There's no question the GDPR has anyone who's paying attention on their feet. Talk to any privacy consultant or vendor and they'll tell you: Business is good these days. But there's one group in particular that's got both a lot at stake and a lot of unknowns to contend with ahead of May 2018, and that's the ad tech industry. 

That was clear at yesterday's session, "What Third-Party Compliance Will Look Like for Ad Tech" here at the IAPP's PSR conference in San Diego, California. 

The disruption the new privacy regimes in Europe will cause is largely triggered by the ad tech space's heavy reliance on third-party data sharing. The new consent requirements outlined in the GDPR and the pending ePrivacy Regulation, once that's finalized, are significantly more burdensome than the landscape the industry has enjoyed before now. The new privacy regime will require data controllers to obtain consent from users to share data with third parties. It also calls for the provision of opt-out mechanisms, which one panelist indicated is going to be an uphill battle for the ad tech industry to overcome based on recent surveys about users' willingness to share their data with advertisers they don't have a relationship with already. 

It can sometimes be difficult, given its complexity, for people outside of the ad tech space to understand the widespread panic about how an industry based on data sharing can survive under the impending rules. But TrustArc CEO Chris Babel had some data that might put that into perspective. 

According to PageFair research that polled just over 300 people in September, 80 percent of those surveyed said they would say no to a company asking, "Will you allow us to share your data with third parties and their partners?" Even if the company promised to delete the data within six months. 

A second question asked users to essentially create their own tracking preferences, allowing them to choose whether they wanted to make the default either to delete all tracking, allow only first-party tracking, or reject tracking unless its related to a service they'd requested. Fifty-five percent of those surveyed said they'd reject tracking unless it was strictly necessary for the services they request. Only five percent said they'd opt-in to all tracking. 

That's a nightmare scenario for the ad tech industry, faced with essentially finding a way to get the other 95 percent to change their minds. 

As Oracle's corporate counsel, Pedro Pavon, CIPP/US, put it, many in the privacy space are working at large, global companies. Big ships that move slowly. And moving slowly is a problem when the changes that must be implemented ahead of the GDPR and — perhaps even more daunting to ad tech — the ePrivacy Regulation are complex, complicated and sometimes unclear. 

"If you're in the third-party ad tech space, you want to take the GDPR and ePrivacy really seriously," he said. But there's "a lot of conflicting advice. Depending on which consultancy you speak to, there's a different response." As corporate counsel, Pavon's challenge has been to parse out the good advice from the junk and try to synthesize a compliance plan that makes sense. 

"Most of the proposals that have come my way have flaws in them. Do you do nothing? Do you pick a flawed plan? Do you pick a piece of each of the proposals that you've seen that are good?" The latter has been Pavon's strategy, but he advised privacy professionals to remember that the business is always the ultimate focus. Even if there's a compliance strategy that's good on paper, it might not be a fit for your particular organization and its business functions. It all depends on staffing, resources, methodology, etc. 

"If you lose sight of that, you're going to lose your business folks," Pavon said. And any compliance plan is only as good as the people who follow it. If the business folks aren't invested, your compliance plan in in trouble. 

Beyond that, there's some confusion about what consent even means. And that makes contracting between publishers and third parties difficult. 

"When you say to a data supplier, 'here's the data we need, we're not really sure how you get the consent, but, don't send it to us until you comply,'" that's a sort of troublesome way to do contracts, Pavon said. Or, if you're a supplier yourself and want to be a good actor, it's just as complicated to apply pressure on vendors to get a clear technical explanation of the use cases in which data sharing is happening so you can go get the consent you need, he added.

Babel said the ePrivacy Regulation, were it to be passed in its current form, "would create an almost insurmountable problem for ad tech to do the things that make the industry run. The penalties are severe, the compliance is incredibly burdensome, and it nudges consumers to opt out." 

As for whether that's true, we'll wait on the final version of the ePrivacy Regulation to find out. In the meantime, the GDPR looks to be enough to keep the ad tech industry busy.