In the three years since the General Data Protection Regulation was enacted, advertisers, agencies and publishers have been chattering about what this landmark proposal means for the future of the industry. Designed to protect and oversee consumer privacy for European residents, GDPR sought to shift data control back to the people.

It’s helpful to gauge the overall effects GDPR has had on advertising, where legislation goes from here, and how marketers should deal with the implications in the years to come.

A game-changing moment for the industry

Let’s take a look back at a moment in 2016 when PokémonGo mania was raging and hordes of people traipsed their nearest park and Main Street in search of Pikachu. At the same time, digital advertising was experiencing its own mania. For the first time in history, advertising spend on digital was outpacing that of TV, driven by search, mobile and programmatic, and that chasm has continued to grow since that turning point.

While it proved to be a banner year for ad spend, 2016 also forced a host of serious issues out of the shadows. Trust - among the industry as well as between the industry and consumers - had long been an issue bubbling under the shiny digital Lumascape. Increased demand for transparency, particularly within programmatic, followed the increased spend across the board.

Three years ago, ad fraud had become fairly rampant, and advertisers started demanding to know exactly where their dollars were going. To deliver this transparency, the IAB Tech Lab rolled out the Authorized Digital Sellers (ads.txt) text file initiative, creating a route for publishers to weed out bad supply sources and clearly identify the companies allowed to sell their inventory.

The level of trust within the industry has gone up significantly and continues to get better with subsequent updates to the initiative. While trust may have improved within the industry, ads.txt did little to silence the voices calling for better consumer data transparency. Enter GDPR.

Built to cover the full gamut of consumer privacy, two of this regulation’s most significant articles - Right to be Forgotten and the Privacy by Design and By Default - are clearly directed at advertising.

The first major targets of the privacy regulations were placed on tech giants Google and Facebook. The former failed to clearly spell out how the data would be used, hid opt-ins throughout their agreements and even had opt-outs resulting in a hefty fine of 50 million euros (about $56 million). Facebook’s data breach failures could cost them upwards of $1.6 billion. And these aren’t the only U.S. companies in hot water over GDPR, hundreds of other cases are pending across Europe against U.S. companies.

How privacy regulation made its way from Europe to the U.S.

When Apple CEO Tim Cook stated, “privacy is a fundamental human right no matter what country,” many U.S. regulators took notice. This movement is not just something that’s happening “over there,” as many GDPR-inspired bills are now popping up at the state level. The California Consumer Privacy Act (CCPA) is set for launch in January, with several other states crafting their own privacy legislation. Just recently, U.S. senators proposed a new bill prohibiting web companies from collecting more data than they need. Even the advertising industry is taking this seriously now, with the 4A’s, ANA, IAB and NAI trade organizations forming Privacy for America to push for strict federal consumer privacy guidelines.

All of this reflects a broken relationship between consumers and advertisers. Data breaches and hot-button controversies like Facebook’s Cambridge Analytics scandal have further chipped away at the public trust. The industry has failed to deliver on the promise of content and better advertising experiences in return for their data. In fact, a recent RSA study showed only 29 percent of respondents agreed that sharing their data led to more relevant experiences.

Where can digital advertising go from here?

How can marketers create personalized brand conversations and targeted ads when user data has become so toxic, not to mention costly to collect and handle?

One way to improve consumer-brand experiences while delivering highly targeted messages is to target the content itself, not the user. Targeting based on content data can insulate marketers from GDPR by attaching messages in relevant environments where the consumer has declared clear intent. In essence, the content allows marketers to create natural “lookalikes” to target their messages.  

Some are claiming GDPR, CCPA and other privacy regulations are the death knell of programmatic. In reality, programmatic will continue to be strong in a post-GDPR world, but it will need to upgrade its fuel. Buyers will need to adjust their bidding models to increasingly rely on the content, not user data.

To do all of this, advertisers must start investing in content data collection and analysis with the same fervor they had done previously with user data. This will not only provide privacy-safe targeting options but will also insulate brands from ongoing brand safety issues plaguing digital media.

Already, GDPR has gone a long way toward driving the industry forward by forcing advertisers to reconcile with longstanding user data issues.

Gil Becker is CEO of AnyClip, a video intelligence company working with publishers and advertisers.