GDPR countdown 8 - will GDPR and EPR eat ad-tech’s lunch?

David Reed, knowledge and strategy director, DataIQ

Ok, so just as you are getting your organisation ready for the General Data Protection Regulation, you now need to get it focused on the new ePrivacy Regulation. If your business has any kind of digital footprint - which is to say, every business - then this could require a degree of change nearly as big, and certainly as complicated, as GDPR. And if your business is ad-tech (or you rely on it), things are about to get really complicated.

Elated from its success at getting GDPR adopted back in 2016 - no easy task when you consider it faced 3,000-plus amendments - the European Commission announced that it would be reviewing the ePrivacy Directive, adopted in 2003 as the Privacy and Electronic Communication Regulations. (The name is somewhat confusing since it is not technically a Regulation, which has to be enforced identically across the European Union, but a Directive, which can be - and was - interpreted individually by each Member State.) 

As was already clear from the five preceding updates to PECR, the most significant of which was the “Cookies law” of 2011, the pace of technological advance has meant keeping this law relevant has been challenging. But the EC was on a high and announced it would not only refresh what would become a new ePrivacy Regulation (ePR), but that it would be ready at the same time as enforcement of GDPR on 25th May.

So difficult has the task proven to be that some commentators have now taken to suggesting that ePR will never be passed. That seems pessimistic (or optimistic, depending on your stance), but in the meantime, digital brands are having to calibrate their digital presence and ad-tech solutions to fit both existing PECR rules and new GDPR requirements.

As Peter Galdies, director of DQM GRC, warns: “Mind the gap! EPR is not ready and the arbitrage between existing laws is very challenging, not least around things like granular consent. Any current solution for the ad-tech space is also only likely to be temporary and may have to be done in one or two years when the new Regulation finally becomes enforceable.”

As with GDPR, the Commissioners formulating ePR have a clear intention of reining in the power of Facebook, Google and their associated platforms. “They currently are seen as the biggest problem, but their activities dominate the opaque space between GDPR guidance and existing PECR-type regulations,” notes Galdies.

Nowhere is this problem of how to understand the blind spots between existing laws more apparent than around the use of cookies, consent and ad-tech solutions. Google recently announced that it wants to operate as an independent co-controller of the cookies data dropped by first-parties, such as brands and website publishers, while also tracking web users via its own consented cookies. 

With advertisers and publishers being asked to agree to its terms (and also indemnify Google), it looks set to reinforce its dominance in digital ad spend (some 44% of global digital ad spend according to WARC), while also building a phenomenally valuable behavioural data set. All before ePR has been introduced and efforts made to unbundle digital data streams.

Consent mechanisms need to be unambiguous - continued use is not agreement

Meanwhile, digital brands are having to wrestle with the complexities of GDPR consent guidance, such as that issued recently by the Article 29 Working Party. One of its most challenging requirements is that consent mechanisms need to be unambiguous and that continued use of a web site cannot be inferred as agreement to data processing.

“The increased requirement for granularity means that for many the most practical approach you can take to that is the creation of a privacy centre,” argues Galdies. “Make it visible to users where they can update their preferences and make it as easy as possible for them to do so.”

When ePR finally crosses the line and becomes law, he believes there will be a significant shift in how ad-tech responds in order to become compliant. “Ultimately, those indications of consent will probably move away from being the responsibility of the publisher and become embedded into the functionality of the user’s browser with web sites then able to trigger requests for changes, such as allowing personalisation of content or advertising,” he says.

For now, that level of technological change is still several years off, but that is no solace for digital brands who find themselves caught between non-aligned regulations and ad-tech solutions providers using their power to capture both revenue and data. Faced with a threat to their food chain in the mid-term, they are treating digital data as an all-you-can-eat buffet right now.


This article is the eighth in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC. For more information on the solutions it offers, visit

David is developing the framework for soft skills and career development among data and analytics practitioners. He continues to be editor-in-chief and research director for DataIQ.