GDPR (General Data Protection Regulation)
EU privacy regulation requiring explicit user consent for personal data collection and processing.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union in May 2018. It governs how organizations collect, store, process, and share personal data of individuals located in the EU and European Economic Area (EEA). For publishers, GDPR primarily affects how you collect and use visitor data, deploy cookies and tracking technologies, and work with ad tech partners who process user data for targeted advertising.
GDPR applies to any website that serves users in the EU, regardless of where the publisher is located. A US-based publisher with EU traffic is still subject to GDPR requirements. Non-compliance can result in fines of up to 4% of global annual revenue or 20 million euros, whichever is higher.
Why It Matters for Publishers
GDPR has fundamentally changed how publishers monetize EU traffic. Before GDPR, publishers freely deployed tracking cookies and shared user data with dozens of ad tech partners for targeted advertising. Now, publishers must obtain explicit, informed consent from EU users before setting non-essential cookies or sharing personal data with advertising partners.
Without proper consent, publishers cannot serve personalized ads to EU visitors, which significantly reduces CPMs. Non-personalized ads typically earn 50-70% less than targeted ads. This makes proper consent management implementation critical for maintaining EU revenue.
Best Practices
- Implement a Consent Management Platform: Use a certified CMP (like Cookiebot, OneTrust, or Quantcast Choice) to collect and manage user consent in a way that meets GDPR requirements.
- Support TCF 2.0: The IAB's Transparency & Consent Framework standardizes how consent signals are passed to ad tech partners. Most major SSPs and DSPs require TCF 2.0 compliance.
- Offer genuine choice: Consent must be freely given. Consent walls that block content entirely for users who decline cookies face legal challenges in many EU jurisdictions.
- Audit data flows: Map all the personal data your site collects and shares with third parties. Ensure every data flow has a legal basis (consent, legitimate interest, etc.).
- Maintain records: Keep detailed records of consent — when it was given, what was consented to, and how the user was informed. GDPR requires demonstrable accountability.
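One concrete way a page can act on the TCF 2.0 consent signal the best practices above refer to, as an added example that is not part of this page or of any CMP vendor's code: it decides whether a partner's ad request may be personalized, must fall back to non-personalized, or must wait for the CMP. It assumes the TCF v2 `__tcfapi` browser API, assumes the partner needs consent for purposes 1, 3 and 4 to personalize (a real partner's required purposes come from its own documentation), and uses a placeholder vendor id.

```javascript
// Added example (not from this page or any CMP vendor): gate personalized
// ad requests on the IAB TCF 2.0 consent signal delivered by the CMP.
// Assumptions: the partner needs consent for purposes 1, 3 and 4 to
// personalize; vendor id 999 is a placeholder, not a real TCF vendor id.
const REQUIRED_PURPOSES = [1, 3, 4];
const PARTNER_VENDOR_ID = 999;

// Map a TCData object (shape defined by the TCF v2 spec) to an ad mode:
//   "wait"             the CMP has not delivered a usable signal yet
//   "personalized"     GDPR does not apply, or the user consented
//   "non-personalized" GDPR applies and consent is missing or withheld
function decideAdMode(tcData) {
  if (!tcData) return 'wait';
  // gdprApplies === false: the CMP determined the user is out of scope.
  if (tcData.gdprApplies === false) return 'personalized';
  // gdprApplies undefined: scope not yet determined, do not fire ads.
  if (tcData.gdprApplies === undefined) return 'wait';
  // Act only on a final signal, not while the consent UI is still open.
  const finalStates = ['tcloaded', 'useractioncomplete'];
  if (!finalStates.includes(tcData.eventStatus)) return 'wait';
  const purposes = (tcData.purpose && tcData.purpose.consents) || {};
  const vendors = (tcData.vendor && tcData.vendor.consents) || {};
  const purposesOk = REQUIRED_PURPOSES.every((p) => purposes[p] === true);
  const vendorOk = vendors[PARTNER_VENDOR_ID] === true;
  return purposesOk && vendorOk ? 'personalized' : 'non-personalized';
}

// Wire the decision to the CMP's __tcfapi entry point, if one is installed.
// onDecision(mode, tcString) fires for each final signal; the caller passes
// the TC string (or null) on to the ad partner with the request.
function gateAds(onDecision) {
  if (typeof window === 'undefined' || typeof window.__tcfapi !== 'function') {
    // No CMP on the page: consent cannot be assumed, so stay non-personalized.
    onDecision('non-personalized', null);
    return;
  }
  window.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success) return onDecision('non-personalized', null);
    const mode = decideAdMode(tcData);
    if (mode !== 'wait') onDecision(mode, tcData.tcString || null);
  });
}
```

gateAds must run before any ad tag that sets non-essential cookies is loaded, and the non-personalized branch still needs the partner's own non-personalized request mode to be enabled.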