We’re only 12 months away from the full implementation of European Union General Data Protection Regulation (EU GDPR). Yay! (Or, maybe not yay.)
If you’re a marketer creating ads for global campaigns (face it, every campaign is global now), a lack of awareness of some crucial rule changes heading your way could be costly, especially if you collect personal data in Europe and, as the collector of that data, do anything with it there.
The EU GDPR will impact the lives of more than 500 million people in 28 countries and will attempt to provide consumers the improved privacy and protection they’ve been demanding without stifling a business’ ability to innovate and market itself.
A few of the highly consequential tenets of these regulations (paraphrased) are:
- Personal data can only be gathered legally under strict conditions, for a legitimate purpose.
- Persons or organizations that collect and manage personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.
- Businesses, public authorities, and individuals that transfer vast amounts of personal data across borders with conflicting data protection rules must adhere to international information exchange policies.
- Transferal of personal data abroad is prohibited if there is any uncertainty over the level of protection another country can provide the consumer.
- Data controllers will be required to report data breaches to their data protection authority (unless it is unlikely to represent a risk to the rights and freedoms of the data subjects).
- Notice must be made within 72 hours of data controllers becoming aware of a breach, unless there are exceptional circumstances, which will have to be justified.
- Data subjects have the “right to be forgotten.”
As stated by Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, there is tremendous opportunity in the EU:
...the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020. Strengthening Europe’s high standards of data protection, therefore, means business – not a burden to innovation.
In Europe, this is, and has been, a big deal. There are websites with countdown timers ticking away the seconds until the GDPR comes into full effect. If they haven’t already, businesses are making the operational changes needed to ensure they’re in compliance. And from the European Commission’s Office of There’ll Be No Excuses (not a real office) has come a library of factsheets in 23 languages that explain in depth what the GDPR means for anyone who does anything on the web.
General data protection regulation: Ruthless or toothless?
The EU GDPR will have a profound effect on business, regardless of the size of an organization. Facebook, Alphabet, Apple, and possibly you, will have to adhere to the wishes of the consumer and guarantee that they have ultimate control over how they want their data used.
If you don’t, the Information Commissioner’s Office (ICO), the enforcement arm of the EU, and/or national privacy regulators, a.k.a. Data Protection Authorities (DPAs), will have the power to fine anyone in violation of the GDPR. Fines can go up to 4% of annual global sales or €20 million (US$21.1M) — whichever is higher. To date, the ICO has never issued a penalty higher than US$512,000. Even for tech giants like Facebook or Google, multiple €20 million fines could get expensive. (Not that they’d flout the rules, of course.)
One of several bellwether amercements testing the boundaries of these rules is presently running its course in France. The French DPA, Commission nationale de l’informatique et des libertés (CNIL), has hit Facebook with a €150,000 (US$161,000) fine stating that:
...the Facebook group does not have a legal basis to combine all of the information it has on account holders to display targeted advertising. It also finds that the Facebook group engages in unlawful tracking… [and] does not allow users to clearly understand that their personal data are systematically collected as soon as they navigate on a third-party website that includes a social plugin.
Facebook is also being pursued for the same offenses by the Belgians, the Dutch, the Germans, and the Spanish.
The €150,000 fine levied by the CNIL was the maximum fine allowable at the point at which it started its investigation in 2014. Going forward, the CNIL will be able to issue fines of up to €3M (US$3.31M). The amount of these fines is chump change to companies aswim in cash and with battalions of lawyers, like Facebook. Regardless, the long-term impact of this kind of harried legal squabbling, and the press it generates, will undoubtedly force players in the EU zone to rethink their approach to data gathering and how they commodify that data.
Death by 1,000 regulations?
Since 1980, the European Commission (EC) has been actively seeking ways to strike a balance between protecting a user’s privacy and ensuring the myriad of online services seeking to market to individuals can do so in a reasonable manner.
These early efforts resulted in the Automatic Processing of Personal Data agreement, signed in Strasbourg, France, with amendments made in 1988, 1995, and 2003. The nascent regulations, as outlined nearly 40 years ago, rang with an innocent optimism characteristic of the early days of the web, when people unblinkingly shared all kinds of personal information and when practices like identity theft, or even retargeting, were mostly unknown.
In 2012 the EC kicked regulations into high-gear and further codified what search engines, social networking sites, and email services, notably Facebook and Google, can do with the data they collect from tracking users to how far they can go when targeting ads. Data privacy updates extended beyond the basics of gender, age, and location to include those elements that could be used to identify an individual, such as their genetic, mental, economic, cultural, or social identity.
Alongside the various protections created for European consumers, you can add:
- Article 8 of the European Convention on Human Rights
- OECD “Recommendations of the Council Concerning guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”
- EU Data Protection Directive (Directive 95/46/EC)
- Article 15 of the Directive on privacy and electronic communications
- Article 29 Data Protection Working Party
- Article 30 of the directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Clearly, this is a continent that values its privacy.
