The Impact of GDPR on Publishers

By Christopher Reid |
July 05, 2018

Ad Ops & Digital Publishing News - Sortable

Christopher Reid

It’s a new world post-rollout of the General Data Protection Regulation (GDPR), a European digital privacy law with global economic impact. An enormous amount of time, energy and expense has been spent across the digital advertising industry – from SSPs and DSPs, to publishers, marketers and networks – to integrate these new consumer privacy protections into their businesses. And with good reason too, as we review publisher GDPR decisions and the costly impact on fill, CPM and revenue.

A Quick Summary of GDPR

On May 25, 2018, GDPR pushed the digital advertising industry to comply to stricter regulations around how they handle personal data and privacy from European Economic Area (EEA) citizens. And it wasn’t only businesses based in France or Germany. While the new data privacy law was aimed at aligning different legislations and interpretations across European countries, publishers based outside of the EEA, including Canada and the US, were also accountable. All companies offering goods or services to EEA buyers or who tracked their online activities were now required to obtain consent from users with respect to what data they collect and who they shared it with. Implied consent as an advertising business model became obsolete.

Costly to Publishers

Everyone scrambled into the final hour to understand and meet compliance with some ad tech monoliths like Google waiting until after go-live date to fully clarify their position around the IAB Framework. Why? Because the cost of GDPR was mounting in every direction.

  • Fines: Publishers found using data without consent were liable for up to 4% of annual global revenue or €20 million in fines.
  • Dirty vendor chain: Publishers that retained vendors who fell outside of the Global Vendor List risked revenue in the short and long run.
  • Consent options with varying costs: Publishers had several implementation options for desktop and mobile web consent, each carrying a level of risk to revenue and requiring integration efforts. Publishers who tried to avoid the intensive process of communications, audits, and platform integrations did so at the expense of their programmatic ad revenue. Serving untargeted ads, or serving no ads to visitors resulted in a performance dip for publishers with an EEA audience base. 

Observed Trends in Publisher Decisioning

Sortable’s GDPR implementation across hundred of publishers have netted some trends in aggregate. In a review of publisher decisions around GDPR we saw three things:

1. A standardized CMP (consent management platform) approach positively impacts revenue trends.

Sortable aggregate data from publishers who chose not to implement a CMP (Figure 1) shows that CPMs or impressions drop off significantly after May 25, 2018, when GDPR went into effect.

The red line shows the CPM trends for the same group of publishers in non-EEA countries, which indicate that the lack of a CMP is significant. The CPM trends are not a result of normal month-to-month and seasonal cycles.

Figure 1. Net CPM in GDPR v. non-GDPR Countries

Net CPM in GDPR vc Non-GDPR-01


Sortable aggregate data from publishers shows the impact on fill rate in GDPR vs. non GDPR countries when no CMP was initially implemented (Figure 2). On May 25, there's an immediate impact on fill from not having a CMP. Note that EEA traffic remains consistent. Once a CMP was implemented for GDPR countries on May 28 fill rate recovered back to pre-GDPR levels.

Figure 2. Fill Rate GDPR and CMP Implemented

Fill Rate GDPR and CMP Implemented-02



2. An increase in the number of vendors who were in compliance with GDPR and part of the Global Vendor List positively impacts revenue trends for publishers.

Sortable aggregate data shows the effect on CPM for a group of sites for traffic broken out into GDPR and non GDPR countries (Figure 3). For GDPR countries, at first there was a targeted list of known vendors in the CMP. Around May 28, more vendors were added to the CMP and finally on June 9 the full list of all appropriate vendors was applied to the CMP.


Net CPM in GDPR v Non-GDPR Countries-03

3. CPMs are higher where users have provided consent.

Sortable aggregate data shows the impact on CPMs based on whether consent was provided or not post-GDPR for just over 16 million impressions at the end of June (Figure 4). Included in the dataset is CPMs for the same group of publishers pre-GDPR. Overall, CPMs are higher where users have provided consent. The CPM values as compared to pre-GDPR are either approaching pre-GDPR ranges, or have surpassed pre-GDPR values.

Note: This graph excludes the volume of a given bidder or the participation drop. The total impact on revenue can be quite extreme for certain bidders and ultimately on revenue as you can see some bidders do very poorly without consent.

CPM Values-04



Our data show that having a clean vendor chain, implementing an IAB-compliant CMP, and gaining user consent all work towards positively impacting the bottom line. GDPR implementation and fallout aren’t quite over, based on daily headlines coming from industry publications. And like it or not, publishers with a large EEA audience have witnessed the rollercoaster effect of protecting–or abandoning–that high-value base.


Sortable’s hosted Content Management Platform helps our publishers comply with GDPR, following the IAB standard. Our data warehouse and analytics offering make it possible for us to understand bidder performance and the granular impact GDPR has on our customers. Get in touch with our team of GDPR experts to find out how Sortable can help you manage consent and understand the complexities of regulation while earning more revenue.

Recent Posts

Subscribe to Email Updates