4 Ways AdTech Adapts in the Post-GDPR World

The General Data Protection Regulation (GDPR) was adopted in 2016 and finally enforced on May 25, 2018. This is a European privacy law that regulates, among other things, how organizations can collect, store, and use the personal data of EU citizens. Essentially, GDPR has redefined the relationship between companies and consumers, empowering the latter with control over their personal data.

Once the law was adopted, the first headlines — and eye-watering fines — suggested all doom and gloom for advertisers. Companies used to have easy access to abundant customer data, from tracking a user’s browsing behavior to purchasing third-party databases. These rich insights opened new avenues for creating highly targeted offers with the granular level of personalization.

GDPR, however, has significantly transformed the way brands interact with consumers. Although the law is very nuanced, here are the key points of GDPR AdTech impact in 2024:

• Under the GDPR, personal data is broadly defined, covering any information that can identify or relate to an individual. This includes cookie identifiers, location data, IP addresses, device identifiers, and digital fingerprints. This expanded definition has a significant impact on how companies must handle data, focusing on transparency and limiting data processing to lawful, clear, and legitimate purposes.
• The principle of purpose limitation ensures that data is collected only for specific, clear, and legitimate purposes. If the purpose changes, marketers must seek fresh consent.
• GDPR’s data minimization rule restricts marketers to collecting only the information that is adequate, relevant, and essential for the stated purpose. Furthermore, data sharing should be limited to the minimum number of entities necessary for processing.
• To comply with the principles of lawful, fair, and transparent processing, marketers must clearly define and communicate the legal basis for data collection, specify the types of data being processed, explain the purpose, and provide all other required disclosures.
• The storage limitation rule requires that personal data be retained only for as long as necessary and securely deleted or anonymized once it is no longer needed.
• Lastly, GDPR strengthens individual rights by granting people the “right of access” to their personal data. Individuals can submit a Data Subject Access Request (DSAR) to review their data at any time. Businesses must offer a simple, accessible way to make these requests and ensure identity verification. Upon receiving a valid DSAR, marketers are obligated to provide a full record of the personal data they hold, including consent history.

Indeed, adapting to the new cookieless environment is not easy, but AdTech companies are making strides, especially with the challenge of ensuring GDPR AdTech consent is properly obtained and managed across diverse digital platforms.

Intensified oversight

In 2024, Data Protection Authorities (DPAs) in both the EU and UK have intensified their scrutiny on cookie consent compliance, with a particular focus on ensuring that companies are properly obtaining user consent before using cookies to collect data. This follows a surge of enforcement actions in recent years, responding to concerns over non-compliant cookie practices.

In the EU, the European Data Protection Board (EDPB) has been active in clarifying cookie rules, particularly focusing on consent mechanisms. The EDPB issued guidance on cookie consent banners, underscoring the need for clear and freely given consent, especially for non-essential cookies like those used for advertising.

The consequences for failing to comply are significant. For instance, in 2024, the Croatian DPA fined two gambling companies a combined €35,000 for improper use of cookies without clear consent. Moreover, the French DPA fined Yahoo! €10 million for similar violations, emphasizing the serious financial consequences that companies face for non-compliance.

The push for better compliance is also evident in the technological shift towards platforms like Google Consent Mode v2, which has been mandatory for UK and EU advertisers since March 2024. This tool helps ensure that consent preferences are properly communicated to advertising networks, enforcing user control over their data.

With such regulatory pressure, businesses are now more incentivized than ever to audit their cookie practices, update consent mechanisms, and avoid costly penalties.

GDPR and AdTech: How companies adapt to privacy-first environment

1. Zero-party data

Advertising is all about data — namely the mix of first-, second-, and third-party data that marketers use to build effective, highly targeted campaigns.

