Earlier this year, the European Union’s General Data Protection Regulation (GDPR) went into effect, radically changing the way data can legally be collected from European residents. As of May 25, 2018, it has become much more difficult for both EU and non-EU businesses to collect personal data online for use in a variety of industries. Chief among the impacted fields is digital advertising.
The GDPR has effectively “affirmed individuals’ rights to access and delete their personal data and has heightened data breach notification and consent requirements for companies” (Caitlin Chin, Georgetown Public Policy Review). Basically, more control is in the hands of the people. Consumers have the right to object to direct marketing and must give their consent for any other marketing activities. What do these new rules mean for marketers if they cannot collect, use and store consumers’ information as freely as they have in the past? There are certainly implications that businesses need to take into consideration, even if they are based outside of the EU.
There are several ways businesses and marketers have had to change the way they work in order to comply with the rules of the GDPR. They have been sending consumers consent requests, opt-in emails, updated privacy policies and terms of use. If a consumer objects to direct marketing, the organization must agree to cease. In addition, certain organizations are required to hire a Data Protection Officer, if they don’t already have one. Some companies, such as the LA Times and Chicago Tribune, have even chosen to completely block their websites to EU users temporarily or permanently, due to difficulty following the mandates of the GDPR.
The worldwide response to the GDPR has been controversial. In the wake of major data breaches in recent years, it would seem natural to see a call for stricter privacy guidelines everywhere. It feels as though every week there is a new headline about a company’s data being compromised. And while many have taken a strong stance toward more directives, there are still several countries and powerful financial regulators that have been looking for exemptions or loopholes to the new laws. It is still too early to tell, but this could be an indication that the rest of the world is not so eager to follow suit. According to Nicole Lindsey of CPO Magazine, the European Securities and Markets Authority (ESMA), the U.S. Commodities and Futures Trading Commission (CFTC), the U.S. SEC, Japan’s Financial Services Agency (FSSA) and the Hong Kong Securities and Futures Commission are among those looking for exemptions. Mainly, these regulators claim that exceptions need to be made in cases that would result in the best interest of the public, such as trying to stop financial fraud across national borders. While this may seem like a reasonable exception, there is still another set of critics who say that the GDPR will hurt small businesses who don’t have the resources to deal with all the new guidelines.
However, there has been some evidence to show that this may be the way other parts of the world are headed. While the US does not currently have a comprehensive nationwide privacy policy, the state of California passed a bill similar to GDPR over the summer. Known as The California Consumer Privacy Act (CCPA), the law will not formally go into effect until 2020. Analyzing the distinct similarities and differences between the CCPA and the GDPR is a discussion for another time, but you can learn more about CCPA at caprivacy.org. Law firm Arnold & Porter has also done a thorough comparison if you’re looking for further details.
Passing this kind of act in a huge state like California will have an enormous impact on the global market as well. Companies are already trying to figure out how they will navigate around this set of new rulings. There is a worry, though, that other states may jump on the bandwagon and develop their own versions of these privacy policies. This would create a potential nightmare for marketers, who would then need to make sure they follow proper protocol in each individual state, on top of the GDPR (George P. Slefo, AdAge). Yet this oppressive weight on companies may be what the federal government needs to see in order to spur the policymakers to pass nationwide laws.
Since this is a new era, it’s common for all the fears and worries to be at the forefront of any planning or strategizing. Even so, it is important to realize that there really are some benefits and opportunities for those who choose to see them.
- GDPR compliance, and compliance with any new laws to come, can build serious consumer trust. More trust means more business. A 2014 Pew Research Center study found that only 7% of Americans believed that online advertisers would keep their data private and secure (Georgetown Public Policy Review). It will be interesting to see how this number increases as people feel that their information is better protected.
- It gives companies a chance to reassess their data collection and storage practices and improve their security, hopefully making them less susceptible to infractions.
- Marketers may be forced to get creative in how they get their messages out there, relying more on contextual targeting, social media tactics and interesting content.
Although it is too soon to adequately gauge the impact of the GDPR on a global scale, and the US market in particular, I think it’s safe to say there is a potential for much to be gained.
It is prudent to educate yourself and your business on all the facets of the GDPR. The penalty for violating the regulations is steep: up to 4 percent of a company’s annual global turnover or 20 million euros, whichever is greater. Fines for disobeying the CCPA promise to be substantial as well. For more information on the GDPR, you can visit the European Commission’s webpage about regulation and data protection – ec.europa.eu.