
The Next Phase of Marketing Under the Specter of GDPR

By Greg Sobiech  9.7.18

Shortly prior to and after May 25, 2018, the day the new EU regulation came into effect, GDPR was one of the most-searched topics on the internet. And for good reason—businesses in the U.S. and the EU alike felt the regulators simply hadn’t provided enough clarity around how GDPR compliance should be enacted or enforced.

Living with GDPR so far feels strikingly similar to how living in a pre-GDPR world felt. Digital media’s great walled gardens remain firmly walled-up. The EU regulators have made a show out of coming after the highest-profile digital companies possible, Google and Facebook, which were both sued for non-compliance on the first day the regulation went into effect. But the actual penalties in this case seem designed to be about as lenient as possible. It appears that this case is less about punishing the Duopoly and more about warning everyone else in digital.


That’s why you’d be hard pressed to find industry insiders who believe we’re through the woods. The next GDPR milestone—the one-year anniversary of the regulation—will likely bring additional soul-searching for businesses wondering what it really means to live with GDPR. By then, the Duopoly may have tangled with regulators again. But the way business is done in digital is changing, and with what appears to be an international shift in the zeitgeist, business has to change.


Before and after

Without clear direction from the EU regulators, it was challenging to figure out how to prepare for GDPR. Instead, we’ve seen a lot of deflection. The practices of blocking content from EU users, or of shutting down ad campaigns in the EU, are not sustainable solutions. Don’t think we’ve dodged a bullet. GDPR is part of our future as an industry, not a one-time event.


It’s especially important to think about long-term solutions when we consider how several U.S. states and the federal government have been considering similar regulations. Our business on the Internet is global. It doesn’t make sense for companies to comply with two different sets of privacy regulations: one in the EU and one everywhere else. Like it or not, it’s more efficient to follow the more stringent policy by default. As such, it’s reasonable to expect that the U.S. will follow the EU’s lead.


One major challenge is that adopting across-the-board standards in digital is a slippery proposition, as long as money can be made without complying with those standards. We’ve heard much discussion about how someone needs to “take the lead,” whether it be one of the major platforms or a consortium of influential businesses. Google and Facebook at least tried to take a lead—but we see how that’s played out. Providing a box for users to check for wide access to Google’s services was not sufficient.


Now every company that hoped a single “check-the-box” solution would do the trick needs to take heed. The next round of enforcement could be much wider and more severe.


As we approach six months in, we as an industry need to get away from hoping we can comply by enacting surface-level solutions. The quick fixes were too facile for an issue as complex as what happens to user data online. Some companies have attempted to brief their users on how data drives advertising that monetizes the content they come to the web for. Clearly, the public needs to be better educated on the Internet’s business model—but it’s hard to summarize that model quickly, without standing in the way of that valued content. And checking a box on the landing page is not enough, considering a digital company might provide several different services or experiences that collect and process data in different ways. The EU regulators are signaling that companies need to obtain user consent for specific actions.


Those “check-the-box” type solutions essentially show that companies are trying to dictate user behavior, or at least direct user behavior in the future to whatever is more amenable to the company’s bottom line. And that’s not fair to users.


Instead, companies need to look closely at user habits and expectations. The next phase of living with GDPR will involve specific consent for specific actions. Yes, it's more time-consuming than blanket consent. But it’s also what the regulators want—and laying down the groundwork now will help the industry build for a future where something like GDPR becomes universal.


Building for this kind of future is critical in providing the best experience for users. Data around users’ interests and behaviors can and does improve the relevance and timeliness of the content and ads they’re shown. We need users’ participation—their willingness to share data—in a post-GDPR world.


It’s up to brands and publishers to communicate to their audiences that they’re active participants in digital media, not just passive consumers. In the next phase of GDPR, we’re all in this together.


About the Author

Greg Sobiech is founder and managing partner of Delve. He launched the company more than nine years ago to help clients make sense of their data to execute efficient media buying. With nearly two decades of experience in digital marketing, he understands how to deliver high ROI for his clients through programmatic media buying with a unique analytics approach.


Prior to founding Delve, Greg held senior marketing positions at Digitas, Bath & Body Works, Community Connect, and ooVoo.