Forrester principal analyst Fatemeh Khatibloo will speak at AdExchanger's upcoming Industry Preview conference on Jan. 17-18, 2018 at the Grand Hyatt New York.

If marketers and publishers don’t know how many third-party tags lurk on their sites, Europe’s General Data Protection Regulation (GDPR), which takes effect in May, will change that.

“A client will tell me, ‘We use this vendor and that vendor,’ but then I’ll pull up a Ghostery tracker map on their site and ask, ‘Well, what about these other nine vendors getting your user data – do you also have a contract with them?’” said Forrester principal analyst Fatemeh Khatibloo. “And they’ll say, ‘But we stopped doing business with those companies a year ago.’”

“Well,” she said, “the code is still on their site and it’s still getting data.”
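The check Khatibloo describes, pulling up a tracker map to find vendors a site never contracted with or stopped working with, can be started from the page source itself. The script below is an added example, not code from the article, Forrester or any tracker-mapping product: it parses a saved HTML page for resource-loading tags (scripts, iframes, images, stylesheet and preload links), resolves their URLs against the page URL, and groups every host outside the first-party registrable domain. The sample page and all vendor hostnames are constructed for the example; the registrable-domain rule is a deliberate simplification that assumes no multi-label public suffixes such as co.uk.

```python
"""
Static inventory of third-party hosts a page's HTML will cause the browser to contact.
Added example; the sample HTML and every hostname in it are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch a resource (and so send a request,
# with cookies and referer, to whoever runs that host).
LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
}

# <link> only triggers a fetch for some rel values; rel="canonical" etc. do not.
FETCHING_LINK_RELS = {"stylesheet", "preload", "prefetch", "dns-prefetch", "preconnect", "icon"}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of everything the markup loads."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for name in wanted:
            value = attrs.get(name)
            if value:
                # urljoin also resolves scheme-relative "//host/path" forms.
                self.urls.append(urljoin(self.page_url, value))


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no multi-label public suffixes (co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def third_party_hosts(html, page_url):
    """Return {host: [urls]} for every loaded host outside the page's registrable domain."""
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host or registrable_domain(host) == first_party:
            continue  # own CDN/subdomains are first party under this rule
        found.setdefault(host, []).append(url)
    return found


# Constructed sample page: one stale vendor tag, one tag manager, one tracking pixel, one ad frame.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example-publisher.com/story">
<script src="https://cdn.example-publisher.com/app.js"></script>
<script async src="https://tagmanager.example/container.js?id=ABC"></script>
<script src="//tags.old-vendor.example/pixel.js"></script>
</head><body>
<img src="https://track.another-vendor.example/1x1.gif?uid=123">
<iframe src="https://ads.third.example/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    report = third_party_hosts(SAMPLE_HTML, "https://www.example-publisher.com/story")
    for host in sorted(report):
        print(host)
        for url in report[host]:
            print("   ", url)
```

Run against a saved page, the output is the list of hosts to reconcile against the vendor contract list. Two caveats: the static inventory is a lower bound, because a tag manager or any vendor script can inject further tags at runtime, so a real audit also needs a browser session with network capture (or a tracker-map tool such as the one mentioned above); and the two-label domain rule will misclassify hosts under suffixes like co.uk, so substitute a public-suffix-list lookup for production use.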

AdExchanger spoke with Khatibloo.

AdExchanger: What is the No. 1 piece of GDPR-related wrongheadedness that makes you crazy?

FATEMEH KHATIBLOO: That GDPR is going to destroy the data brokerage industry. There’s a lot of FUD [fear, uncertainty and doubt] around GDPR, and it’s understandable.

Marketers are notoriously terrible at paying attention [to things that won’t] cost them something. When privacy practitioners try to get marketers and businesses to listen up about GDPR, they talk about the 4% fine. Few will be hit by that, but it’s still being held up as something that will run thousands of companies out of business.

The other bit of baloney I’d really like to see marketers stop parroting is that GDPR doesn’t apply to them. So many clients I talk to have been told, even by their lawyers sometimes, that GDPR doesn’t apply to them, because they don’t do business in Europe – and that is just not true.

The ad tech ecosystem can’t function as is under GDPR. What has to change?

Beyond ad tech, I don’t think the entire advertising and digital ecosystem can continue to operate the way it does. There is too much opacity and marketers need better control of their user data.

The middleware vendors, those vendors that sit one layer beneath the companies that publishers or advertisers sign contracts with, are at tremendous risk.

That doesn’t necessarily seem like a bad thing.

When publishers tell me they only see something like 12 cents of every dollar spent on advertising on their site – where’s it going? It’s going to the vendors, whether that’s the agency, the DMP, the DSP, the SSP or the layer cake of companies all ostensibly trying to do better targeting and behavioral advertising.

If we agree that they don’t bring enough value to this ecosystem, it changes the balance of advertising. That means more money in the pockets of publishers, better quality ads and fewer, less intrusive ads – and now we’ve actually started to solve the ad blocking problem, too.

Do third-party vendors have any chance at obtaining consent or an opt-in?

Some vendors are hiding behind legitimate interest, anonymization or using data at the aggregate or segment level, but they don’t have a first-party relationship with the consumer. That will fly for some of these guys. What they aren’t considering, though, is whether ePrivacy comes to pass in the format it’s in now.

Millions of lobbying dollars are being thrown at making legitimate interest a legal basis for processing data under ePrivacy, but if that’s not successful, it doesn’t matter if GDPR provides a legal basis. The vendors heading this way are more interested in being compliant with the letter and not the spirit of the law.

How often are European citizens likely to invoke their various data subject rights, like the right to be forgotten, the right to access and the right to object to data collection?

Two things will happen. After the first big media push around the fact that people have these new rights, a whole group of people, mainly armchair activists, will go through every spam email they’ve received and send tons of data deletion requests.

But what’s more interesting to think about are browser plugins people use to get a little more privacy or do some truly incognito browsing. These types of plugins have a not insignificant adoption rate. Very quickly, we’ll see simple tools created that automate deletion and portability requests and it’s going to open up that world to a lot of people who might not otherwise have made requests because it looked too difficult.

May is just a few months off. Where should companies be at this stage in terms of preparation?

There isn’t a single answer and companies have different levels of risk tolerance and exposure.

But if you’re a company with headquarters or employees in Europe, you’d better be 65% to 70% of the way to compliance by now. At this point, you need to be doing UI testing for data management and cookie management and thinking about third-party data disclosure. You should also have named a data protection officer by now and have your data flows completed.

But companies mainly in North America with maybe 1% or 2% of their business coming from Europe a year have limited risk exposure. I’d want them to have started on the process of asking how exposed they are and what they need to do to get their data house in order in case a regulator does come calling, but these are not folks that are going to be compliant by May 25. They’re hanging back and watching to see what enforcement actions the data protection authorities will actually take.