What does the EU’s privacy reform mean for US marketers? And what should you do now?

General Data Protection Regulations are a European issue with a global impact US are not immune from

The incoming European Union (EU) General Data Protection Regulations (GDPR) has marketing professionals there drastically altering their digital marketing strategies. Outside the 28 nation member states, there are not many talking about its implications, despite GDPR's global repercussions, but that does not alter the fact that this legislation will have a global impact.

GDPR, one of the most significant data privacy reforms in years, will affect both individuals and companies looking to reach the EU’s 500 million-plus citizens, with the legislation creating a uniform data security law for all EU members. This is compared to previous arrangements, when earlier laws were state-by-state, dependent on the laws of each country.

With 200-plus pages of regulation set to come into force in May 2018, it formalizes concepts like the "right to be forgotten," data breach accountability, data portability and more — and is arguably the biggest disruption in the digital space in recent years.

Potential fines

Simply put, the regulations are being put into place to give individual more rights to their data, but brands and marketers need to get on board beforehand in order to avoid hefty potential fines – up to $24m, or 4% of annual turnover (whichever is the greater sum). Some of the requirements include:

  • Requiring consent for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring certain companies to have a data protection officer to oversee GDPR compliance

Levels of preparedness

The potential impact of the legislation on marketers is underlined even more drastically, given the contemporary profession’s reliance on data-driven, or econometric techniques. And recent surveys of the preparedness of marketers, agencies and adtech companies within the EU member states have shown just the scale of the task at hand.

A recent survey from the UK’s Chartered Institute of Marketing shows that only 6% feel they have a grasp of the impact of the technology. Additionally, a further report from polling outfit YouGov forecasts that 17% of ad agencies “would go under” if their current levels of preparedness are not improved upon by May next year.

Close to home, a recent PwC Survey of American multinationals from earlier this year points out that it is also on the minds of a lot of US organizations as well.

A recent PwC pulse survey asked C-suite executives from large American multinationals about the state of their plans for Europe’s landmark General Data Protection Regulation (GDPR). The “pulse” revealed five surprising results:

  • Over half of US multi-nationals say GDPR is their top data-protection priority
  • Information security enhancement is a top GDPR initiative
  • 77% plan to spend $1m or more on GDPR
  • Binding corporate rules are gaining popularity
  • US businesses are re-evaluating their presence in Europe

How will GDPR affect US companies?

No matter their location, GDPR will apply if an organization sells its goods or services directly to individuals in the EU or is ‘tracking’ them for analytics or advertising purposes. This means that US companies that are doing any business in the EU, or have EU residents visiting their sites, must comply. Basically, this is legislation for companies that are doing global business.

As far as what marketers should be thinking about, the location of the user is important, according to Scott Meyer, chief executive officer of privacy compliance outfit Evidon, which recently sold to technology company CrownPeak.

Evidon is one of the companies that licenses the Digital Advertising Alliance's AdChoices icon, which was the self-regulatory reaction to an earlier UK privacy clampdown called the ePrivacy Directive dating back to 2012 (itself soon to be updated). Evidon was also formerly behind adblocking software Ghostery, putting New York-Based Meyer in a good position to comment on the matter.

Local legislation with a global impact

Any company across the globe holding data on the EU's 500m citizens will be affected by GDPR / Piaxabay

“It’s where the user is, not where the company is headquartered. It’s where is the user and, really importantly, where is the data stored," he says, adding that many of those in the US are woefully under prepared.

However, Meyer does move to reassure professionals that not many in the media industry do fully understand the implications, nor the measures they have to take. But with that said, the time for complacency has long past. He advises US professionals to take a lead from The International Association of Privacy Professionals, which represents 25,000 members.

This is also the reason behind Evidon’s July 2017 launch of its Universal Consent Platform – the first single solution to help organizations achieve GDPR and ePrivacy compliance.

"What you really need to understand is where the ePrivacy Directive meets with GDPR," he advises. "That's where the rubber really meets the road."

