With the General Data Protection Regulation (GDPR) approaching, several marketing tech firms are pivoting their business models to avoid the risk of getting their hands slapped.

The EU’s GDPR becomes enforceable in May and stipulates that a user’s data can be used only if that individual gives a company explicit permission. Because companies that are found to be in violation of the GDPR face a fine of €20 million ($22.1 million) or 4% of global revenues (whichever is greater), firms that rely on sensitive data are treading in uncertain waters. Subsequently, several tech vendors have restructured their business models around the looming regulation.

The GDPR contributed to location data company Verve closing its operations in Europe, reported The Drum. In March, cross-device vendor Drawbridge yanked its ad business out of Europe. And in January another cross-device specialist, Tapad, ended its media services and pivoted its business to resemble a customer data platform, which is a tech category that is banking on the GDPR by focusing exclusively on first-party data.

Even the most powerful players in the ad industry are having to tweak their functionalities to adjust to the GDPR. Facebook is beginning to ask users to agree to its new data policies and review their ad preferences. Some industry observers believe the adjustments Facebook is making around the GDPR will fundamentally change how ad targeting works in its platform

While the GDPR could shake up the marketing tech industry if regulators decide to strictly enforce the law, few companies are completely ready for the upcoming rule changes. According to a November 2017 survey of IT professionals in North America by data modeling company Erwin, just 6% of respondents were completely prepared for the GDPR.

What makes preparing for the GDPR particular difficult is that people’s interpretations of how the law will be enforced vary widely, and it is expensive to become compliant with the new laws. Half of the companies in a Forrester Consulting and Evidon survey spent at least $1 million to meet GDPR requirements. For some marketing tech companies that run on personal data, it makes more sense to pull their business out of Europe and see how this whole thing plays out.