The Media Trade Upgrade: What programmatic traders need to know about data privacy regulations

What Programmatic Traders need to know about data privacy regulations, GDPR, CCPA, and DSP impact.

If you’re a programmatic media trader, you know how much it takes to keep clients, account execs, and other stakeholders happy. You’re expected to launch, optimize, and measure campaigns that exceed KPIs. Your QBRs are high-stakes, and you know what it means to feel spread thin. (You might not really have time to read this blog post, so we’ll keep it as clear and actionable as possible.) 

One complex factor shaping the programmatic media ecosystem is the rise of data privacy regulations. No matter what DSP you prefer in terms of media inventory, user interface, and navigational toggles, all DSPs must comply with GDPR and CCPA regulations. Here’s the quick lowdown of what you need to know about how data privacy regulations impact your day-to-day as a programmatic media trader. 

Which data privacy regulations matter to programmatic media traders?

The two biggest data privacy regulations you need to be aware of are GDPR and CCPA — but other regulations are on the horizon, both in the US and in the EU. Although GDPR applies to the European Union and CCPA applies to California, the internet is global. It’s more efficient for a site or app to ensure GDPR and CCPA compliance for all its users, rather than having multiple versions for GDPR, CCPA, and everybody else. 

Before we dive into how these data privacy regulations relate to DSPs, let’s define what they are and what they mean. 

GDPR and Beyond: Why European laws matter so much in the US

Remember how cookie consent windows popped up everywhere back in 2018? We have GDPR to thank for that. User experience improved slightly in 2020 after the European Data Protection Board (EDPB) issued additional guidelines to make it easier for consumers to choose their cookie preferences. 

At the heart of GDPR is the principle of Privacy by Design, also known as Privacy by Default. This means that companies can only collect data if it’s necessary for a specific purpose — not just because it’s available. Most importantly, companies can’t collect personal data without the individual’s consent.

Privacy by Default empowers users to explicitly choose how their personal data is collected or used. This marks a huge change from “implicit consent,” where simply visiting a website “granted” consent to collect personal data via tracking tools like cookies. Under GDPR, consent must be freely given, specific, informed, and unambiguous.

All sites that allow traffic from EU users must comply with GDPR. Additionally, if a company’s data-processing activities are considered “high-risk,” they must file a DPIA (Data Protection Impact Assessment). Examples of high-risk activities that trigger a DPIA include:

  • Location tracking
  • Marketing to children
  • Processing biometric or genetic data

While GDPR is an undeniably important step forward for consumer rights, it’s also created complications for businesses as they adapt to data protection standards. GDPR has significantly impacted DSPs by requiring greater transparency, fairness, and accountability in collecting, processing, and using personal data. DSPs must comply with GDPR regulations to avoid potential legal and financial penalties, and to maintain consumer trust and confidence.

A final note on European privacy laws that will impact marketers and advertisers: keep an eye out for two new pieces of regulation, DSA and DMA. We’ll cover these in more detail soon!

CCPA: California Consumer Privacy Act

Since 2020, the California Consumer Privacy Act (CCPA) has applied to companies doing business in California if they meet certain criteria, including:

  • Annual revenues above $25 million.
  • Collecting personal information from more than 50,000 consumers. 

While CCPA is “just” a state law, California is poised to become the world’s fourth-largest economy; California regulations have resounding implications far beyond the state’s borders. Penalties for non-compliance can include fines of up to $7,500 per violation, not to mention potential lawsuits and reputational damage.

Like GDPR, CCPA gives California residents the right to know what personal information companies collect, and to request deletion of their personal data. CCPA also requires companies to disclose whether they’ve sold or shared personal information with third parties. Consumers have the right to easily opt out of companies selling their personal data. Finally, CCPA prohibits companies from discriminating against consumers who exercise these privacy rights. Consumers must have access to the same products and services regardless of opt-in/opt-out status. 

3 Takeaways: Impact on programmatic media trading and DSPs

1. Programmatic campaign performance

Consumers trust and prefer brands that protect their customers’ privacy. As a programmatic media trader, your choices around targeting and inventory selection are connected to how companies protect consumer data. Fortunately, every DSP has privacy regulations built in under the hood — but it’s still important to understand data protection and how it can impact your campaigns and KPIs.

Why this matters for programmatic media traders:

  • Improved brand lift: consumers’ preferences for brands that protect their data can have a lasting impact on brand perception and customer loyalty.
  • Reduced campaign reach: limitations around location tracking can reduce audiences reached via geotargeting.

2. DSP data collection, processing, and storage

More personal data = more accurate targeting by DSPs and higher ROAS.

As ad tech waits for cookies to die out, stakeholders are prioritizing privacy-compliant first-party data like consumer email addresses and purchase history. DSPs buying ad space on behalf of brands are involved in collecting, processing, and using this kind of personal data. However, under data privacy regulations, advertisers and DSPs must obtain explicit and informed consent from users before gathering or using this personal data. This means DSPs must provide users with:

  • Clear and concise information about data collection, usage, and sharing.
  • Easy ways to opt out. 
  • Access to view, modify, and delete their personal data at any time.

Data protection regulations impact DSPs in other ways, including:

  • Investing in tools and processes to ensure secure and confidential data collection and processing.
  • Keeping records of the DSP’s data-processing activities.
  • Providing these records to regulators upon request.

Why this matters for programmatic media traders: 

  • 92% of consumers appreciate companies giving them control over data collection. [1]
  • 83% of consumers are concerned about sharing personal data online. [2]
  • Collaborate with account managers to understand clients’ first-party data collection methods.

3. Algorithms and Transparency: Audience targeting and real-time bidding

Agencies and DSPs are all keen to leverage first-party data to improve targeting, ultimately making the media spend more efficient. For example, first-party data is super helpful for retargeting campaigns or building lookalike audiences. That’s all well and good, but DSPs must be transparent about how they use automated decision-making, such as algorithms used for targeting and bidding. Additionally, DSPs must provide a way for users to request human intervention in the decision-making process. DSPs’ algorithms need to be transparent, fair, and non-discriminatory.

Why this matters for programmatic media traders: 

  • 81% of consumers have privacy concerns over how AI is used for personalized recommendations. [2]
  • 72% of consumers would stop buying from a company or using a service because of privacy concerns. [1]
  • Keep these stats in mind, especially for retargeting campaigns where ads could feel “creepy” or a little too personal.
  • When building audiences for campaigns, only use first-party data if it was collected in a privacy-compliant way.

Additional resources for programmatic media traders

At Verve, we know how important programmatic media traders are to brands’ and agencies’ success, and we’re here to support you with resources and information, even if you’re not our customer. 

That said, we’re increasingly focused on customer satisfaction and understanding our customers’ needs. We recently brought in Cortney Frank as Verve’s first-ever Director of Customer Advocacy. She’s been in ad tech for over 10 years and has lived the hand-to-keyboard life before. If you ever want to chat about the DSP world, programmatic campaign strategy, or inventory, feel free to reach out to Cortney directly. Open door policy! DM her on LinkedIn.


The Media Trade Upgrade: 5-Minute reads for programmatic traders

We hope you enjoyed the first edition of our new monthly series, The Media Trade Upgrade: 5-Minute Reads for Programmatic Traders. Stay tuned for more great content: blog posts drop the second Monday of every month!

Sources cited:

  1. “State of the Connected Consumer 2020.” Salesforce, 2020. https://www.salesforce.com/resources/research-reports/state-of-the-connected-customer/
  2. “Data Privacy Statistics: Consumer Trust & 1P Data Trends.” CDP.com, 2022. https://cdp.com/articles/basics/data-privacy-statistics-brand-trust/