GDPR enforcement began on May 25, 2018. The first week has produced a picture that is messier and more chaotic than even the pessimists predicted — and more contained than the catastrophists feared. The damage is real, concentrated in specific areas of the programmatic stack, and in some cases revealing operational problems that were present long before GDPR arrived.

The headline facts are coming into focus. Major US publishers — the New York Times, USA Today — chose to serve non-targeted advertising to EU users on day one rather than navigate the consent management complexity. The IAB Europe’s consent management framework, which was supposed to provide technical infrastructure for propagating consent signals through the programmatic supply chain, hit enforcement day in a state of incomplete implementation. DSPs saw double-digit drops in available EU inventory in the first 48 hours. And the consent management platform market produced a proliferation of different implementations, many of questionable legal adequacy, that created confusion rather than clarity in the consent signal.

Six days in, this is the ground truth of GDPR’s first week in programmatic.

Which Vendors Went Dark in EU Markets

The most dramatic immediate impacts came from data providers and DMPs who chose to stop processing EU audience data on May 25 rather than continue under uncertain legal basis. Several significant third-party data providers announced that they were suspending or restricting EU data processing pending legal review of their consent mechanisms. Buyers who had been relying on third-party behavioral segments for EU targeting found those segments suddenly unavailable.

Some DSPs and exchanges implemented geo-level restrictions on EU inventory, either as a precaution or in response to uncertainty about their consent infrastructure. Buyers saw available EU impression volumes drop significantly in campaign dashboards. One major programmatic buyer reported a 50 to 60 percent drop in available EU inventory in the first 48 hours across their programmatic buys, with recovery beginning as exchanges clarified their consent approaches.

The New York Times decision to serve contextual-only advertising to EU readers — stripping audience targeting data from EU ad calls — produced an immediate inventory quality effect: without behavioral targeting data in EU bid requests, DSPs had less signal for bid price optimization. Effective CPMs for EU inventory on publishers making this choice fell as a result, as buyers bid lower without audience data to justify premium pricing.

Several smaller adtech vendors announced business continuity communications acknowledging that full GDPR compliance was a work in progress, a classification that will not survive regulatory scrutiny but reflects the practical reality that the compliance work was not completed before enforcement began.

The IAB Europe’s Transparency and Consent Framework (TCF) was meant to solve the hard technical problem of GDPR compliance in programmatic: how do you propagate a user’s consent signal, collected by a publisher’s CMP, through the entire downstream programmatic supply chain — SSP, exchange, DSP, data provider — so that each party knows what processing is permitted for a specific user on a specific impression?

The TCF v1.0, the version that entered enforcement week, is a legitimate attempt to solve this problem and represents meaningful technical work. What became apparent on May 25 is that the framework’s implementation was incomplete. Exchange adoption of the framework was uneven. DSPs had varying levels of TCF signal parsing capability. Many CMPs — the user-facing consent dialogs that publishers deploy — had been built to the framework spec but with implementation details that ranged from adequate to clearly non-compliant.

The IAB Europe’s TCF documentation is publicly available and describes both the technical architecture and the governance framework. The gap between the specification and the enforcement-week reality reflects the challenge of coordinating adoption across hundreds of supply chain participants in a compressed timeframe.

The user-facing consent dialogs deployed by publishers using CMPs ranged from genuine informed consent presentations to dark patterns designed to maximize opt-in rates at the expense of meaningful choice. A popup that presents “Accept All” in a large prominent button alongside a hard-to-find “Manage Settings” link is not clearly GDPR-compliant under the regulation’s standard of “freely given, specific, informed and unambiguous” consent. Data protection authorities are taking note of these patterns.

For buyers, the CMP chaos has a practical dimension: consent signals arriving in bid requests reflect not just user preferences but the quality of the consent collection mechanism. A consent signal collected through a dark-pattern CMP is legally unreliable and, if a publisher faces regulatory action over its CMP practices, the buyer may have exposure for acting on that consent signal.

What DSPs Saw in Their EU Inventory Data

The dashboard picture for buyers running EU-targeted programmatic campaigns in the first week has been consistently grim, though the severity varies by channel and inventory type.

Open exchange display inventory in the EU saw significant volume drops as publishers implementing consent management struggled with the operational transition and as data providers restricted data processing. Buyers running EU open exchange campaigns saw impression volumes fall 30 to 70 percent depending on campaign configuration, targeting parameters, and which exchanges and publishers the campaign was drawing from.

Audience targeting dropped more sharply than contextual targeting. EU inventory that was available without audience data overlays remained relatively accessible — the supply problem is concentrated in the audience segment targeting that depends on consent-covered data processing. Buyers who had configured EU campaigns to run contextual-only saw less dramatic inventory drops than those relying on behavioral audience segments.

