**There is the law of unintended consequences. And then there is GDPR. **
The European Union’s massive regulatory effort to protect user’s data and privacy was originally “built” to protect users and regulate the market dominance of Google, Facebook and Amazon among others. But it appears in the early going, the law is actually going to benefit “Big Tech” more than anyone else. The law has actually empowered these companies because they will still be able to obtain or have access to first-party data that other publisher’s won’t be able to touch. And they are allowed to use that first-party data and the network potential they have that the rest of the world simply doesn’t have.
Big Tech, of course, is privy to all sorts of “co-mingling” that consumers are actually used to and comfortable with. For example, if someone provides consent as a user in YouTube.com, then that data can be processed and provided to other applicable Google entry points with advertising and be retargeted according to an individual’s user behavior/navigation on Google.com. This can cover billions of users.
The same is true for Facebook and Amazon. These sites have all the services that people are comfortable using and most will naturally opt in for it and provide their consent. But by limiting smaller publications or players in the ecosystem via explicit consent, it makes it difficult because, being a smaller publisher, you may not get the consent. The big guys have a real advantage because of their entry points, the amount of users on them, and the range of data they would have to retarget them on.
Instead, the burden of implementing GDPR was placed on all publishers regardless of size. Instead of acting like sort of a “tax” on Big Tech, the law has achieved quite the opposite, adding friction and challenges to all publishers while further empowering the strongest out there.
You can see this just by taking a look at the law’s implementation. Publishers were forced to develop and deploy the consent mechanisms, like CMPs, to ensure GDPR compliance for itself and its clients. It’s simply a major headache for some. And, yes, many publishers outside of the EU avoided the headache by turning their sites off completely for EU traffic. And in most cases, they remain turned off to this day.
It is the opinion of many now that GDPR’s implementation should have been managed at the browser or operating system level. The execution would have been much smoother because, really, there’s only two players you would have to worry about; iOS and Android. If the major operating systems implement consent mechanisms, then you’ve taken care of all possibilities in one fell swoop. That’s what was originally promised. But instead, each publisher had to do this on their own, which can only lead to more questions, more lawyers and, apparently, more annoying pop ups than users can ever imagine.