Meanwhile, in the US…
In the US, the (seeming) lack of emphasis placed on consumer privacy couldn’t be more striking, or the deference shown to businesses and marketers more blatant. This isn’t to say the US does not have privacy rules (and it may seem like they’re being systematically repealed into extinction, as the recent repeal of broadband privacy rules seems to attest). The fact remains that there are regulations in place; it’s just that they tend to favor business.
Without getting political or needlessly philosophical, the reason that in the US every day is opposite day has everything to do with money, the Constitution, and American culture.
It’s all about the money
The digital marketing industry is worth more than US$60 billion. This amount is expected to reach US$80 billion by 2020. Whenever there’s this much cash in play, you can be assured that there are organizations out there looking out for other organizations’ “interests.”
Big pieces of the very big digital marketing pie have been carved out by the major players in the industry like Google and Facebook, and several have decided to spend some of that cash on shaping policy. These expenditures often go to corporate lobbyists, and those influencer peddlers have fought on behalf of their clients to create and pass regulations that place the burden of opting in or out of having personal data collected squarely on the shoulders of the consumer — rather than require companies to seek the user’s approval upfront.
This isn’t as nefarious as it sounds.
For many years, consumer protection groups and the many federal agencies whose job it is to protect consumer rights have been asking Congress for baseline federal privacy legislation. In most cases, the public has gotten what it asked for. A few of the high-profile regulations that have been created are:
- Computer Fraud and Abuse Act (CFAA) that makes it a federal crime to access and share protected information.
- The Federal Trade Commission Act (FTC Act) that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies.
- The Health Insurance Portability and Accountability Act (HIPAA) that regulates medical information.
- The Children’s Online Privacy Protection Rule (COPPA) that imposes certain requirements on operators of websites or online services directed to children under 13 years of age.
(You can decide for yourself if these rules are too weak, adequate, or go too far.)
In one instance, the FTC presented recommendations based on concerns about the lack of transparency regarding particular organizations’ data collection practices and the lack of meaningful consumer control of personal data.
In its 2012 Privacy Report, the Federal Trade Commission (FTC) acknowledged that companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer, because such data uses are generally consistent with consumers’ reasonable expectations. The FTC also concluded that obligating companies to ask every user for consent to collect data would result in those costs being passed on to the consumer. Besides, how long would any of us put up with opt-in requests before we clamored for them to stop?
“We the People…”
The First Amendment of the Constitution guarantees freedom of expression; you know, free speech. Nowhere in any of the US online privacy regulations are there rules that allow a person to delete or remove information about themselves online. Yes, there are procedures in place to make this happen; none of them are mandatory by law. This seeming deficiency is understandable when one views it through the prism of constitutionality.
As such, challenging present-day privacy rules ultimately amounts to challenging the First Amendment. This is a legal battle no one has possessed the wherewithal to take on. This is also a giant generalization, but an accurate distillation of how the constitution impacts the creation of privacy rules.
American Culture: Not an oxymoron
“The business of America is business.” So said Calvin Coolidge in 1925.
Despite the fact that this phrase has come down to us incorrectly and that, when taken in context, Coolidge’s remark was more of an indictment of the accumulation of wealth than praise of it, it nevertheless sums up a lot about American culture.
As a nation, Americans are less suspicious of big business than citizens of other countries. Also, most Americans are avowed free market capitalists, rugged individualists, budding tycoons, serial entrepreneurs, etc. In a country full of people eager to create “the next big thing,” it comes as no surprise that privacy is less important, or is not as high on their list of priorities.
Europeans have a higher expectation of privacy than Americans. This may be because Europeans have lived through tumultuous times, or because they have lived near each other for centuries. Or, perhaps it’s as simple as the European cultural predisposition toward privacy.
Which is more valuable: your privacy or your data?
No one likes to feel like they’re being watched, much less stalked. But, at the user level, that’s what’s going on; and we know it, we accept it (sort of), and most of us understand that it’s not always beneficial. Two statistics speak to that maybe better than anything else:
- 54% of app users have decided not to install a cell phone app when they discovered how much personal information they would need to share to use it.
- 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share.
When the price is right, we’ll open our devices up to the highest bidder. And, evidently, for some, the bidder need go no higher than $8.
In the EU, the answer to the data vs. privacy question is clear: privacy. From being “cookied” to drones, the European Commission has taken the Continental sentiment to heart and has made consumer privacy its priority. With the full rollout of these consumer protection plans by year’s end, the EU has declared that it will protect people’s personal information and that it is now incumbent on a business to ensure that its customers’ privacy is protected.
Whose side are you on?
The countdown clock to increased privacy regulation in Europe is ticking more loudly. And with each passing second, marketers are closer to having to confront how they’re going to maintain their ability to personalize their advertising campaigns while preserving the personal privacy of those they’re targeting and their “right to be forgotten.”
In this era of increased advertising personalization your agency, or brand, will have to ensure that your data collection tactics stay within the new legal lines or face stiff EU penalties. One way to measure if your advertising is crossing the legal line is the Advertising Classification System. For more on this system go here.