It’s a new world post-rollout of the General Data Protection Regulation (GDPR), a European digital privacy law with global economic impact. An enormous amount of time, energy, and expense has been spent across the digital advertising industry “ from SSPs and DSPs, to publishers, marketers, and networks “ to integrate these new consumer privacy protections into their businesses. And with good reason too, as we review publisher GDPR decisions and the costly impact on fill, CPM, and revenue.
A Quick Summary of GDPR
On May 25, 2018, GDPR pushed the digital advertising industry to comply to stricter regulations around how they handle personal data and privacy from European Economic Area (EEA) citizens. And it wasn’t only businesses based in France or Germany. While the new data privacy law was aimed at aligning different legislations and interpretations across European countries, publishers based outside of the EEA, including Canada and the US, were also accountable. All companies offering goods or services to EEA buyers or who tracked their online activities were now required to obtain consent from users with respect to what data they collect and who they shared it with. Implied consent as an advertising business model became obsolete.
Costly to Publishers
Everyone scrambled into the final hour to understand and meet compliance while some ad tech monoliths like Google waited until after the go-live date to fully clarify their position around the IAB Framework. Why? Because the cost of GDPR was mounting in every direction.
- Fines: Publishers found using data without consent are liable for up to 4% of annual global revenue or €20 million in fines.
- Dirty vendor chain: Publishers who retain vendors outside of the Global Vendor List risk revenue in the short and long run.
- Consent options with varying costs: Publishers have several implementation options for desktop and mobile web consent. Each carry a level of risk to revenue and require integration efforts. Publishers who try to avoid the intensive process of communications, audits, and platform integrations do so at the expense of their programmatic ad revenue. Serving untargeted ads, or serving no ads to visitors, result in a performance dip for publishers with an EEA audience base.
Observed Trends in Publisher Decisioning
We’ve reviewed data from over 200 sites and hundreds of millions of impressions and we’ve analyzed how CPM, revenue, and fill are affected by consent, by CMP, and by vendor lists.
1. A standardized CMP (consent management platform) approach positively impacts revenue trends.
Aggregate data from publishers who chose not to implement a CMP (Figure 1) shows that CPMs or impressions drop off significantly after May 25, 2018, when GDPR went into effect.
The red line shows the CPM trends for the same group of publishers in non-EEA countries, which indicate that the lack of a CMP is significant. The CPM trends are not a result of normal month-to-month and seasonal cycles.
Figure 1. Net CPM in GDPR versus non-GDPR Countries
Aggregate data from publishers shows the impact on fill rate in GDPR vs. non GDPR countries when no CMP was initially implemented (Figure 2). On May 25, there’s an immediate impact on fill from not having a CMP. Note that EEA traffic remains consistent. Once a CMP was implemented for GDPR countries on May 28, fill rate recovered back to pre-GDPR levels.
Figure 2. Fill Rate GDPR and CMP Implemented
2. An increase in the number of vendors who were in compliance with GDPR and part of the Global Vendor List positively impacts revenue trends in the form of higher CPM for publishers.
Traffic data shows the effect on CPM for a group of sites broken out into GDPR and non GDPR countries (Figure 3). For GDPR countries, at first there was a targeted list of known vendors in the CMP. Around May 28, more vendors were added to the CMP and finally on June 9, the full list of all appropriate vendors was applied to the CMP.
Figure 3. Net CPM in GDPR versus Non-GDPR Countries
3. CPMs are higher where users have provided consent.
Data from the end of June shows the impact on CPMs post-GDPR based on whether or not consent was provided for just over 16 million impressions (Figure 4). Overall, CPMs are higher where users have provided consent. The CPM values, as compared to pre-GDPR, are either approaching pre-GDPR ranges, or have surpassed pre-GDPR values¹.
Figure 4. CPM Values (When Consent is True versus False, versus Pre-GDPR)
Conclusion
Our data show that having a clean vendor chain, implementing an IAB-compliant CMP, and gaining user consent, all work towards positively impacting the bottom line. GDPR implementation and fallout aren’t quite over, based on daily headlines coming from industry publications. And like it or not, publishers with a large EEA audience have witnessed the rollercoaster effect of protecting“or abandoning“that high-value base.
¹ This graph excludes the volume of a given bidder or the participation drop. The total impact on revenue can be quite extreme for certain bidders and ultimately on revenue as you can see some bidders do very poorly without consent.