When the General Data Protection Regulation came into force on 25 May 2018, predictions ranged from “nothing will change” to “the end of internet advertising as we know it.” Seven years on, the reality is more nuanced than either extreme suggested - but the direction of travel is unmistakably towards greater enforcement, greater compliance expectations, and a genuine restructuring of how advertising technology works.
The enforcement evolution
The first two years of GDPR produced relatively modest fines and a great deal of uncertainty about how supervisory authorities would approach the complex technical questions raised by online advertising. The €50 million fine issued to Google by the French CNIL in January 2019 was, at the time, the largest GDPR fine issued - and many in the industry concluded it was an outlier directed at a major platform rather than a signal of how regulators would treat the wider ecosystem.
That complacency turned out to be poorly founded. The period from 2021 onwards saw a significant escalation in both the scale and the targeting of enforcement actions. Meta received a fine of €390 million from the Irish Data Protection Commission in January 2023 for its approach to processing personal data for advertising purposes. LinkedIn was fined €310 million in 2024 for similar issues. And critically for publishers, the Belgian DPA’s decision on IAB Europe’s TCF framework - upheld on appeal in 2024 - put the legal infrastructure underpinning most European programmatic advertising under serious scrutiny.
The ICO in the UK has been developing its own enforcement priorities. Its 2024 guidance on cookies and tracking technologies was significantly more prescriptive than previous guidance, and the ICO has indicated clearly that cookie banner dark patterns - the UX designs that make it easier to accept cookies than to refuse them - are in its enforcement sights.
What has actually changed for publishers
For publishers willing to be honest about the period from 2018 to the present, the answer is: less than it should have, but more than it first appeared.
The immediate aftermath of GDPR saw a wave of consent banner implementations, many of them technically compliant in a narrow legal sense while being practically designed to harvest consent through confusion and friction. The accept-all button was prominent and green. The manage preferences option was small and grey and buried. The consequence of refusing consent was often that the site became substantially less functional. These approaches were not what GDPR intended, and they are not what the ICO considers compliant - but they remained widespread because enforcement focused initially on the largest players.
What has genuinely changed is the supply chain. The major demand-side platforms and ad exchanges have invested significantly in privacy-preserving infrastructure. The IAB’s Global Privacy Platform and TCF 2.2 represent genuine improvements over the original TCF framework, even if they remain imperfect. Header bidding setups are increasingly capable of passing valid consent signals through the chain rather than losing them in translation. And the major buy-side platforms have substantially reduced their reliance on third-party cookies following Chrome deprecation.
What still needs to change
The gap between technical compliance and genuine respect for user privacy is still wide. The proliferation of consent management platforms has created a market in which the primary competitive advantage is the ability to generate higher consent rates - which, if achieved through dark patterns, is precisely what regulators are trying to stop. Publishers who choose their CMP on the basis of claimed consent rates alone are setting themselves up for regulatory exposure.
The industry’s approach to “legitimate interests” as a legal basis for advertising data processing remains legally questionable. The Article 29 Working Party (now the European Data Protection Board) has been consistent for years in its position that tracking-based advertising cannot rely on legitimate interests in place of consent. Many ad tech vendors continue to claim legitimate interests as their legal basis anyway.
And the use of “consent or pay” models - paywalls that offer users the choice of consenting to tracking or paying a subscription fee - remains an active area of regulatory development, with the EDPB having issued guidance that places significant constraints on how such models can be implemented.
The path forward for independent publishers
For independent publishers, the picture that emerges from seven years of GDPR is one that should actually be encouraging. The regulation was always intended to create a more level playing field between users and the companies that process their data. It has also, in practice, created a more level playing field between large publishers with sophisticated legal and technical teams and smaller publishers without those resources - but only if the smaller publishers invest in getting compliance right.
The publishers who have done so - who have implemented genuinely compliant consent management, migrated to contextual or first-party data advertising, and built transparent relationships with their readers about how data is used - are not just compliant. They are more trusted. They have lower ad blocker rates. They have better reader retention. They have advertising partners who are willing to pay premium rates precisely because the advertising environment is clean and compliant.
Seven years in, GDPR is not going away. The enforcement trend is upward, not downward. The publishers who are still treating compliance as an afterthought are running out of time to change that approach.