‘A knife edge of what is legal’: Six years on from GDPR, marketers are still taking data privacy risks

With the demise of the cookie being delayed yet again and growing privacy concerns beginning to affect tech giants, what can the industry expect from the recently introduced UK version of GDPR, and the ever-changing regulatory landscape?

The General Data Protection Regulation (GDPR), the landmark European Union (EU) law designed to protect citizens' personal data and privacy, came into force six years ago. 

The law has brought significant changes in how personal data is handled and protected. 

Most visible in its website consent pop-ups, GDPR is widely acknowledged improving data protection standards not just across the EU, but prompting similar implementations across other regions.

But with new threats from AI and the added complication of Brexit in the UK, is regulation able to keep up with the changing way consumers access digital services? 

PMW spoke to 10 experts for their take on the future of GDPR as it enters its sixth year in operation.

“Privacy credentials have become a competitive differentiator”

Sarah Lawson Johnston, CRO at Covatic 

“The GDPR has been a benchmark for data privacy over the past six years – inspiring other global legislation and prompting many businesses to rethink how they protect themselves and their customers. It has also raised consumers’ awareness of how their personal data was collected, stored, and used.

“In the advertising industry, we’ve seen some stalling in the adoption of new practices for this privacy-first era. Google may have pushed back its cookie deprecation deadline once again, but it’s important that the sense of urgency is not lost. Privacy credentials have become a competitive differentiator, as consumers gravitate towards companies aligned with their privacy values as well as their personal ones. Media owners and brands must therefore phase out outdated solutions while simultaneously expanding the adoption of effective privacy-first technologies (e.g. on-device ad-tech solutions). This will help foster positive advertising experiences and offer the additional advantage of future-proofing their businesses.”

“Meta hasn’t aligned its data sharing standards across its social media platforms”

Oren Poleg, CTO and Co-founder at ViewersLogic

“Many companies are still unclear on which data to share with consumers when they receive a GDPR data subject request (DSR). There is a large variance in both the data you get back and how you can request it. For example, Meta hasn’t aligned its data sharing standards across its social media platforms. Where Facebook provides data on any content that users interacted with but no ad data, Instagram offers both content data and ad data, but only on ads seen in the week up until the GDPR request. 

“Unlike the ongoing delays of third-party cookie deprecation, there’s no room for manoeuvre when it comes to GDPR regulations. Businesses are legally required to produce subject data in a machine readable format. Currently only a handful of companies make this an easy process, whereas others either make it intentionally difficult or simply haven’t invested in the process at all. 

“We need to be working towards a transparent data economy where consumers can access their subject data without scrutiny or difficulty, especially as we’re seeing a growing concern from consumers about how their data is being used and stored. Businesses that don’t act in the spirit of the law, need to be held accountable for exasperating what should be a simple DSR.”

“There are still corners of the industry that prefer to walk the knife-edge of what is legal”

Marko Johns, UK Managing Director and International Head of Agency, Seedtag 

“GDPR established the standards for data and privacy regulations, serving as a template for similar legislation that has since rolled out — or is in the process of rolling out — across the globe. 

“Within digital advertising, it set into motion the transition towards solutions that do not rely on personally-identifiable information, though there are still corners of the industry that prefer to walk the knife-edge of what is legal to keep invasive targeting operating beneath a new coat of paint. GDPR may have been exhaustive at the time, but it needs to be updated to fill exploitable gaps in its reach, particularly around fingerprinting and AI, where a lack of guardrails around data handling puts both individuals and organisations at risk.”

“Many marketers are relying on outdated targeting methods and confused consent messaging”

Angelique Whittaker, UK Sales Director, Azerion

“After six years of GDPR — and the subsequent rollout of other global regulations — privacy-centric advertising really should be the norm by now. However, the industry still struggles to push forward with its own bold moves and many marketers are relying on outdated targeting methods and confused consent messaging. 

“To go a step further than simply being regulation-compliant, advertisers should be embracing cookieless tools, with a combination of contextual and behavioural targeting, to dig deeper into the privacy-friendly data and power curation methods; this will deliver more effective targeting and build better brand connections for consumers.”

“Companies [are] beginning to see privacy as an opportunity to… drive efficiencies, create new revenue streams and foster customer loyalty" 

Nicola Newitt, Director of Legal, InfoSum

"Six years after the full implementation of the General Data Protection Regulation (GDPR), it is still setting the global standard for privacy. The publicity around the GDPR increased consumer understanding of their right to control their personal data within the EU and in the UK. Additionally, it's influenced regulators in many other jurisdictions; 75% of people around the world now have data protection rights enshrined in law, up from just 10% in 2020. 

"The GDPR has provided European legislators with a powerful framework with which to hold organisations who fall foul of its terms accountable; for example, when Meta received a €1.2bn fine from the Irish Data Protection Commission (DPC) in May 2023.

"While this provides a huge incentive for businesses to ensure their privacy practices are in good order, it’s also part of a bigger mindset change; with companies beginning to see privacy as an opportunity to build platforms, processes and products that drive efficiencies, create new revenue streams and foster customer loyalty." 

“This shift is no longer simply driven by legislation, but by consumers”

Lawrence Horne, UK Country Manager at Ogury

“The introduction of GDPR was an important milestone in the transition towards a more privacy-first online landscape. However, this shift is no longer simply driven by legislation, but by consumers. Around two-thirds (65.5%) of UK consumers have concerns surrounding data privacy when interacting with brands online, and it's clear they are willing to exercise their right to avoid being tracked or sharing their personal information for advertising purposes. This has led to a consistent decline in opt-in rates since the implementation of the GDPR.

“For the advertising industry, being compliant with the GDPR, the CCPA or any of the other numerous privacy laws alone is not enough; consumers have spoken, and as a collective we need to tackle this issue at a global level. If the GDPR represented the first step towards a new privacy paradigm, the phase-out of the third-party cookie in Google Chrome is the final part of this journey. Brands must stop clinging to the old world and embrace a privacy-first approach if they are to continue to effectively reach their audience.”

“[GDPR] groundwork is now the basis that the post-cookie marketing landscape is being built upon”

Jason Warner, Director UK & EMEA, SBS

“GDPR sparked the formation of a new generation of technological data providers focused on compliance whose groundwork is now the basis that the post-cookie marketing landscape is being built upon. Ultimately, it has enabled data-driven strategies to be refined for even greater precision, effectiveness, while privacy compliant.

"However, the intricate and highly technical complexities of GDPR still catch out those unprepared technically. Currently, when a company's legal team lacks a clear understanding of these mechanisms, the fear of potential investigations and fines can stifle technological advancements. This gap between theoretical rules and practical application poses a significant obstacle to progress.”