Every couple of years, marketing observers play a parlor game called “The Ad Tech Shakeout Cometh,” in which they pontificate about the impending decimation of the ad-tech industry.

The invisible hand of economist and philosopher Adam Smith pushes markets in various directions. With a new policy and governmental regulation in Europe and major tech companies coming down hard on third-party vendors, it looks like The Ad Tech Shakeout is actually already here.

The day of reckoning

The EU’s General Data Protection Regulation (GDPR) threatens to wipe out significant portions of data on which marketers have heavily leaned to target online campaigns. At the same time, platforms like Facebook and Google are cutting out third-party vendors while bolstering their own data efforts to avoid potential GDPR snafus, which marketers may see as platforms creating bigger so-called walled gardens that block marketers from getting vetted data. And signs of an upcoming shakeout are already playing out.

The same day Facebook announced it was closing its Partner Categories program that allowed vendors like Acxiom and Oracle Data Cloud to plug into its platform, shares of Acxiom fell 19 percent, and the data firm lowered its 2019 revenue expectations by $25 million.

The narrative around data is changing for marketers. After years of demanding more and more stats, less is more in the world of GDPR, which has huge implications for ad-tech companies that control and manage digital data.

“Everyone knew there was going to be a day of reckoning,” said Andrew Sirotnik, co-founder and chief experience officer at Fluid. “All of these participants in this value chain around data had the opportunity to do the right thing [and] adjust their behavior so that when this day of reckoning did come, they fell on the right side.”

How did we get here?

As money moves from television and print to online advertising, amassing troves of data that can be used to retarget consumers with contextual targeting is central to the ad-tech industry’s pitch.

The ad-tech industry has ballooned in recent years, with hundreds of companies specializing in helping advertisers fine-tune digital ad targeting by collecting and aggregating pieces of data.

Before getting into the specifics of GDPR, a look at the size of the ad-tech industry should put the landmark regulations in perspective: GDPR puts thousands of jobs in specialized tech on the line. A search for “ad-tech” on LinkedIn pulls up 2,241 open positions at firms like Foursquare, Spotify and Starcom. Four companies—AppNexus, The Trade Desk, Criteo and Index Exchange—collectively employ about 3,200 people, according to public information on LinkedIn.

Luma Partners, the investment bank firm known for its charts that break out digital media trends, groups hundreds of companies into 17 charts that include mobile players, agencies, search specialists and marketing tech experts. Reading the marketing tech chart alone, you’d be forgiven if your eyes instantly gloss over. At least a few hundred companies cover everything from measuring website analytics to piecing together data to create ad-targeting profiles.

According to research from Luma Partners and JEGI, the ad-tech bubble hasn’t burst yet. Mergers and acquisitions brought in $272 billion in 2017. Per Luma, the performance of stocks increased by 26 percent from May 2016 to May 2017 while they gained $8 billion in market cap value (although the firm notes that it is “largely due to the strong performance of The Trade Desk” ). As a comparison, Facebook and Google’s collective market cap value increased by $263 billion over the same time period.

It’s important to note that the ad-tech shakeout has slowly been happening for years. Faced with challenges around securing investment money, a number of firms like Rocket Fuel, Millennial Media and Tremor Video went through high-profile IPOs in 2012 and 2013, only to quickly burn out.

Take Rocket Fuel, for example. In October 2013, the programmatic company’s shares peaked at $66.43. The day before its acquisition by Sizmek last year, Rocket Fuel’s stock traded at $2.69, and the firm was purchased for $145 million. The story plays out similarly for Millennial Media, which was acquired by AOL (now Oath) in 2015 for $238 million. And Tremor Video sold the demand-side platform arm of its business for $50 million before rebranding to Telaria. On Monday morning, Telaria’s stock was trading at $3.56.

At the same time, Facebook and Google’s klout only continues to grow, stealing digital budgets from publishers and ad-tech vendors. According to eMarketer, Facebook and Google controlled 67 percent of the digital ad business in 2017. Google is expected to make $40 billion, while Facebook will rake in $21.57 billion in 2018, eMarketer says.

GDPR’s impact

With May 25, GDPR’s start date, steadily approaching, ad-tech companies are scrambling to meet strict data practice policies as well as assemble privacy teams to handle the dicey issue that allows consumers to decide what information they share with companies.

For U.S. companies that conduct business in Europe, the new rules mark the first time they’ve faced regulation—and the threat of heavy penalty fine. (That’s 20 million Euros, or 4 percent of a company’s global revenue, if they’re caught conducting shady business.)

As part of the process to clean up data practices and remove shady players, marketers are increasingly moving to rely on their own vetted data (or first-party data) versus third-party data passed between multiple companies. That could spell bad news for ad-tech firms who have built businesses on swapping digital data to create sophisticated ad-targeting zeroing in on someone’s online behavior and physical location.

The Silicon Valley impact

Facebook entered that thorny area a few weeks ago when it closed its Partner Category program that a handful of ad-tech companies—including Acxiom, Epsilon and Oracle Data Cloud—used to match offline data (like if a user is in the market for buying a house or car) with Facebook’s own data for ad targeting.

“Now more than ever, advertisers need to exert their voice,” Scott Howe, CEO and president of Acxiom, wrote in a blog post blasting Facebook. “Money is powerful, and advertisers should remember that they’re the real decision makers. Use your voice to demand support for data you can use everywhere and integrations that allow you to protect the data that’s in your care.”

Facebook’s move hints that firms supplying third-party data could be some of the first to disappear under GDPR. “This combined with GDPR is going to be a new day where every single marketer has to go directly to the customer,” said Steven Wolfe Pereira, CMO of Quantcast. “GDPR is going to force the hand for everybody to rethink the way that they’re engaging with the customer—anyone that relies on third-party data is going to be screwed.”

The problem: Firms like Acxiom also built the technology and infrastructure underpinning the juggernaut ad-tech industry that’s expected to make more than $39 billion in programmatic spend from U.S. marketers this year, according to eMarketer.

“Third-party data more broadly was always going to be the most challenged data type under GDPR,” said Tim Norris, general manager of EMEA for mParticple. “With systems like Facebook now turning it off, I think it’s another nail in the coffin.”

At the same time, YouTube is also axing third parties from its platform. According to a memo obtained by AdExchanger, YouTube will “no longer support third-party ad serving on reserved buys in Europe beginning May 21,” adding that it will “assess whether to extend that policy globally.”

Then there are location-based advertising firms that cobble together multiple sets of data to determine where someone is and what ads they might be interested in receiving. In some cases, companies like Foursquare collect first-party data straight from people who opt to have their location tracked, but a plethora of location companies sell third-party data to ad networks. Such stats detail latitude and longitude (or lat-long) coordinates from a smartphone’s GPS.

Location data has long been viewed as key in helping marketers piece mobile, display and social stats together with contextual targeting, but lat-long coordinates are considered personal data under GDPR, which is why firms like online video advertising company SpotX don’t plan to include location data in its offerings.

“It’s not even gray—it’s black and white and a no-no [under GDPR],” said J. Allen Dove, chief technology officer at SpotX. “There’s going to be a shakeout, and that will be the kind of stuff that shakes out … [I]t has to.”