The General Data Protection Regulation is finally here. Earth has continued to rotate.

Despite a two-year grace period in which to prepare before enforcement of the law, most businesses have scrambled to get compliant in time for the May 25 deadline. In other words, it’s been a bit of a mess.

The law itself should be accountable for some of the blame: The bombardment of consent notices and requests for opt-ins or opt-outs over the last few weeks highlights just how broadly the law has been interpreted. The market is divided into those who have attempted to follow the spirit of the law to the letter, and those who have crossed their fingers and hoped for the best.

As with anything, there are winners and losers. Bluntly speaking, any business that doesn’t have a direct relationship with users is in for a difficult time.

Winners:

Google

It’s no secret Google’s GDPR approach has angered many in the digital advertising world, particularly publishers. Its decision to reveal its GDPR approach just weeks before the deadline, after publishers had spent the last year developing compliance strategies, has been met with iciness.

Google is not immune to GDPR pressure. The company has been under fire from Brussels for years and has a handsome collection of multibillion-dollar fines courtesy of behavior the European Commission has deemed anti-competitive. Its GDPR approach will likely be scrutinized in-depth, although whether individual-country regulators have the resources to take on a company with Google’s resources is another matter. Google will also likely be a core target of privacy activists.

Google is rightly being taken to task by the world’s biggest publishers. Regardless of its dominant market position, it will want to retain good relationships with the big publishers. In some cases, it will have to rely on publishers gaining consent on its behalf and can cut off third-party tech vendors that it deems noncompliant whenever it likes.

Regardless of size, it will take a brave publisher to cut off Google from its supply chain. Even the mighty Axel Springer, which has gone public about how it is weaning itself off relying on Google’s platforms, must still stay in the company’s good graces enough to be able to use its ad products, to sustain digital ad revenues.

Combined, Google’s core products DoubleClick Bid Manager, AdX, DoubleClick for Publishers and its attribution solution generate just under $5 billion net revenue, dwarfing its nearest competitors in each category, according to a recent post from U.S. publisher trade body Digital Content Next CEO Jason Kint. “Google both creates the market and makes the market,” he said.

There is widespread concern that Google has used GDPR as a cover to gain competitive benefits, such as restricting the DoubleClick ad ID to its own platform and restricting the number of ad tech vendors that publishers using its CMP can plug in. “Google regards GDPR as a strategic play,” said Jon Slade, chief commercial officer of the Financial Times.

Publishers with muscle

When it comes to GDPR, size matters. While larger, known brands are likely to attract the eyes of regulators and privacy activists, they’re also well-resourced. That means they have the funds for lawyers and to create their own technologies such as consent management systems, and they have enough clout to push back on the GDPR terms being dictated by dominant U.S. tech platforms like Google and Facebook.

European media powerhouses like Axel Springer will be in a strong position. The publisher had the resources to develop its own consent management platform that it has opened to other publishers to use as open source, and it has enough clout in the market to stand up to the platforms. It also, like many other premium publisher groups, has a sea of consumer brands that people recognize.

Subscription-focused publishers

While most publishers can speak directly with users, either via email newsletters, sites, apps and other marketing messages, subscription publishers are clear winners. People are prepared to pay for their products and services. They needn’t harbor the fear on other publishers’ minds: that users may opt out or choose not to give consent. Therefore, they won’t have to worry about programmatic revenue deficits caused by a drop in the amount of audience data they can run advertising against. Publishers with registered users will also be in a strong position. Anyone that has logged in to use a media owner’s product has chosen to do so because they believe that product is worth it.

Lawyers

It isn’t for nothing that “ambulance chasers” has been the GDPR phrase du jour for some time. Overall, industry consensus is that in truth, everyone loses something — apart from the sea of lawyers who have been no doubt rubbing their hands in glee at the onslaught of business requests from terrified businesses.

The general public

OK, the current confusing sea of emails requesting users to opt in or check out new privacy policies is annoying. But look at the long term. GDPR has been devised to give people more control over how their data is used on the web. Some may care fiercely about how their data is being used; others may be unbothered by the reams of opt-in and opt-out requests they’re now receiving. Although there is a danger that site user experience will suffer for a time, ultimately, this is all intended to give consumers more control of their data.

