Behind The Curtain: The Adtech Truth – can programmatic ever be compatible with GDPR?

Behind the Curtain is a monthly column from Redbud, the ‘adtech voice of truth’, digging deep each month to discover what’s really going on buried deep in the adtech layers around publishers’ sites.

By Chloe Grutchfield

GDPR. It’s one of our industry’s most talked about topics. In fact, it plays a big part in the history of RedBud, as my co-founder and I lost our previous jobs because of it. Coincidentally, GDPR opened up huge opportunities for us to finally launch RedBud, so it’s not all doom and gloom.

But I think it’s time we all faced the elephant in the room and asked if programmatic can ever be compatible with GDPR?

On the 11th April, Verve, my previous employer, decided to opt out of its European operations, joining a flurry of other concerned organisations: “Ad tech firms are quitting Europe, blaming the GDPR (often as a scapegoat)”.

It seemed I was plagued by the wrath of this looming data frenzy. My over-zealous GP finally diagnosed me with acute GDPR fatigue. A condition that is still spreading; a condition that is growing in a variety of symptoms.

To come to terms with it all, I decided to self-medicate, taking matters into my own hands and looking into the adtech industry (in particular publishers) who are “embracing” GDPR and whether our industry can ever be truly compliant.

Industry Initiative: The IAB Transparency and Consent Framework.

Last year I started my self-medication, by getting myself up to scratch with the IAB’s GDPR Transparency & Consent Framework.

We also ran a few CMP review projects for clients at a time when the IAB TCF was constantly changing and there were new CMPs popping up daily.

A couple of weeks ago, IAB Europe and IAB Tech Lab announced that a second version of the TCF will be ready in June or July, which will provide more “granular publisher controls for collecting consent and claiming legitimate interest.”

The TCF update is hoping to see Google join the IAB-backed program. Publishers expected Google to integrate with the TCF last summer, but that never happened due to Google’s interpretation of the regulation being starkly different. “Google is committed to integrating with v2 and will announce timing soon after v2 is finalized,” according to a Google spokesperson.

I think the process is still flawed because of the very nature of programmatic advertising and the fact that some really big players are not yet part of it.

The elephant in the room: is programmatic compatible with GDPR?

Today there are around 600 vendors that participate in the IAB TCF and have their legal basis, purposes and features captured in the publicly available vendor list.

600 only. There are around 7,000 vendors involved in adtech. Since our inception, our proprietary tool DIAGNOSE has been scanning the top UK publisher websites. The open nature of programmatic advertising allows vendors to ‘sync cookies’ with their partners and enables organisations to piggyback 3rd party tags on creative (for legitimate and sometimes not so legitimate purposes).

We found that very, very few websites actually have an exhaustive list in their IAB CMP of all the vendors that may be dropping/reading cookies, even the publishers who apply the entire IAB vendor list in their CMP.

As far as I know, no TCF CMP in the market is able to block non-approved vendor redirects from firing. This is a very big flaw. One that would require the involvement of vendors to fix, I would imagine.

It would require them to adjust the partners they sync cookies with based on each publisher’s vendor list. I can’t see this happening in the near future. Data from our DIAGNOSE tool reveals that:

  • Big adtech platforms are still syncing cookies with vendors with no privacy policy whatsoever via European websites.
  • The sync pixel of AudienceScience (a now extinct player since 2017) is still being triggered by vendors.
  • Drawbridge, which exited the European market last year because of GDPR, is also being triggered.

So, what’s next?

I think we’ll need to wait for the fines to hit adtech players to see anything substantial really change, although we know that publishers are starting to have conversations with their vendors about non-compliant redirects. I would imagine vendors will feel the pressure to change their internal processes in the very near future:

Audit: A relatively easy thing to do would be to apply stricter audits on the cookie syncing they are triggering on European websites: does the vendor have a privacy policy, are they compliant with GDPR, are they part of the IAB TCF etc.? Right now, when looking at the DIAGNOSE data we’ve collected over the last few months, it’s clear this audit is not taking place.

Site specific syncing: Vendors will also need to be able to adapt their list of cookie syncing partners to the publisher’s vendor list. Some publishers have opted for a conservative list of vendors and yet, because of cookie syncing, that list is never ever exhaustive.
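
One way to run the audit and the site-specific check described above over recorded redirect chains, as an added example that is not RedBud's DIAGNOSE tool or code from this column. The vendor records, the domain-to-vendor mapping, the field names and all `.example` hosts are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed publisher vendor list keyed by vendor domain. The domain
# mapping and the field names are assumptions made for this example.
APPROVED = {
    "ssp.example": {"privacy_policy": "https://ssp.example/privacy"},
    "dsp.example": {"privacy_policy": "https://dsp.example/privacy"},
    "dmp.example": {"privacy_policy": None},
}

# Constructed redirect chains, as a crawler of the publisher page might log them.
CHAINS = [
    ["https://sync.ssp.example/px?pub=1", "https://match.dsp.example/s?uid=abc"],
    ["https://sync.ssp.example/px?pub=1", "https://cs.unlisted.example/m?uid=abc",
     "https://pixel.dmp.example/s?uid=abc"],
]

def vendor_for(host, approved):
    """Return the approved vendor domain that `host` falls under, or None."""
    for domain in approved:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def audit_sync_chains(chains, approved):
    """Audit: flag each cross-vendor hop whose target fails the checks."""
    findings = set()
    for chain in chains:
        hosts = [urlsplit(url).hostname or "" for url in chain]
        for prev, host in zip(hosts, hosts[1:]):
            src = vendor_for(prev, approved) or prev
            dst = vendor_for(host, approved)
            if host == prev or dst == src:
                continue  # redirect stays inside one vendor
            if dst is None:
                findings.add((src, host, "not on publisher vendor list"))
            elif not approved[dst]["privacy_policy"]:
                findings.add((src, dst, "no privacy policy"))
    return sorted(findings)

def site_specific_partners(partners, approved):
    """Site-specific syncing: keep only partners this publisher lists."""
    return [p for p in partners if vendor_for(p, approved) is not None]

if __name__ == "__main__":
    for src, dst, reason in audit_sync_chains(CHAINS, APPROVED):
        print(f"{src} -> {dst}: {reason}")
```

Matching hosts by domain suffix is a simplification; a production audit would resolve registrable domains and map them to vendor IDs from the publisher's CMP configuration.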

Watch this space. We’ve seen nothing yet. It looks like we’re all going to have to put up with the aftermath of GDPR for much, much longer. And my GDPR Fatigue is not going away anytime soon.
