Ladies and gentlemen, GDPR will change everything.
It already has, in fact.
GDPR (short for General Data Protection Regulation) is a European privacy law that went into effect on May 25, 2018. It gives EU citizens greater clarity and control over their personal data. But its impact goes way beyond that.
So, what is GDPR?
GDPR is the next generation of EU laws enhancing personal privacy control over the internet (something Europeans take pretty seriously).
EU citizens get to decide what data is collected and how it’s used. They also have the right to be forgotten at any time. Which puts a lot of ad people in a bind.
But we’re in the US/Canada/Botswana.
Doesn’t matter. If an EU citizen can access your stuff (and you’re collecting or processing their data), you’re subject to GDPR.
How’s that supposed to work?
We can tell you what’s in the law but we want to be clear: we are not interpreting the law in any way.
Even after a month, no one really knows how this is all going to shake out. Talk to a lawyer to get the full story. They know everything.
Here are a few things GDPR spells out.
Data Subject* Rights
- The right to access information about how personal data is used.
- The right to access personal data held by any organization.
- The right to have incorrect personal data deleted or corrected.
- The right to have personal data rectified/erased (often referred to as the “Right to Be Forgotten”).
- The right to restrict or object to automated processing of personal data.
- The right to receive a copy of their personal data.
*A data subject is an EU citizen that has their data collected on the internet.
Data Controller vs Data Processor
GDPR divides anyone that touches user data into two camps:
Data controllers collect data and make decisions on what to do with it. They are responsible for obtaining consent from the user for collecting their data (or establishing a legal basis for doing so without getting consent).
Data processors analyze and, well, process the data. They do not make decisions about what to do with the data. They just execute decisions set out by the data controller.
Consent Management Platform (CMP)
Some companies are relying on a CMP to streamline the consent process. Right now, this looks like a snippet of code you put in your website that produces a pop up. It then provides visitors the choice to either consent or decline tracking.
Here is a list of verified consent partners. Do your research and make sure you find a solution that’s right for you, if you haven’t already.
So, what’s with all the hubbub?
The consent, the penalties and the grey area.
GDPR takes an opt-in approach to gaining consent. This means companies can’t collect and process an EU citizen’s personal data without their specific approval. Consent rates are hugely variable at this point, which complicates the whole process and gives many ad people the heebie-jeebies.
The fine for a GDPR violation is €20 million or 4% of global profits, whichever is more. And everyone who touched the data in violation is liable. That’s everyone from the brand to the advertiser to the DSP to the publisher. There’s a lot at stake.
There are many things GDPR doesn’t define. It leaves a ton of questions that will not be answered until some heads roll. And in an industry like this, we’ve got a few huge players with lots of heads and a bunch of smaller players with only one head to lose.
Seems like a lot of things will change.
Yes. Here’s how things are looking at the time of writing this post.
- There is a lot more pressure to shore up partnerships. One weak link and the whole chain breaks.
- The big dogs benefit way more than everyone else. It just so happens that a lot of their efforts to get compliant also edge out their competition.
- There will continue to be a lot of consolidation and a fair number of failures. There are already some companies that are exiting the space or just closing shop.
There’s a lot more to say on the subject of GDPR. Below you’ll find some good resources. If you want to hear our thoughts on how it affects the future of our industry, read our article 5 Existential Questions GDPR Raises. Get ready for some deep thinking.
A few good resources: