The General Data Protection Regulation was formally adopted by the European Parliament in April 2016 and will become enforceable on May 25, 2018. That is 20 months away. For an industry whose business model is built on collecting, processing, and leveraging personal data at massive scale, 20 months is not a comfortable runway — it is the minimum time necessary to rebuild consent infrastructure, audit data partnerships, and restructure audience practices that were never designed with meaningful user consent in mind.

The industry’s instinct will be to wait. Compliance projects are expensive and disruptive. Legal interpretations are still being debated. The enforcement mechanisms are untested. There will be pressure from every direction to monitor the situation, collect guidance documents, and do the real work in Q1 2018. This is the wrong approach. The organizations that will manage the GDPR transition with least damage are the ones that begin structural work now, not the ones that scramble in the 90 days before enforcement.

What does structural work actually mean for the adtech industry? It means confronting the gap between how the programmatic ecosystem actually processes data and what GDPR’s consent and lawful processing requirements will require.

What GDPR Actually Requires for Programmatic Data Processing

GDPR is not simply a stricter version of existing data protection law. It reframes the legal basis for personal data processing. Under GDPR, processing of personal data requires one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. For the programmatic advertising ecosystem — behavioral tracking, audience segment construction, retargeting, lookalike modeling — the relevant lawful bases are consent and legitimate interests.

Consent under GDPR requires that it be freely given, specific, informed, and unambiguous. “By continuing to browse this site you accept our use of cookies” is not valid GDPR consent. Consent must be an affirmative action, not an inferred acceptance of buried terms. The user must understand what they are consenting to — which data, for which purposes, by which parties. Consent must be as easy to withdraw as to give.

For the typical programmatic data flow — a publisher sets cookies, an exchange reads them, a DSP matches them against an audience segment built from third-party data, a DMP extends the profile across touchpoints — the consent question is not simple. Whose consent obligation is it? The publisher’s? The exchange’s? The DMP’s? The answer GDPR implies is: all of them, and each in relation to their specific processing activity.

The full GDPR text is the authoritative source. Article 7 covers conditions for consent. Articles 13 and 14 cover information to be provided to data subjects. Recital 47 addresses legitimate interests, including the specific context of direct marketing. The regulation runs to 261 pages including recitals — anyone claiming to understand GDPR from a two-page trade press summary is understating the complexity.

Data management platforms are where the consent problem becomes most acute in the programmatic stack. A DMP’s value proposition is building rich audience profiles by combining publisher first-party data, third-party behavioral data, offline CRM data, and cross-channel identity signals. Each of those data sources carries its own consent question under GDPR.

First-party data onboarding — loading CRM data from a client’s customer database into the DMP — requires that the customers whose data is being onboarded understood, at the time they provided their data, that it would be used for targeted advertising. Most B2C data collection — email sign-ups, loyalty programs, purchase records — was not collected under consent language that explicitly covers programmatic targeting use. This is a retroactive consent problem with no easy solution.

Third-party behavioral data is even more exposed. The data brokerage industry’s consent practices have been opaque at best. Many of the behavioral segments available through DMP data marketplaces were assembled under consent language that a GDPR interpretation of “specific, informed” would likely not accept. The working assumption should be that third-party behavioral data for EU audiences will require comprehensive re-consent under GDPR-compliant frameworks, or will not be usable for programmatic targeting of EU users after May 2018.

Lookalike modeling — taking a seed audience of known customers and modeling out to a broader population of similar users — raises a related question. The EU users in the expansion audience have not consented to being identified as similar to a brand’s customers. The modeling uses data that may have been collected with inadequate consent. This is a practice that needs legal review against GDPR standards before continuing to run on EU audiences.

Legitimate Interests: What It May and May Not Cover

GDPR’s legitimate interests lawful basis is the mechanism that some in the adtech industry are positioning as an alternative to consent for programmatic data processing. The argument runs: advertising enables free content; users broadly understand this; therefore targeted advertising can be justified as a legitimate interest without requiring per-user consent.

This argument is likely to fail scrutiny, and organizations building their GDPR strategy around a broad legitimate interests claim for programmatic advertising are taking significant risk. GDPR’s legitimate interests basis requires a balancing test: the interests of the data controller must be balanced against the rights and interests of the data subject, with particular attention to whether the data subject would reasonably expect their data to be used in this way.

The GDPR text and early regulatory guidance from European data protection authorities suggest that behavioral profiling for advertising purposes, particularly where users have no visibility into the extent of data processing or the number of parties involved, is unlikely to pass the legitimate interests balancing test. This is not a settled legal question — the regulation is new and enforcement case law doesn’t yet exist. But organizations that have received legal advice suggesting a broad legitimate interests claim for programmatic behavioral targeting should seek a second opinion.

The UK Information Commissioner’s Office has published practical guidance on legitimate interests, though note that the ICO’s position may evolve as enforcement guidance develops over the next 18 months.

Practical Preparation Steps That Can Start Now

There are concrete actions adtech organizations can take today, well in advance of 2018, that will reduce GDPR compliance risk and cost.

Data inventory and mapping is the necessary foundation for everything else. Organizations processing EU user data need to understand what personal data they hold, where it came from, how it flows through their systems and to which third-party partners, and what processing activities it enables. This inventory does not require legal analysis — it requires operational discovery that can begin immediately.

Consent management infrastructure is a long build. The user-facing consent mechanisms, backend consent storage, consent propagation through the adtech stack, and consent withdrawal processing all require design, development, and integration work. Consent management platforms are beginning to emerge as a vendor category, but enterprise implementation takes time. Starting the procurement and build process in Q4 2016 is vastly preferable to starting it in Q4 2017.

Legal basis assessment for each data processing activity — documenting the lawful basis being relied on, the analysis supporting that choice, and the evidence of compliance — is work that requires legal resources. But it can proceed in parallel with technical work, and having it done allows organizations to make informed decisions about which practices can continue, which require structural modification, and which need to stop.

Data partnership audits are uncomfortable but necessary. Every data vendor, data exchange, and DMP partner in your stack needs to be evaluated for GDPR compliance posture. A data partnership built on inadequate consent becomes your compliance problem when GDPR is live. The data due diligence conversations need to start now, not 60 days before enforcement.

The two-year clock is an opportunity. Organizations that treat it as such will have GDPR-compliant infrastructure before enforcement begins. Organizations that treat it as a delay will have an uncomfortable spring in 2018.

Frequently Asked Questions

Does GDPR apply to US companies? Yes, if those US companies process personal data of individuals in the European Union, regardless of where the company is located. The territorial scope of GDPR (Article 3) applies to any controller or processor that offers goods or services to EU data subjects or monitors their behavior. For adtech companies running programmatic campaigns targeting EU audiences, GDPR applies.

What is the maximum fine under GDPR? GDPR provides for two tiers of fines. The higher tier — for violations of the most fundamental provisions, including lawful basis for processing and data subject rights — can reach €20 million or 4 percent of global annual turnover, whichever is higher. These are maximum figures; enforcement authorities have discretion in determining fine amounts based on severity and circumstances. The enforcement record will take years to develop, but the potential exposure for large adtech companies is substantial.

What is a consent management platform and does adtech need one? A consent management platform (CMP) is a system that presents users with consent choices, stores consent records, and communicates consent status to downstream systems. For programmatic advertising, a CMP needs to propagate consent signals through the publisher stack to exchanges and DSPs so that EU users’ targeting preferences are respected throughout the supply chain. The IAB Europe is working on a technical framework for consent propagation in the programmatic ecosystem; watch for that to develop over the next 18 months.
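The CMP described in this answer, together with the consent infrastructure listed under the practical preparation steps (user-facing capture, backend storage, propagation to downstream parties, withdrawal), can be made concrete with a small record store. The following Python sketch is an added example, not code from this article, from any CMP vendor, or from the IAB Europe framework; the purpose names, the party identifiers, the "latest record wins" rule and the `may_target` gate are assumptions chosen for illustration. It encodes the consent conditions from the section above: consent is rejected unless it comes from an affirmative action and names specific purposes and parties, withdrawal is a single call with no extra conditions, and the signal sent downstream only ever contains what is currently consented.

```python
"""Minimal consent record store for a programmatic stack (illustrative sketch).

Added example: the purpose names, party identifiers and the "latest record wins"
rule are assumptions, not a description of any real CMP or of the IAB framework.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Purpose(Enum):
    """Processing purposes a user consents to separately (assumed names)."""
    ANALYTICS = "analytics"
    PERSONALISED_ADS = "personalised_ads"
    AUDIENCE_MODELLING = "audience_modelling"


@dataclass(frozen=True)
class ConsentRecord:
    """One immutable entry in the append-only consent log."""
    user_id: str
    purpose: Purpose
    party: str            # controller or vendor the consent names
    granted: bool         # False records a withdrawal
    recorded_at: datetime
    source: str           # e.g. "banner_click", "settings_page"


class ConsentError(ValueError):
    """Raised when a consent capture does not meet the minimum conditions."""


class ConsentStore:
    """Stores consent per (user, purpose, party); the latest record wins."""

    def __init__(self) -> None:
        self._log: List[ConsentRecord] = []

    def grant(self, user_id: str, purposes: Iterable[Purpose], parties: Iterable[str],
              affirmative: bool, source: str) -> int:
        """Record consent given by an explicit user action for named purposes and parties.

        Returns the number of records written. Implied consent (continued browsing)
        is rejected, as is consent that names no specific purpose or party.
        """
        purposes, parties = list(purposes), list(parties)
        if not affirmative:
            raise ConsentError("implied consent (e.g. continued browsing) is not valid")
        if not purposes or not parties:
            raise ConsentError("consent must name specific purposes and parties")
        now = datetime.now(timezone.utc)
        written = 0
        for purpose in purposes:
            for party in parties:
                self._log.append(ConsentRecord(user_id, purpose, party, True, now, source))
                written += 1
        return written

    def withdraw(self, user_id: str, purposes: Optional[Iterable[Purpose]] = None,
                 parties: Optional[Iterable[str]] = None, source: str = "withdrawal") -> int:
        """Withdraw consent with one call; omitted arguments mean everything currently granted."""
        wanted_purposes = set(purposes) if purposes is not None else set(Purpose)
        known_parties = {r.party for r in self._log if r.user_id == user_id}
        wanted_parties = set(parties) if parties is not None else known_parties
        now = datetime.now(timezone.utc)
        written = 0
        for purpose in wanted_purposes:
            for party in wanted_parties:
                if self.status(user_id, purpose, party):
                    self._log.append(ConsentRecord(user_id, purpose, party, False, now, source))
                    written += 1
        return written

    def status(self, user_id: str, purpose: Purpose, party: str) -> bool:
        """True only if the most recent record for this (user, purpose, party) is a grant."""
        latest: Optional[ConsentRecord] = None
        for rec in self._log:
            if rec.user_id == user_id and rec.purpose == purpose and rec.party == party:
                latest = rec
        return latest is not None and latest.granted

    def downstream_signal(self, user_id: str, parties: Iterable[str]) -> Dict[str, List[str]]:
        """Per-party list of consented purposes, i.e. what is propagated to exchanges and DSPs."""
        return {party: sorted(p.value for p in Purpose if self.status(user_id, p, party))
                for party in parties}

    def history(self, user_id: str) -> List[ConsentRecord]:
        """Audit trail: every grant and withdrawal for the user, in order."""
        return [r for r in self._log if r.user_id == user_id]


def may_target(store: ConsentStore, user_id: str, party: str) -> bool:
    """Gate a downstream targeting decision on a current personalised-ads consent."""
    return store.status(user_id, Purpose.PERSONALISED_ADS, party)


if __name__ == "__main__":
    # Constructed walkthrough: a banner click grants two purposes to two parties,
    # then the user withdraws personalised ads; only analytics is propagated after that.
    s = ConsentStore()
    s.grant("user-1", [Purpose.PERSONALISED_ADS, Purpose.ANALYTICS],
            ["publisher.example", "dsp.example"], affirmative=True, source="banner_click")
    print(s.downstream_signal("user-1", ["publisher.example", "dsp.example", "dmp.example"]))
    s.withdraw("user-1", purposes=[Purpose.PERSONALISED_ADS])
    print(may_target(s, "user-1", "dsp.example"))
```

Two design choices carry the compliance point: the log is append-only, so the evidence of what was granted and withdrawn, when and via which interface survives for audit, and a party that was never named in the consent (the `dmp.example` entry above) receives an empty signal rather than inheriting the publisher's consent. In a real stack the propagation step would serialise `downstream_signal` into whatever format the exchange and DSP integrations accept, which is exactly the piece the IAB Europe work mentioned above is meant to standardise.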

What is the difference between GDPR and the existing EU Data Protection Directive? The current EU Data Protection Directive (95/46/EC) has been implemented differently across EU member states, creating fragmented and inconsistently enforced data protection law. GDPR replaces it with a single regulation directly applicable in all member states, significantly strengthening rights (including the right to erasure and data portability), expanding territorial scope, introducing mandatory breach notification, and imposing substantially larger penalties. The practical effect is a much more robust and consistently enforced regime.