Today, however, many marketers won’t touch third-party data with a barge pole out of fear of violating GDPR. Third-party data is considered the least privacy-compliant because it is collected and distributed by an outside vendor that has no direct connection with the users. This is because third-party data aggregators may not always comply with GDPR, making their use risky for marketers. This has brought the focus on the first-party (the data you collect directly from your users) and second-party data (someone else’s first-party data) as the most trustworthy and compliant sources.

But in 2018 Forrester Research introduced the AdTech world to zero-party data. The new kid on the block, zero-party data is the data that a user provides to the company willingly and intentionally. It can include such personal characteristics as gender, age, purchase intent, style preferences, and more and can be acquired through quizzes, polls, website activity, and customer profiles. Zero-party data is similar to first-party in terms that it is consent-based, but it differs in that it is actively volunteered rather than passively collected.

Many brands now actively seek this type of data through strategies such as:

• Interactive experiences like quizzes, surveys, and polls.
• Personalized offers or loyalty programs in exchange for volunteered information.
• Consent-driven customer profiles created during onboarding or through ongoing engagement.

In an example below, a user voluntarily shares their personal info in exchange for a free offer.

Source: The future of customer engagement and experience

Need help with your AdTech challenges?

From programmatic advertising solutions to advanced data management platforms to intelligent audience targeting systems, we offer AdTech software development services to help industry players maximize return on ad spend.

Talk to an expert

2. Consent management platforms

User consent is one of the most pivotal concepts of GDPR. The law prescribes that in order to collect and use personal data, organizations need to get consent — specific, freely given, informed, and unambiguous.

Consent management platforms (CMP) streamline the process of requesting, receiving, and storing consent. To present the opt-in and opt-out information, CMPs employ a pop-up, widget or banner, which allows a user to see for what purposes their data is being collected and what companies will have access to it.

Source: Header Bidding

3. Alternative identifiers

With the planned deprecation of third-party cookies in major browsers like Chrome in 2025, tech firms are rushing to bring in cookie replacements — alternative identifiers that would support AdTech privacy needs. These alternative or universal IDs are mainly based on first-party cookies and permanent identifiers like email addresses, phone numbers, etc.

There are already a handful of universal ID solutions that publishers and programmatic vendors can use to support a better understanding of their audiences:

• The Trade Desk Unified ID 2.0. The Trade Desk, a demand side platform (DSP), offers a solution that uses hashed and encrypted email addresses. Although the solution is built on personally identifiable information, it provides the necessary transparency and privacy controls for users. Also, some big name publishers like Buzzfeed, the Washington Post, the Los Angeles Times, have signed up for integration.
• LiveRamp ATS. LiveRamp, a data enablement platform, has launched Authenticated Traffic Solution (ATS) that uses first-party data to help publishers recognize users in real time and enable data-driven targeting.
• Google’s Privacy Sandbox. Google’s solution is basically a set of open standards — TURTLEDOVE, SPARROW, Dovekey, PARRROT, Fledge, and Topics — aimed to improve user privacy while maintaining an ad-supported web. The Privacy Sandbox is still in development and the jury is still out on long-term viability of the solution.

4. Contextual advertising

GDPR has also brought contextual advertising back on brands’ radar as a more privacy-friendly alternative. In fact, almost half of marketers in the USA and a third in the UK consider contextual targeting and advertising their preferred format.

Contextual advertising is pretty straightforward — it is about placing the most relevant ads in the most appropriate settings. And although the mechanism is simple, it yields great results because it allows you to reach consumers at the right moment in their journey. But to bring efficiency to the next level, contextual ad targeting solutions can be spiced up with machine learning. These algorithms analyze page content and extract meaning from text to find the optimal place for ad insertion, which helps to deliver an uninterrupted user experience and boost engagement.

The bottom line

At the end of the day, GDPR does not mean the end of AdTech. What it means is that publishers and advertisers need to put customers first and find new, privacy-first strategies. In addition to a major comeback from contextual advertising, today we also see great interest in zero-party data, sophisticated consent management platforms, and universal ID solutions.