According to Dr Johnny Ryan, head of ecosystem at analytics firm PageFair, Google and Facebook risk seeing their current business model disrupted when the General Data Protection Regulation (GDPR) comes into play next year. 

They will be unable to use a ‘service-wide’ opt-in for everything, or to deny access to service users who refuse to opt-in to tracking, which will disrupt how they use personal data for advertising, says Ryan. Some parts of their businesses face more disruption than others. 

PageFair has created a GDPR scale, which maps the levels of risk that companies face, from zero: where a business is already out of scope of the regulation, to five, where it needs opt-in consent, but is unable to communicate with users. 

Many of Google’s products are rated at a risk level of four, which refers to companies that have direct relationships with users but these users have little incentive to give their opt-in consent.

Facebook’s Audience Network and WhatsApp are also rated at a risk level of four.

"Both Google and Facebook have direct relationships with their users, and have a well thought out design for their current privacy requests," says Ryan.

"However, they are not immune to disruption when the new regulations apply. Indeed, some parts of their businesses may be particularly susceptible to them.

"While they can process personal data necessary to provide services that their users request, using these data for any other purpose requires user-permission, or inaction, in the case of out-outs. The critical question for both businesses is whether users will click ‘yes’ when asked to consent."

Full details can be found here.