The business, technology, and legal worlds all expected the European Union’s General Data Protection Regulation (GDPR) to be a big deal. May 25, 2018, the date when the new consumer privacy and data protection rules went into effect, had an almost Y2K feel to it. And just like Y2K, no big news broke the next day. For six months afterward, debate still focused on the potential impact of the regulation, rather than actual developments.
In recent weeks, however, the trend has shifted. GDPR has bared its regulatory teeth. Let’s look at some of the biggest developments and highlight what this means for your data strategy going forward.
The First Shot Across Adtech’s Bow
In May of this year, Doc Searls, author and Alumnus Fellow of the Berkman Klein Center for Internet & Society at Harvard University, predicted GDPR would pop the adtech bubble. Now, with a recent EU regulatory decision against Vectaury – a French adtech firm – it appears the industry’s status quo of operations is coming under fire.
The ruling from CNIL, France’s data protection authority, has been covered from many angles in the news. From a data management strategy perspective, this development highlights the importance of capturing consent data the right way. Under GDPR rules, consent must be specific, informed, and freely given. Yet Vectaury, and the consent framework they used, bundled consent for third-party data processing through partner contracts. The GDPR regulator called out this practice and has required Vectaury to cease data processing.
Privacy activists and adtech firms took immediate notice of the decision. Bundled consent is at the heart of the online ad industry’s real-time bidding (RTB) system. This system, which has displaced traditional models of digital ad selling, is growing at breakneck speed. It’s estimated RTB digital advertising spend will reach $23.5 billion in the United States in 2018 compared to a $6.3 billion spend in 2014.
When viewed in combination with other GDPR-based complaints about the RTB system, it’s clear this pillar of the adtech industry is under regulatory assault. And, as the CNIL decision shows, regulators are willing to shut down a company’s data processing operations if they find it in violation of GDPR.
Penalties and Fines Are Warming Up
When the EU unveiled GDPR in 2016, the structure for fines and penalties put the business world on notice. Since it threatened fines of €20 million or 4% of the company’s global annual turnover (whichever is greater), the regulation had “teeth” to enforce its strict new data collection and processing requirements.
Yet, since the May 25th enforcement date, no major GDPR-related fine has been levied. A recent study from the International Association of Privacy Professionals (IAPP) offered two main reasons for this lack of enforcement action. The first: Regulatory officials have given companies more time to implement tools and processes to address the complex regulation. The second: Investigations and their resulting legal battles can take a long time. In fact, the IAPP study estimated that the average violation-to-penalty timeframe spanned about 338 days.
As we enter 2019, the business world is bracing for more enforcement activity. Regulators in Germany, for instance, just issued their first fine. The European Data Protection Supervisor, Giovanni Buttarelli, said in a recent interview with Reuters that much more is on the way:
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.”
Consent Emerges as the Key Issue
Buttarelli also said EU member states had received a total of 42,230 GDPR-related complaints from the time enforcement began until October. Of those, he said customer consent represented the largest complaint category.
“In cases in which it is indispensable to build on consent it should be much more than in the past based on exhaustive information; much more details, written in a comprehensive and simple language, accessible to an average user, and it should be really freely given — so no blackmailing.”
These comments, combined with the CNIL decision, put a company’s consent data management strategy in the spotlight. If your business develops a vision for capturing consent and preferences holistically across touchpoints, brands, and channels – for every instance when this data needs to be captured according to GDPR requirements – it can drastically mitigate regulatory risk.
In addition, if you develop a reliable system for enforcing a customer’s preference and consent choices across downstream applications and services, your business will avoid a major source of GDPR-based complaints.
Moreover, honoring customers’ preferences and consent choices helps build trust in this new age of consumer privacy and data protection. And this trust is the foundation of today’s meaningful customer relationships. Without trust, customers jump to competitors and brand reputation takes a serious hit, as many businesses that are not managing preferences and consent data according to GDPR standards are about to find out.
By Ratul Shah