A recent webinar from the British Direct Marketing Association gave a surprisingly low-key report on the outcomes of GDPR on marketing a year on from implementation. According to the DMA, 78% of British marketers felt it was the best way to handle data protection, although only 33% believed that it had had a positive impact on their efforts. Consumers, on the other hand, reported overwhelmingly that they now felt more in control of their data.
However, the IAPP (International Association of Privacy Professionals) has produced a white paper which indicates that the different privacy commissioners in Europe, responsible for administering and enforcing GDPR, are only just getting going. Here are some numbers from IAPP:
- In the year since GDPR came into effect, more than 500,000 Data Privacy Officers have been appointed by organizations
- 280,000 concerns have been reported by consumers, of which 144,000 are complaints and 89,000 data breaches
- Most of the complaints relate to data subject rights including access requests and processing
- While “only” €56 million in fines have so far been levied – dominated by the €50 million fine on Google – many more are on the way as the case load of complaints works through.
And what of the future? Advertisers need to take note as adtech seems to be a top priority. Ireland’s data commissioner told the IAPP that they will focus on adtech, especially profiling, sensitive data usage, and geolocation. The UK commission, the ICO, will also focus on adtech and has begun a fact-finding process including a review of programmatic advertising and data brokerage. Germany has already declared its hand, and promises that its ePrivacy laws will require explicit opt-in for re-targeting and tracking even with pseudonymized data.
A rather apocalyptic version of what a GDPR-type regulation might look like in the United States was presented to Congress earlier this year by Dr Roslyn Layton, a Visiting Scholar at the American Enterprise Institute. To be fair, some of her criticisms of GDPR are accurate. It is true that larger organizations have found the mandates and structural requirements easier to deal with than SMBs because they can leverage more resources. It is no accident that in the webinar noted above the DMA picked out the BBC, the Guardian Media Group, and the RSPCA, a major charity, as good examples of transparent communication. Well, no shortage of either creative or legal clout in those institutions. (Although the same applies to Google, who were fined in France for oblique and confusing consent notices.)
However, two other points from Dr Layton are misleading.
Firstly, she asserts that GDPR is about data protection rather than privacy. Really? This seems to be based on the fact that the “P” stands for Protection, not Privacy. But GDPR makes it clear that the rights and control of data by the consumer are paramount: they have the right to ensure that data is used correctly, and they have the right of access and to be forgotten. Protection yes, but also safeguarding privacy.
Secondly, she believes that it will lead to a deleterious impact on Europe’s adtech and martech industry. This is possible – but apart from the fact that it is too soon to tell, it may make European companies more dexterous in adapting software to be GDPR compliant. And therefore better able to work in other countries where data protection is also strict. In other words, in almost every country apart from the US.
It is unlikely that GDPR or anything like it will become Federal law in the United States. Apart from anything else, it would be hard to administer and enforce, never mind any First Amendment concerns or the anti-regulation stance of the current administration. But the new California law coming into effect in January, the California Consumer Privacy Act (CCPA), is likely to be widely adopted by other states and, like car emission laws, to become “de facto” law almost everywhere.
In some respects, CCPA can be viewed as a “GDPR lite”. It will give Californians the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say “no” to the sale of personal information.
- Access their personal information.
- Equal service and price, even if they exercise their privacy rights.
The main difference is that whereas in Europe the data owner or controller has to proactively reach out to the consumer or data subject, in California the data owner must be prepared to answer and address issues, complaints, and concerns. So while the “front end” of compliance is different, the “back end” is remarkably similar. California data owners will have to track data flows and storage much more rigorously than in the past.
If you are already doing business in Europe or many other places, you will already have addressed these requirements. If you haven’t, then start with the following actions:
- Make sure you know where your data comes from, where it goes to, how it is used, and how it is stored, across all platforms. In other words, double down on data governance processes.
- Review your reliance on third-party data.
- Set up a cross-functional team to review your use of all data from marketing to HR – what it is used for, how it is collected, how long you keep it, and whether you need so much of it for so long.
- Ensure you have training processes in place for all staff handling data.
- Check your privacy policies are up to date and regularly reviewed.
Apart from new regulations, consumer expectations of transparency, security, and respect for their data are rising. This contributes to a strong customer experience