On GDPR’s 5th Anniversary, Fragmentation Remains Biggest Privacy Challenge
The more things change, the more they stay the same. Although the privacy landscape is quite different in 2023 than it was five years ago, when the European Union’s GDPR went into effect in May of 2018, the adtech industry in the U.S. remains in a state of flux, struggling to deal with fragmentation caused by the current state-by-state approach to privacy legislation.
While they deal with ongoing changes to privacy laws, agencies and brands today are also working to understand the true ramifications of investing in generative AI — an entirely new frontier in digital marketing. In the U.K., a full one-third of adults say they haven’t used AI because of data privacy concerns. In the U.S., 87% say they are “deeply concerned” about the possible harms that could be caused by misuse of generative AI, and particularly tools like Google’s Bard and ChatGPT.
According to Adform Vice President of Legal and Privacy Compliance Elena Turtureanu, the lack of federal privacy legislation is holding back the adtech industry and potentially delaying the adoption of technologies, like generative AI, that could ultimately be beneficial for both advertisers and consumers.
Turtureanu believes the single biggest challenge to consumer privacy today — five years after the GDPR was enacted — is fragmentation, and she says the solution is for industry players to join standardized frameworks that provide a safer way to transact.
“The ad tech industry’s biggest challenge when it comes to privacy remains fragmentation. In the U.S. specifically, this fragmentation is proliferated as individual states put privacy legislation in place,” Turtureanu says. “And while many may feel defeated by fragmentation, our only way out is to transform our perspective and recognize the opportunity – a collaborative commitment to better consumer privacy.”
Turtureanu believes that regulatory enforcement is the key driver of accountability, and, inevitably, GDPR compliance. She also cites the so-called privacy paradigm as an issue, and says that while consumers have become more knowledgeable about their privacy rights, consent fatigue persists.
The Push for Standardization
At Captify, a search intelligence platform for the open web, Senior Vice President of Product Amelia Waddington shares Turtureanu’s viewpoint. She sees the GDPR’s passage as similar to the leadup to Y2K in 1999, with companies popping up to consult in the area or solve the problem.
Five years after the GDPR was enacted, federal privacy legislation in the U.S. is still far from reality.
Waddington says the U.S.’s state-by-state approach makes it harder for businesses to fully comply. Some state laws are contradictory, and it is impractical to have different processing for every state. She believes that a federal law will ultimately be necessary, and tech giants will lobby for this, because it’s much simpler to manage as a global business.
Fines for GDPR violations have been slow to roll out, and it’s taken regulators the full five years to crack down. Prior to last month’s $1.3 billion ruling against Meta for violating E.U. data privacy rules, most fines looked small in comparison to the cost of compliance. Those small fines did little to encourage the biggest players in the space to fully comply with regulations.
Although industry standards like the IAB Transparency and consent framework have proven to be challenging to develop — due in large part to the various interests and compliance appetite of publishers, advertisers, and ad tech players — Turtureanu says they bring a standardized and uniform setting that organizations can rely on as a robust tool.
“Industry players must come together to join standardized frameworks that provide a safer way to transact data while prioritizing consumer privacy and trust,” Turtureanu says. “It is impossible to scale and remain compliant with each and every unique U.S. State privacy law unless a unified standard exists — as they say, one swallow does not make a summer.”