Private marketplace deals with publishers who had implemented consent management were more stable than open exchange buying, as the direct publisher relationship meant buyers could get clearer information about the publisher’s consent approach and data processing status.

The Trade Desk has published programmatic market data reflecting what buyers are seeing across their platform, and similar transparency from other major DSPs would help the industry calibrate the scope of the GDPR impact more accurately.

IAB TCF Reality vs Expectations

The TCF’s first enforcement week revealed several gaps between design and reality. The consent string format — a binary encoding of the user’s consent signals for specific purposes and vendors — was in theory a standardized mechanism that all supply chain participants could parse. In practice, DSPs had varying maturity levels in their TCF parsing capability, exchanges had incomplete vendor lists registered in the TCF’s Global Vendor List, and the consent string handling in bid requests was inconsistent across publishers and SSPs.

Publishers faced an immediate operational tension: deploy a consent management platform quickly to have some consent mechanism in place, or delay deployment until a legally robust and well-implemented CMP was ready. Many chose speed over quality, resulting in the proliferation of questionable CMP implementations noted above.

The IAB Europe’s Global Vendor List — the registry of adtech vendors who have registered to participate in the TCF consent framework — had significant gaps in the first week, as many vendors had not completed their registration process. A DSP receiving a TCF consent string that doesn’t include a vendor it needs to process data for faces a compliance decision in real time: suppress the bid, proceed without clear consent, or apply a different lawful basis.

The realities of first-week enforcement are producing rapid TCF iteration. TCF v2.0 is already in development, with significant changes to the consent architecture, vendor accountability, and user-facing consent requirements. The first week of GDPR has functioned as a stress test that is surfacing every implementation gap in the framework.

What Buyers Should Do Now

For buyers running EU campaigns, several immediate actions are warranted based on the first week’s data.

Review your EU campaign performance data from May 25 onward and understand what changed. If you saw significant drops in impression volume or audience targeting performance, understand which publishers, exchanges, or data providers drove those drops. This inventory analysis will inform which supply relationships you need to clarify GDPR compliance status with.

Evaluate your CMP vendor if you’re a publisher using third-party consent management. The range of CMP quality in the market is wide, and deploying a non-compliant CMP creates legal exposure that doesn’t disappear once you have a consent mechanism in place. Independent legal review of your consent collection approach is prudent.

Build EU campaign configurations that can operate in a consent-limited environment. Contextual targeting strategies, PMP deals with publishers who have robust consent infrastructure, and whitelist buying approaches will be more reliable than open exchange audience targeting as the TCF implementation settles.

GDPR compliance is not a one-time project completed on May 25. It is an ongoing operational requirement. The enforcement actions from data protection authorities — which will begin to materialize in the second half of 2018 — will shape the compliance interpretation landscape significantly.

Frequently Asked Questions

Why did some US publishers choose to serve non-targeted ads to EU users on May 25? Publishers like the New York Times and USA Today made a risk management decision: rather than implement consent management infrastructure they weren’t confident was fully GDPR-compliant, they chose to strip audience targeting data from EU ad calls on enforcement day. This meant EU inventory was sold without behavioral targeting capability, which reduced CPMs, but avoided the risk of continuing data processing under uncertain legal basis.

What is the IAB TCF and how does it work in a programmatic bid request? The IAB Europe Transparency and Consent Framework (TCF) provides a technical standard for encoding user consent signals in programmatic bid requests. A publisher’s CMP collects user consent, encodes it in a standardized binary consent string, and passes that string in ad calls. SSPs and DSPs read the consent string to determine what data processing a specific user has consented to for each adtech vendor in the chain. The framework requires both publisher-side CMP implementation and DSP-side consent string parsing.

What is the difference between “consent” and “legitimate interests” as lawful bases under GDPR? Consent requires an affirmative, specific, informed, and freely revocable agreement from the user for each specific processing purpose. Legitimate interests allows data processing without consent when the controller’s interests are balanced against the data subject’s rights and the processing is not overridden by the data subject’s expectations. For programmatic advertising, the lawful basis question is contested — most DPAs have not confirmed that legitimate interests adequately covers behavioral profiling for advertising without user consent.

How long does it take for GDPR enforcement actions to materialize? Data protection authorities investigate complaints and can initiate investigations on their own initiative. Enforcement actions — formal investigations leading to potential fines — typically take months to years to resolve through the regulatory process. The first major GDPR enforcement actions against adtech companies are not expected to conclude in 2018, but the investigation pipeline is beginning to develop. The French CNIL and the UK ICO have both signaled interest in adtech consent practices.