The European Union’s General Data Protection Regulation goes into effect next month, and analysts are weighing the implications for the two leading digital ad platforms, Facebook and Google. The potential GDPR risks range from fines for non-compliance to falling revenue due to a reduced ability to target users with ads.
These are the GDPR risks
In a note this week, Bank of America Merrill Lynch analyst Justin Post outlined the potential GDPR risks to all internet firms. He recently spoke with Deloitte consultant Paul Hood and came away with a better understanding of what companies will need to do to get in compliance with the new regulations.
The GDPR centers around user data. Whenever companies collect data on their users, they must clearly state what the data will be used for, obtain consent to collect it, and make it easy for users to opt out of having their data collected. Facebook, Google and other online firms can’t just obtain blanket consent for everything. They must obtain consent for each individual purpose of data collection, and it must be clear to users how their data will be used.
Hood told Post that he hasn’t seen many examples of how companies are intending to obtain the consent of their users, but he did warn that the impact on digital ad revenues could be as high as 20% to 30% in the EU, depending on the platform.
Programmatic advertising is most at risk
According to Post, the GDPR risks are the greatest for programmatic advertising because it will be difficult to convince users to give their consent to use their data for targeted ads. Two key platforms that are expected to be impacted the most are DoubleClick, which is operated by Google, and Facebook Audience Network. He doesn’t expect search or News Feed advertising to be impacted to the same extent as programmatic advertising.
He explained that behavioral data which doesn’t identify users, such as their search history, could still be allowed under the GDPR and not subject to the requirements involving user consent. However, he also said that certain targeting options like laying demographic data over behavioral data probably won’t be possible for some users, which means that ad targeting could become less effective.
Post expects GDPR risks and compliance to be an overhang during the second quarter and predicts that investors will be asking for more information on the first-quarter earnings calls. Based on Hood’s estimate of impact to digital revenues, he estimates that GDPR could have a negative impact of 2% to 3% on Facebook’s and Google’s total ad revenues. He assumes that the EU contributes 30% of their revenues, half of EU users opt out, and less-effective targeting results in a 15% to 20% negative impact on their revenues in the region.
The BAML analyst also believes that Facebook and Google are in good positions as far as gaining user consent because of the size of their networks and the value they provide to users.
How big will the impacts on Facebook and Google be?
Deutsche Bank analyst Lloyd Walmsley also spoke with an expert about the GDPR risks recently. He spoke to law professor Ari Waldman regarding the legal impacts of the regulation. Waldman believes that in the early days of the regulation, the EU will simply try to resolve concerns by striking agreements with major players like Facebook or Google before monitoring their compliance and then, if they don’t comply, meting out punishments such as large fines. However, Walmsley also said that Waldman’s interpretation of the GDPR was “relatively more liberal” than the views of others he spoke to about it.
Still, he doesn’t believe Facebook will see much impact to its revenues, and he doesn’t expect the company to have any problems targeting users with ads, despite the concerns others have.