It already has, in fact.
GDPR (short for General Data Protection Regulation) is a European privacy law that went into effect on May 25, 2018. It gives EU citizens greater clarity and control over their personal data. But its impact goes way beyond that.
GDPR is the next generation of EU laws enhancing personal privacy control over the internet (something Europeans take pretty seriously).
EU citizens get to decide what data is collected and how it’s used. They also have the right to be forgotten at any time. Which puts a lot of ad people in a bind.
Doesn’t matter. If an EU citizen can access your stuff (and you’re collecting or processing their data), you’re subject to GDPR.
We can tell you what’s in the law but we want to be clear: we are not interpreting the law in any way.
Even after a month, no one really knows how this is going to all shake out. Talk to a lawyer to get the full story. They know everything.
Here are a few things GDPR spells out.
*A data subject is an EU citizen that has their data collected on the internet.
GDPR divides anyone that touches user data into two camps:
Data Controllers
Collect and make decisions on what to do with the data. They are responsible for obtaining consent from the user for collecting their data (or establishing legal basis for doing so without getting consent).
Data Processors
Analyze and, well, process the data. They do not make decisions about what to do with the data. They just execute decisions set out by the data controller.
Some companies are relying on a CMP (consent management platform) to streamline the consent process. Right now, this looks like a snippet of code you put in your website that produces a pop-up. It then gives visitors the choice to either consent to or decline tracking.
Here is a list of verified consent partners. Do your research and make sure you find a solution that’s right for you, if you haven’t already.
The consent, the penalties and the grey area.
GDPR takes an opt-in approach to gaining consent. This means companies can’t collect and process an EU citizen’s personal data without their specific approval. Consent rates are hugely variable at this point, which complicates the whole process and gives many ad people the heebie-jeebies.
The fine for a GDPR violation is €20 million or 4% of global profits, whichever is more. And everyone who touched the data in violation is liable. That’s everyone from the brand to the advertiser to the DSP to the publisher. There’s a lot at stake.
There are many things GDPR doesn’t define. It leaves a ton of questions that will not be answered until some heads roll. And in an industry like this, we’ve got a few huge players with lots of heads and a bunch of smaller players with only one head to lose.
Yes. Here’s how things are looking at the time of writing this post.
There’s a lot more to say on the subject of GDPR. Below you’ll find some good resources. If you want to hear our thoughts on how it affects the future of our industry, read our article 5 Existential Questions GDPR Raises. Get ready for some deep thinking.