Complying with the new EU data protection directive requires a top-to-bottom redo of the adtech industry

Back in 2016, the EU passed the General Data Protection Regulation, a far-reaching set of rules to protect the personal information and privacy of Europeans that takes effect this coming May.

The world's governments have spent decades failing to come to grips with the rise of ad-tech and online tracking, leading to the largest consumer revolt in human history (ad blocking!). Earlier EU attempts to deal with privacy have been farces sabotaged by industry, like that time they invented an imaginary category of "anonymized data" that could be handled as though it wasn't sensitive, or the absurd "cookie law" that said you could only track people if they clicked "I agree" on a banner that no one agreed with.

Under the new directive, every time a European's personal data is captured or shared, they have to give meaningful consent, after being informed about the purpose of the use with enough clarity that they can predict what will happen to it. Every time your data is shared with someone, you should be given the name and contact details for an "information controller" at that entity. That's the baseline: when a company is collecting or sharing information about (or that could reveal!) your "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, … [and] data concerning health or data concerning a natural person's sex life or sexual orientation," there's an even higher bar to hurdle.

This is a very admirable set of goals, and it is entirely, totally incompatible with the way ads (including our ads) are served. The current ad-tech industry involves your data being used to hold realtime auctions that expose it to dozens, if not hundreds, of entities in a fraction of a second. Every one of those exposures would require consent dialogs that couldn't be pre-filled and would have to be clear enough that the person clicking them wouldn't be surprised later by what happened afterwards.

There is no obvious way the adtech industry in its current form can comply with these rules, and in the nearly two years they've had to adapt, they've done virtually nothing about it, seemingly betting that the EU will just blink and back away, rather than exercise its new statutory powers to hit companies for titanic fines, making high profile examples out of a few sacrificial companies until the rest come into line.

But this is the same institution that just hit Google with a $2.73 billion fine. They're spoiling for this kind of fight, and I wouldn't bet on them backing down. There's no consumer appetite for being spied on online (see above, re "largest consumer revolt in history") and the companies involved are either tech giants that everyone hates (Google, Facebook), or creepy data-brokers no one's ever heard of and everyone hates on principle (Acxiom). These companies have money, but not constituencies.

Meanwhile, publishers are generally at the mercy of the platforms, and I assume most of them are just crossing their fingers and hoping the platforms flick some kind of "comply with the rules without turning off the money-spigot" switch this May.

Pagefair, which covers the adblocking industry and debate, has an example of how a current adtech industry could comply with the GDPR, which involves a seemingly infinite number of dialog boxes that no one will ever, ever be willing to click through. It's a really clear example of the unbridgeable gulf between adtech and the rules it's going to have to abide by in a couple of months.

The scenario above assumes that all businesses in online behavioral advertising can agree to pursue tightly defined purposes without deviation. However, it is more likely that controllers will need granular opt-ins, because their purposes are unique.

Any individual controllers who intend to process data for their own unique purposes will need further granular opt-ins for these purposes. Since adtech companies tend to deviate from the common purposes outlined above, it is likely that most or all of them would ultimately require granular purpose consent for each controller.

However, even if all controllers pursued an identical set of purposes so that they could all receive consent via a single consent dialogue that contained a series of opt-ins, there would need to be a granular set of consent withdrawal controls that covered every single controller once consent had been given. The GDPR says that "the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers".[20]

GDPR consent design: how granular must adtech opt-ins be? [Dr Johnny Ryan/Pagefair]