It is no secret that the EU has been slamming Silicon Valley companies with large fines. In June 2017, we saw Google fined a record penalty of $2.7bn for using its search engine to unfairly steer visitors to its own shopping platform.
The EU has a new weapon called GDPR, or General Data Protection Regulation. This landmark privacy regulation has vast implications that many companies and individuals are not yet aware of. And, if you think this EU regulation will only affect companies in the EU, think again. It has a much bigger impact.
GDPR expands the privacy protections of EU citizens, which means that all companies dealing with EU personal data have to comply with the new GDPR regulation. In essence, GDPR applies to organisations worldwide that deal with EU personal data, and it is enforceable by law.
So, if you run a startup based in Silicon Valley and you have a German consumer on your mailing list, then GDPR applies to you. If you run a SaaS platform and receive signups from Denmark, GDPR applies to you.
A short but important note on EU law
Directives and Regulations are two important legal acts in the EU. A directive is a legal act which requires member states to implement the directive individually. Directives can leave member states with a certain amount of room as to how they implement them, as long as they come to the same result.
A regulation, on the other hand, becomes immediately enforceable by law in all member states simultaneously. As such, regulations constitute one of the most powerful forms of European Union law. When a regulation comes into force, it overrides all national laws dealing with the same subject matter and subsequent national legislation must be consistent with and made in the light of the regulation.
GDPR is a regulation and will come into effect in all EU member states on May 25th, 2018. It places many new obligations on organisations as to how they can market, track and handle EU personal data, no matter where an organisation is located.
Disrupted by Legislation
While GDPR will have consequences for organisations worldwide, companies dealing with ads and behavioural data are especially affected. Nowhere else than Silicon Valley do you find a higher concentration of these types of companies. Facebook and Google alone account for one fifth of global ad revenue.
Most of these companies have some profiling or behavioural data on EU citizens. While these companies could in theory avoid servicing EU citizens altogether, this would mean losing out on a major part of their business - and revenue.
Any company using behavioural targeting, geo targeting or device targeting as part of its core business model might see itself disrupted by legislation. Firstly, these companies will not be allowed to use generic all-inclusive opt-in notifications for everything.
Today, you already see tech companies asking for your consent when you use their product. With GDPR, companies are not necessarily allowed to bundle opt-in in one message and take their consent for granted. What you can expect is that consent messages and notifications will become much more granular. Consent should be given with a clear affirmative act, which is specific and unambiguous (see recital 32).
In essence, the more granular you can make your consent gathering, the better. Secondly, if you are an EU citizen, then these companies cannot use your data starting May 2018 unless they receive your consent. And once they start implementing new granular consent notifications, they need to follow strict GDPR requirements.
This includes, for example, the principle of "purpose limitation", which requires that the purpose be specific, explicit and legitimate, and that data not be used for a different, incompatible purpose. EU regulators describe it as follows:
"A purpose that is vague or general, such as for instance 'improving users' experience', 'marketing purposes', 'IT-security purposes' or 'future research' will - without more detail - usually not meet the criteria of being 'specific'."
Thirdly, personal data must be kept in a form which permits identification of visitors for no longer than is necessary for the specific purpose. Data may be stored for a longer period, but only for archiving purposes in the public interest, or for scientific, historical research or statistical purposes (see article 5). Not a word about advertising or marketing.
In short, companies are not allowed to store, for example, behavioural data about your actions unless they have received explicit consent to do so following the requirements defined by GDPR. Fourth, while it may be easy to obtain acceptance for certain uses of personal data, such as when you search or visit a specific page, it may prove difficult to obtain consent for others.
Some advertising and tech companies have no direct relationship with their visitors, which will make it difficult to obtain consent in the first place. And, if the user has very little incentive to give consent, then we'll see companies struggle to make their business models work.
Retargeting is known to be a very effective form of advertising. Retargeting is a way to display ads based on your previous actions. If you see ads following you around based on the clicks or searches you've done, then you know you're being retargeted.
Even if you have a direct relationship with your users, they'll only have a very limited incentive to accept retargeting ads. Retargeting is very much in scope of GDPR and it will be increasingly difficult to implement after May 25, 2018.
Consequences and Opportunities
If I were to consult my crystal ball, I'd predict a drop in advertising volumes from Q2 2018 onwards. This will be accompanied by a higher administrative burden: implementing GDPR software, updating privacy policies and ensuring user controls and data governance are in place.
While this can be viewed negatively, it will likely increase the creativity and incentives used around advertising. With Google and Facebook as two of the major players in this space, we'll probably see incremental tests of new consent notifications up to the GDPR go-live date.
As a startup or established company, you'll find significant business opportunities in GDPR. It is an obvious way to get ahead of competition by analysing the consequences, risks and inherent opportunities. GDPR might just be the fuel your business needs to connect with your visitors in a trustworthy way.
You have the chance to take a consumer- and business-centric approach that will enable your visitors to take charge of their personal data and increase your online trust. Help your visitors once and for all to make informed decisions, and create better online experiences based on trust.
Do you see GDPR as a compliance issue or business opportunity?
Dan Storbaek is founder of Secureprivacy.AI,