Europe’s new data privacy law has put a small army of tech firms that track people online in jeopardy and is strengthening the hand of giants such as Google and Facebook in the $200 billion global digital advertising industry.

The General Data Protection Regulation (GDPR) brought in by the European Union in May is designed to protect personal information in the age of the internet and requires websites to seek consent to use personal data, among other measures.

The ability to track internet users has attracted hundreds of companies that harvest and crunch user data from websites — with or without the consent of the site owner — to form very specific individual consumer profiles.

GDPR poses a challenge to those groups because they all need consent to use the data. While sites often request consent on behalf of the ad tech firms they use directly, uncertainty over whether every link in the supply chain is GDPR-compliant is pushing some to leave Europe altogether.

Concerns about GDPR should, however, benefit Alphabet’s Google and Facebook as their loyal customers are more likely to give consent to carry on using sites, allowing the U.S. giants to keep amassing and analyzing vast amounts of GDPR-compliant data that advertisers will pay to use.

Big publishers such as national newspapers are also likely to keep their readers and believe they can benefit by eventually charging advertisers more for online slots in the knowledge they are compliant with the new EU rules.

“It’s challenging for the digital ecosystem,” said Mark Read, joint boss at the world’s biggest ad agency, WPP.

“But if consumers feel confident that their data is being protected and they understand how it is being used and it’s done with permission, ultimately that should be a good thing for clients and for us,” he said.

Tangled web

From a standing start nearly 30 years ago, the internet has become the largest advertising medium in the world because it allows firms to target consumers with ads based on anything from their browsing history, comments, spending power to location.

Within the tangled ecosystem are multiple firms that help brands and ad agencies connect to sites that fund content with targeted ads. For every dollar spent by an advertiser, about half may go to ad tech groups, according to industry estimates.

When an internet user pulls up a page multiple bid requests are sent into the advertising ecosystem touting facts about the person such as demographics and interests, as well as the nature of the site they are viewing.

That personal data can then pass through a dozen or more ad tech firms before a company or ad agency bids at an auction for space on the website and an advert is loaded. It is that spread of personal data that risks breaking the new EU privacy law.

For example, a firm that provides ads for a website viewed on a mobile phone may use other partners not included in the compliance chain to provide information about a user’s location.

That doubt about compliance is threatening the myriad ad tech middlemen and is also prompting advertisers and publishers to rethink how they share their user data.

“In a world where we are putting the consumer first, there are only going to be so many opportunities for the very colorful ecosystem of companies to obtain consent,” said Andrew Casale, head of the ad group Index Exchange.

Uncertain times

In the midst of the disruption, some ad tech groups are pulling out of Europe. Harry Kargman, founder of the mobile ad firm Kargo, said the company has withdrawn for now because it did not know how GDPR would be applied.

“There is too much uncertainty,” he said. “And I don’t think (that will change) until they apply it in specific cases.”

Verve, a company that helps advertisers target consumers on mobiles based on location, and Drawbridge, a cross-device user data firm, have both stopped operating ad businesses in Europe.

Factual, another company that provides consumer data based on their location, also temporarily scaled back its operations in Europe after realizing the mobile apps it relies on “could not safely claim they were compliant.”

Others groups higher up the food chain have also been hit.

France’s Publicis, one of the world’s top five advertising companies, said it had felt the effect.

“Advertisers were cautious about spending money in supply chains that they weren’t absolutely sure they could target safely or legally,” said Steve King, CEO of Publicis Media.

Kargo’s Kargman expects Facebook and Google to benefit from the uncertainty. The two companies are likely to receive a high ratio of user consent given their loyal customer base, and both own high-quality data because users post likes, dislikes and location, or search for areas of interest on Google or YouTube.

The companies also have deep pockets so can ensure they are compliant, throwing engineers and lawyers at the problem and reassuring brands at a time of uncertainty.

But they, too, have had to make changes.

Facebook lost about 1 million European monthly active users after GDPR and it said a desire by some users to avoid targeted ads is likely to lead to a modest revenue hit.

In response to GDPR, it has asked advertisers to certify they have the proper consent to use any data from third-party brokers, potentially shedding itself of some liability.

Google is also requiring publishers to secure consent when using its ad products on their properties. Marketers and partners also need to now use more of Google’s own services.

It has stopped providing easy access to lists that helped companies evaluate the success of their ads by showing which users clicked on them. Advertisers must now use Google’s Ads Data Hub application to measure the effectiveness of campaigns.

Google declined to comment for this article. It has previously said GDPR is a big change and is working with partners on compliance.

Good news for publishers?

Of the more than 20 executives spoken to by Reuters, from ad bosses to publishers, tech groups, brands, lawyers and consultants, all expect the supply chain to thin out — leaving publishers to potentially receive a greater slice of ad revenue.

“Given the number of actors it could take some time though,” said Phil Smith, head of the U.K. advertiser trade body ISBA.

Leading British sports website GiveMeSport is one publisher hoping the biggest overhaul of data privacy laws in more than 20 years will challenge the system.

“There are too many middlemen and they’ve been eating the cake,” General Manager Ryan Skeggs said. “We’re hoping GDPR will help weed them out. The sites that do well, theoretically speaking, should then make more money.”

Three of the leading U.K. newspaper groups — Rupert Murdoch’s News U.K., The Guardian and The Telegraph — have joined forces in the Ozone Project to sell their online inventory, or ad space, together, offering advertisers access to 39 million users.

Project leader Damon Reeve said publishers had lost control of their data to tech vendors. By compiling only quality inventory, he hopes marketers and publishers will start sharing user data directly — making them less reliant on third parties.

That should provide a boost to the newspaper industry, which is still grappling with the shift online, where ad rates are far lower than those charged for a space in a physical edition.

“By 2020, Ozone could add circa £30 million ($38 million) per annum — not a trivial contribution to a national newspaper newsroom,” said analysts at the consultancy Enders Analysis.

Adam Smith, a director at WPP’s media buying arm GroupM, agreed the focus on user compliance is likely to cut the amount of available inventory. “That feeds into price inflation for the sought-after inventory,” he said.

How long the initial impact of GDPR will last, though, is not yet clear as many consumers — tired of the constant permission pop ups — are just giving consent to access sites. Prosecutors are also yet to bring any cases for data breaches.

But GDPR has ramped up the speed of change in what has been such a fragmented industry. “This kind of consolidation is natural in most maturing industries,” Enders analyst Matti Littunen said. “GDPR has just accelerated it.”