by the rise of generative AI, which people are pouring untold amounts of personal information into.

“It’s in part due to GDPR that people are now so keenly aware of being tracked and the data trails they leave behind them,” says Steve Taylor, joint chief strategy officer at VCCP Media, an advertising agency. “Nevertheless, it can be credited with a role in driving marketing innovation.”

GDPR’s restrictions on data also brought on a realization for some that more data doesn’t necessarily equal better — or more effective — advertising.

“People just like to see good ads. The entertainment that sparks something in their imagination or their emotions,” says Paul Thompson, U.K. and Netherlands country manager at Seedtag, an ad tech firm. “We became stressed with having all of this data and knowing where you lived and what you did and how often you did something else. … I think a lot of that is actually irrelevant.”

A chance to rebuild fractured customer relationships

The golden opportunity of GDPR was reestablishing relationships with customers, says Chris Shadrick, chief strategy and growth officer at Collective World, an advertising agency. “Building and fostering those relationships that may have fallen away because brands were talking to a broad database.”

While first-party data has emerged as somewhat of a savior for the industry — connecting brands to consumers while providing marketers with the utility of soon-to-be-obsolete cookies — Shadrick points to direct-to-consumer (D2C) brands as an example of how to do more when it comes to leaning into the new world of consented data.

“Every brand, in Europe anyway, has a GDPR and data policy … nobody reads it,” he says, adding that brands should “actively promote what they’re doing to be ethical with the use of [people’s] data.” This means explaining the value exchange clearly, but also making it easy to understand. “It goes a really long way,” he adds.

But Taylor implies that not everyone is impressed with the way advertisers have tried to work around the guardrails imposed by GDPR. “All sorts of new ways to identify and target people have been summoned into being, from what we can only imagine were heavily fevered dreams,” says VCCP Media’s Taylor.

“Google has led the charge with what you might call aggregated anonymized behavior-based targeting,” continues Taylor, referring to Topics and FLoCs (Federated Learning of Cohorts). “The problem with the Google solutions for the ad tech industry seems to be, well, Google.” He adds, however, that attempting to divide people’s interests from aggregated patterns — with the help of AI — “is at least in tune with the direction of travel for a privacy-respectful ad tech world.”

Data acquisition strategies need to evolve

Diversifying the kinds of data used in marketing isn’t the only thing brands are — or should be — working on because of GDPR, some industry leaders say. The way that data is collected is undergoing a transformation too.

“The problem is if you don’t have a data acquisition strategy, because first-party data is the best kind of data,” says Collective World’s Shadrick. “It’s a lot better than third party, because you can be more personalized and once you have someone’s email address, you can control the relationship across all channels.”

Seedtag’s Thompson adds that GDPR was part of a shift away from using data as a safety net for marketing effectiveness, and from the lack of interoperability in walled gardens’ data, which likely contributed to marketers’ hopeless pursuit of “perfect data sets.”

The recent ruling against Meta is also a reminder for advertisers that companies should be mindful of where their users’ data gets sent to or accessed.

“The nuance is that any company that operates in Europe should ring-fence the data in Europe. I don’t think many organizations have fully understood that yet because this is still seen as a Big Tech problem,” says Femi Taiwo, head of consultancy at ad agency Europe at Assembly. “Once the legal disputes are over for the large enterprises, it will surely fall to the large brands and publishers to also become compliant.”

Creativity is back in the mix

One of the potentially unintended effects of GDPR has been the resurgence of creativity as a central consideration for marketers. Devising enticing new ways to obtain consented data can be the catalyst of an innovative advertising campaign, says Collective World’s Shadrick.

“The assumption is that GDPR means that creativity is limited. And that’s not really the case. What you have to do is find more interesting ways to obtain that data,” he adds. “It amazes me why so many brands still don’t do that and just give me 10 percent off on my first purchase to get my email address.”

To aid marketers in achieving creativity at scale in a post-GDPR privacy-conscious internet, especially in an inflationary environment where media costs are increasing and marketing budgets are feeling the pressure, Seedtag’s Thompson points to generative AI.

Advertising conglomerate WPP’s recent linkup with chipmaker Nvidia shows just this: WPP is effectively outsourcing a lot of the creative work to AI, which will likely dramatically increase the personalization factor for ads.

“Before, I would target you with one ad, because I have lots of data on you. Now I don’t have any data on you, but I’m just going to target you with lots of really cool ads, until I figure out which one you like,” says Thompson.

Regulation is always changing to accommodate for technology

The rise of generative AI doesn’t just look set to disrupt advertising processes. It could also negatively interact with the requirements for GDPR, says Steve Richards, head of data strategy and consulting at Wunderman Thompson, an advertising agency. “If data and consent are not properly managed and AI could pick up this data, train, and learn from it, user data could be used and propagated around the world very quickly with no proper controls.”

GDPR is only a five-year-old piece of legislation, and it took 27 countries years of discussion to arrive at the common framework. But the pace at which it could become obsolete, or at least necessitate an amendment because of powerful new technologies, underscores the realities of working in an industry that thrives on technological progress.

“You don’t stifle innovation at the very beginning. You try to let it grow to the point where a government may need to step in and agree [on] a framework for how it works,” says Seedtag’s Thompson.

But as regulators grapple with how to regulate AI, Collective World’s Shadrick says people will have to start policing themselves on the data they put into tools like ChatGPT.

The stakes are high.

“In the next two years, it’s either going to go well, in terms of more people adopting [GDPR] around the world because they feel like they need something, or it’s going to have the opposite effect, that it’s not possible to regulate anymore, so we’ll have to self-regulate” Shadrick says.

Embracing change is the way forward

Whether GDPR stifles or encourages AI innovation remains to be seen, but its track record in ushering in a better advertising experience for consumers bodes well for the industry.

Indeed, a range of micro and macro innovations have been driven by GDPR regulations, says Wunderman Thompson’s Richards. For example, “where 2015 was all about attribution modeling, nowadays performance teams are spending their time building geo-based experiments and synthetic controls,” he says. He points to clean rooms as an example of macro innovation.

For marketers wading through today’s uncertain landscape, there might be only one way forward, based on lessons learned from five years of living and working with the landmark legislation.

“Embrace it,” says Pedro Mona, global director of martech and data at Assembly. “Understanding users’ motivation and matching it within the context of ad placements — followed by modeling the factors that might trigger demand, partnerships with platforms and publishers — present us with ways to be more targeted and efficient with our advertising and comply with legislation. There are great opportunities out there.”