Losers:

Ad tech vendors

Pity the Lumascape. So far, two U.S. ad tech vendors, Verve and Drawbridge, have exited Europe and cited GDPR as a core reason. There will be others who decide that risking the burden of costs in getting compliant, along with the difficulty of gaining user consent for multiple data purposes, is simply not worth it, especially if European revenue is a fraction of what it is in the U.S.

Ad tech vendors that rely on large amounts of traffic from other ad tech vendors will also likely have a tough time, as will vendors that rely on bid-stream data to create segments and audience. Retargeting companies will also suffer: Just look at how retargeting firm Criteo’s stock price has fluctuated over the last six months.

Vendors that haven’t bothered to cultivate relationships with publishers, agencies or brand advertisers that would in turn be willing to gain consent on their behalf: Good luck. If they don’t have the endorsement of their partners, they will also be kicked out of Google and Facebook’s ad ecosystems. Data management platforms will also take a hit.

Facebook

Facebook’s position is far harder to read than Google’s. It has the same advantages as any of the other big four U.S. tech platforms (Apple, Amazon and Google) and large pot of people who have to log in to use its products — which are a daily habit for many, whether it’s Facebook’s main app, WhatsApp or Instagram. Yet it has been under a very uncomfortable spotlight since the Cambridge Analytica scandal erupted.

Agencies

Agencies also do not have direct relationships with consumers, unlike the advertising clients on whose behalf they work. Therefore, gaining permission directly from users will be tough. Naturally, they will look to established partnerships with publishers to gain consent on their behalf. Larger agencies will be better equipped to cope with compliance demands, but they are also vulnerable to clients pulling programmatic spending in the immediate aftermath of GDPR.

Publishers overreliant on programmatic advertising

Savvy publishers have focused on diversified revenue strategies ever since print advertising revenues started plummeting. But there are still many reliant on programmatic revenue for a large chunk of income. Publishers that have asked users for informed consent are not expecting 100 percent opt-ins. Whatever percentage of their audience chooses not to opt in, they can no longer target with personalized ads. For that reason, certain publishers have estimated they will lose programmatic ad revenue, in the short term at least.

Small publishers

It’s only really the big publishers that have the resources and market position to contest the tech platforms. Case in point: Google’s meeting yesterday would have likely been well-attended by mid- to long-tail publishers that have no choice but to keep on the right side of the tech giant. As such, they won’t have much of a voice in all this.



US publishers with (albeit) small European operations

Some U.S. publishers that cottoned on late to GDPR have decided to just halt all ads from running on their European pages. USA Today has stripped its page of all ads and has claimed to offer a “EU site experience” in a disclaimer to anyone visiting the site from Europe. It’s easier to just turn the tap off rather than risk fines for what’s likely a very small portion of their revenue.

Facebook-reliant publishers

Digital media publishers that hedged their bets on posting to Facebook to scale fast are now regarded as a cautionary tale. Case in point: Facebook-dependent U.S. publisher LittleThings, which was forced to shutter in February after Facebook made its last algorithm change. While it’s fair to say that any publisher that hasn’t done enough to establish its brand or found a way to diversify its distribution beyond Facebook will struggle to attract loyal readers, that will only intensify post-GDPR. With people’s inboxes bursting with emails from every company under the sun that has ever used their data, consumer-consent fatigue is inevitable. Soon, giving consent, filling in email details or even just clicking to opt in to the sea of messages will become a chore. Publishers that don’t have well-known brands and rely on flyby readers clicking through to their sites from Facebook or other platforms will likely find readers don’t care enough about that one headline to go through a series of cookie notices and consent requests.

Consent dodgers

The confusion over whether a business can rely on legitimate interest or not has been intense. No one will know for sure until someone is reprimanded for it by the regulators. But in reality, it’s a stretch for any ad tech business that survives by legitimate interest will make the cut. Those who have relied on it entirely and made no effort elsewhere to gain consent likely know they don’t have a genuine legitimate interest to use personal data.

So, while some businesses will be able to claim a legitimate interest in using people’s data without having to seek explicit permission, no ad tech vendor that relies on bid-stream data to create segments and audiences can use the legitimate-interest loophole, and they will face a reckoning.

Get our complete guide to GDPR, including exclusive research, recent developments, checklists and much more.