General Data Protection Regulation (GDPR) is the talk of the entire digital advertising world. What is it? What will happen if a business is non-compliant? How will it impact businesses & ad networks overall?
What is GDPR?
The goal of GDPR is to protect customer data and user privacy. Developed by the European Union, the GDPR is a set of regulations governing this information. Any information that can be used to directly or indirectly identify a person is covered by the GDPR. Examples of this data include identity information such as their name, address or ID numbers; internet data such as their location, IP address, cookie data and RFID tags; biometric, health, and genetic data; racial & ethnic data; political preferences; and sexual orientation. There is a useful website filled with information about GDPR at https://www.eugdpr.org/.
Rather than each country having its own restrictions, the EU worked together in order to have one standard set of regulations. The rules have been debated for years, but will begin to be enforced starting May 25th, 2018.
While there are many parts to the GDPR rules, there are a few key items to note. Conditions for consent will now be much stronger. No longer will companies be able to hide these requests deep within legal terms. It must be clear to the consumer what is going to happen with their data. It must be as easy for them to opt out of their data being used as it is to opt in. For sensitive data, consumers must “opt in”. For other data, consumers must simply be unambiguously aware of what they are consenting to.
Even if a business doesn’t primarily target Europeans, the GDPR still impacts any business that might encounter people from Europe – even if they are just website visitors that may be tracked.
What will happen if a business doesn’t comply with GDPR?
The penalties for non-compliance with GDPR are harsh. For the most serious infractions, a business can be fined up to 4% of annual global turnover or a maximum of €20 Million. Lower-level infringements have lower fines. The rules apply to both controllers and processors of information, so both need to be fully aware of all requirements. CSO reiterates as part of their useful information about GDPR that the EU has shown that it does not hesitate to assess fines for non-compliance. In short, the penalties can be costly, so no business should ignore GDPR.
What does this mean for businesses and ad networks?
As the deadline nears, uncertainty remains. Because there are so many levels of data and connections between them, ensuring compliance will be difficult. The balance between user privacy and advertising network data is being tipped back toward the user. As a result, programmatic advertising will become much more difficult, and for some, impossible. In recent years, companies have made a lot of money by being able to track and retarget customers, but this tracking was generally done without consumers fully realizing what was going on. While it will still be possible to collect cookie data, as noted above, it will have to be much clearer to the user that this is what is happening. Anyone who relies on this cookie data is at great risk if they do not comply, but even compliance will likely have an impact on their business, as users will be less likely to opt in. While there is an overall uncertainty, there is plenty of information out there that will help move businesses toward compliance, including an API & dashboards from TMForum.
Every advertising network is aware of these new issues protecting user privacy. Major ad networks such as Google & Facebook are at the forefront of establishing compliance, but even they will see revenues impacted. Google has set up a site to show their own efforts as well as help their customers with compliance, while Facebook has outlined how they will be addressing user privacy settings. Smaller companies that don’t have the legal resources will be impacted the most. One underreported aspect is that small publishers who rely on already-shrinking ad revenue will see this revenue shrink further if companies that can’t target customers as well become less willing to spend ad dollars. These publishers may have to look to other income sources.
Blockchain is one possibility for GDPR compliance. If a customer data source has control over their own data through blockchain, then that data would be compliant. There are still some questions about blockchain and GDPR compliance, such as with the Right to Be Forgotten, but for now it appears that blockchain may be a good solution for data privacy.
One thing that is clear is that May 25th, 2018 is getting closer and closer, and businesses have yet to master what will happen with their ad networks and GDPR. It is inevitable that revenues will be impacted for many companies if they are unable to target customers as well, but the cost of non-compliance is even greater.