What GDPR costs digital media and technology companies

With the May 25 start date for GDPR enforcement approaching fast, companies across the digital media, tech and data ecosystem are in overdrive to finalize product changes and prep their data governance and legal teams for scrutiny by the European Union.

Tech takeover:

Technology upgrade costs will likely remain high for a couple of years as GDPR enforcement and the finalization of ePrivacy regulations clear up ambiguity in the market, said Andrew Katz, co-founder and CTO of customer data platform (CDP) mParticle.

To an extent, GDPR is an opportunity for new vendors who can build their stacks from scratch. But the upfront investment in engineering time and new talent is particularly difficult for legacy vendors who have already invested in non-GDPR-compliant tech and must therefore spend disproportionately on GDPR maintenance and compliance.

Refitting ad tech to operate in GDPR is a serious task, Katz said, because companies never had to think about challenges like accumulating or deleting a person’s historical data.

Take the demand-side platform (DSP) MediaMath, which in the past six months has dedicated 30% of its engineering and product management, about 60 engineers, to GDPR implementation. The biggest overhaul has been EU data deletion and retrieval rights, which mandate tech and media companies provide mechanisms to erase or hand over an individual’s data.

And Tapad’s engineering team spent months working to change how the company processes data, opt-ins and opt-outs and to allow user-level data retrieval, said CEO Sigvart Voss Eriksen.

Some vendors will find the tech overhaul easier than others. For instance, CDPs, which categorize data around individual profiles, will have an easier time organizing their data flows than a DSP, where data comes in a messy stream.

But even a CDP like mParticle had to invest in a platform overhaul.

At the DSP Beeswax, product teams have worked on updates ranging from trivial changes like adding new fields to indicate consent to more complicated overhauls of how the company transfers data between parties without exposing information.

And these investments aren’t one-time fixes – they are ongoing investments.

“It won’t be a situation where we get to the May deadline this year and we’re done,” said Beeswax founder and CEO Ari Paparo.

Many GDPR costs are front-loaded, said mParticle’s Katz, with some baked-in investments like the initial tech overhauls and salaries of data governance and legal executives. And more costs will nip at the bottom line as data portability and erasure requests mount in the EU.

Tapad’s Eriksen said GDPR will continue to exert a major influence on product and internal investments.

If the industry’s general compliance efforts and initiatives like the IAB’s consent framework stand up to regulatory scrutiny, costs in Europe will no longer be so disproportionate to the returns.

“My hope is as we move into the second half of the year the groundwork will be laid and there will be ongoing monitoring, but the hard work will be behind us,” said Doug McPherson, OpenX’s VP and general counsel.

But that comes with a major asterisk. EPrivacy regulations, which are still in a drafting process, could reset product work on user opt-ins and establish much higher investment levels to participate in EU data-driven advertising.

And publishers may trim their partner rosters, limiting the potential dollars for tech intermediaries.

McPherson expects many name-brand publishers to continue reducing their supply chain vendors from an average of three or more to just one or two.

That’s a sentiment shared by Meredith Chief Data Officer Alysia Borsa.

From conversations with other publishers and Meredith’s marketing technology partners, Borsa expects some US-based publishers to opt to block traffic and some tech businesses to exit the market instead of bearing the cost of GDPR.

Meredith’s European traffic ranges from single digits to 10-15%, and it briefly considered discontinuing operating EU-based media tech services, Borsa said, but the publisher has committed to standing up those subsidiaries under GDPR.

“We approach [GDPR implementation] under two different scenarios: evaluating our EU-based media or technology services and the traffic to US sites coming from the EU,” said Borsa.

Scarce resources:

Besides the tech burden, GDPR also requires vast human resources.

Meredith has a team of 10-15 senior executives across legal, IT, marketing, product, engineering and account management who meet weekly on GDPR compliance and have teams under them executing changes, Borsa said.

And all those additional legal services, privacy consultant and employee hours cost at least a few hundred thousand dollars in the past year, said Beeswax’s Paparo.

The company is “working with lawyers to revise our contracts, which isn’t cheap because in RTB there are so many contractual relationships with different partners,” he said.

Also, GDPR-affected companies must have a data privacy officer (DPO), which is a difficult, expensive position to fill.

OpenX recently assigned McPherson to be its DPO.

Beeswax is relatively small and doesn’t have one, but it shares an independent privacy contractor who functions as DPO for a group of tech companies too small to merit a full-time hire.

This month, MediaMath hired a new VP of government relations, Danny Sepulveda, who previously worked on telecommunication initiatives with the US State Department, tasked with outreach and influence in other global markets.

And Tapad tripled its privacy team and it and its parent company, the Norwegian telco Telenor, added specialist legal counsel for GDPR.

Is it worth it?

The costs of compliance may be high and the payout may be thinning, but the specter of GDPR fines of 4% of total revenue (which for an ad tech company means total media sales on the platform, not just on profit) is a powerful stick keeping tech companies in line.

The threat forces vendors to consider whether they should invest at all or simply start reducing their business.

“We had a moment where we thought, ‘Is it worth the trouble?’” said MediaMath President Michael Lamb regarding its European business under GDPR. Considering European business is about 20% of MediaMath’s revenue, it clearly was essential despite the cost, he said.

Companies semi-committed to GDPR may end up pulling the plug on the EU depending on ePrivacy regulations and enforcement actions, especially if inventory value goes down – as many expect when less data can be applied for targeting – pinching companies between higher baseline investments and decreasing returns.

Tapad, for instance, offloaded its media business earlier this year and got out of the higher-risk practice of buying ads, refocusing as a CDP.

Drawbridge, a direct competitor to Tapad, abandoned its EU media business and is considering whether it can operate its cross-device graph in the bloc.

But GDPR expenses don’t fall into a pure cost-benefit analysis of the EU business.

“Looking forward we expect privacy standards to be much more important globally,” Lamb said, pointing to national markets in Asia and states like California experimenting with GDPR-like regulations.

“We look at these investments more as opportunity costs,” Lamb said, as global brands and agencies start to base account decisions on data standards.

And there’s opportunity as GDPR washes away some competitors, said Tapad’s Eriksen: “There’s a big business opportunity in being compliant.”

Tapad will keep an eye on European startups, because companies that don’t have to retrofit existing data platforms and can build specifically for GDPR have a good shot to seize market share.