Privacy and Data Protection has been at the forefront of marketing regulatory news over the past year, and it will remain increasingly important as the world becomes more dependent on behavioral data.
The European Union’s (the EU’s) General Data Protection Directive (GDPR) has been in effect since May of 2018. The reach of GDPR goes far beyond the borders of the EU. The GDPR requirements apply to all “controllers and processors” of information regardless of whether they are located within the EU or not. Simply said, this means that if the behavior of EU citizens is being tracked by technology, or if goods and/or services are being offered to EU citizens, the GDPR applies. Thus, the GDPR potentially applies to advertisers, agencies and media companies anywhere in the world, with a database inclusive of EU consumer data, including third party suppliers of such data.
The GDPR requirements, (greatly simplified):
(1) Securing Consent – It is necessary to secure an individual’s consent regarding the ability to gather, hold and/or use their data. Securing that consent is necessary in advance, and that consent must be specific and clear. The consent must be in advance, it cannot be assumed by silence, it must be current, and it must satisfactorily explain how the data is being used. Transparency regarding the nature of use (including any repeated use) is very important. The GDPR also has special requirements about how to secure the necessary consent from a child (defined as under 16 years of age). And—very key is the fact that the EU individual must have ability to withdraw the consent. The “right to be forgotten” is an EU individual’s right. If requested, an individual’s data must be removed permanently from all databases.
(2) Companies larger than 15 employees (and public authorities larger than 10 employees) must have a Data Protection Officer (DTO). There are many roles and responsibilities of the DPO, but overall it is the DPO’s job to ensure that a company is GDPR compliant. Assuring that systems are established, testing those systems, assuring compliance, reporting to authorities, regular data system checks, all fall under the responsibility of the DPO. Every company larger than 15 employees must legally have one.
(3) There are requirements to establish and perform ongoing Data Protection Impact Assessment (DPIA) regarding data being held, and the processing of that data, to ensure GDPR compliance. The ability to assure the authorities that you have systems in place to comply with GDPR is itself a requirement of GDPR.
(4) Data Breach Reporting - The law requires that Data breaches must be reported to local EU data protection authorities within 72 hours of that breach. . Thus, systems and technology are required that enable the detection of such breaches, and company personnel clearly need to be trained regarding response requirements.
And—there are significant fines for GDPR non-compliance!
The EU GDPR law allows that fines for non-compliance can be as high as 4% of a company’s “annual global turnover”. This extraordinary penalty must have rung alarm bells within corporate boardrooms globally. The huge potential penalties certainly were intended to focus the business world to address privacy and data protection, and it has! Although companies have had years to prepare for the GDPR requirements, exactly how to comply, how to stay in compliance, and how severely the regulators would actually enforce and invoke the penalties the new law allows, have yet to fully unfold.
As IAA will remain keenly interested in how GDPR enforcement and interpretation will unfold going forward, the IAA was very interested in the recent fine brought by the French watchdog CNIL against Google. The French CNIL used its powers under GDPR to fine Google 50 Million Euro’s for allegedly breaching the complex GDPR laws. The general basis of the complaint is that Google did not properly secure consent from consumers in advance of sending consumers ads, and that Google allegedly did not fully explain to consumers how or why data was being collected.
The Google case is being appealed, but what we all can learn as we watch this case (and penalty) unfold is that that fines are not only a potential, but that fines will be assessed—and those fines can be huge! Although the first cases may be against the “big guys”, the law applies to companies of all sizes, including those with a lot less to spend on determining how to fully comply with GDPR! Headlines are made by selecting a huge company to fine, but the ambiguity of the GDPR law is dangerously real, and that ambiguity of how to exactly comply could next impact others in the marketing space much smaller. Up to 4% of global turnover is a huge number regardless of your size!
The GDPR is also inspiring new state privacy laws within the United States. California has already passed the “California Consumer Privacy Act” (CCPA) which gives more than 40 Million California residents rights which are similar (yet different) from the GDPR rights delivered to EU citizens. This California privacy law goes into effect on January 1, 2020. Other U.S. states have introduced their own privacy legislation. There is likely to be a federal privacy law “push” this year in Washington DC, due to (if nothing else) the risk of fifty different states introducing varying versions of their own privacy laws!
Privacy is not a simple matter-- The GDPR cannot be applied in “cookie cutter” fashion globally. Data is the DNA that enables the smooth flow of the digital information economy. The advertising and marketing industry is dependent upon respecting consumer privacy and adherence to the established laws. The industry has created self-regulatory systems (such as the Digital Advertising Alliance https://digitaladvertisingalliance.org) in some markets to address consumer access to data and control over use of their data. More self-regulation is needed, and more education about privacy laws, and self-regulatory efforts is certainly to be encouraged.
The GDPR law as outlined above was greatly simplified. The GDPR legal requirements are complex and there is need to seek legal counsel with privacy/GDPR expertise to assure your company, your database, your suppliers, and your systems are compliant.
We invite IAA members to submit comments/opinions on matters of regulatory interest for review.