Similarly, Alex Tait, formerly Unilever’s top digital marketer, and currently a GDPR consultant with his company Entropy, advises that: “Brand advertisers – including US ones – should put in place a ‘joined up’ compliance map taking into account all of their global activities and data processing (plus those of its agencies and data partners). Changes are likely to be needed across the organization.”

He adds: “What every site should be thinking about is 'how do I marry compliance with the best user experience?' Because I can be compliant but I don’t want to tank my business with a poor user experience. A big piece of this is how do I communicate with the user."

Tim Norris, managing director, of mParticle advises US marketers to have a clear concept of the types of data at their disposal (see image), as well as the means of how they will articulate how to gain consent to process it.

mParticle

“Once clearer requirements for consent are in place it is unlikely that the majority of consumers will willfully opt-in to their data being traded when there’s no immediate upside for them,” he says.

Who will be the winners — and the losers?

In a recent note to investors, influential Wall Street analyst Brian Wieser of Pivotal Research noted how consumer-facing companies such as Facebook, Google, Twitter and Snap, plus major publishers which consumers are generally familiar with, should be able to secure consent exchanging use of some personal data in advertising for access to the media property.

However, the note ominously went on to add: “By contrast, ad networks and programmatic platforms owned by these media owners may face challenges doing the same.”

How will the ‘anonymous’ adtech players gain consent?

Given the emergence of programmatic media trading this is also a concern for those in the adtech sector of the business, many of whom base their entire business on the processing of personalized data. But with little opportunity to open a direct dialogue with consumers to obtain their explicit consent, just what is the way forward for them in such a regulatory climate?

The leadership of publicly-listed adtech company Criteo (itself France-founded but listed on the Nasdaq) faced questions from analysts about its GDPR preparations during its most recent call, with its leadership claiming it was something they will look into in 2018.

It’s something that hasn’t been lost on Brian O’Kelley, chief executive of AppNexus (pictured), who adds that the legislation could result in the “the de-globalization of adtech.”

“We have spent a ton of time trying to understand GDPR, and obviously it’s still changing, but it feels like it’s a thing,” he adds.

With many anticipating that GDPR will result in an ‘ad-pocolypse’ in the adtech sector, he explains his company’s efforts to figure out how it’s possible to figure out consumer consent through all the data pipelines.

Speaking with The Drum earlier in the year, he explained how his company was drafting terms and conditions that would require potential adtech partners to sign up to a liability framework drafted by AppNexus. Media buyers or bidders that won’t sign up to this framework will be unable to work with the adtech outfit or its publisher clients.

“We’re going to commit to be ready — so not just us, we’re going to bring a bunch of partners with us (and in some cases our competitors). We’re going to help as many companies as possible get inside the GDPR umbrella in a way that makes it easy for publishers. Imagine if you’re a publisher and you’re trying to vet every single bidder and data provider,” says O’Kelley, pointing out that publishers often work with hundreds of such adtech players.

“The publishers have the obligation and the opportunity here, and we plan to roll out a set of tools and protocols help publishers to gain some kind of vibrant engagement from ads. So we’re going to propose a standard for this, [and] fully support that standard.”

Actionable GDPR insights that apply in the US

For those in adtech eager to maintain the quality and, more importantly, integrity of their data, the ability to ‘cookie’ a user with their consent is now something they have to seriously think about.

Many have speculated as to just how a GDPR-compliant digital dialogue box will look — one where adtech companies need to gain required consent (as well as the soon-to-be updated ePrivacy regulations). This has prompted PageFair (a company more commonly associated with the adblocking debate) to recently offer its take on just how this might look (see video below).

The findings are based on a study of over 300 publishers, adtech companies and brands as to whether or not users will consent to tracking under the upcoming GDPR regulation. Although Dr. Johnny Ryan, Pagefair's head of ecosystem notes, the above scenario does not “cover the vast chain of controllers and processors involved in conventional behavioral targeting” (read more here).

Five key steps towards responsible data processing

1. Take stock

Meanwhile, Evidon’s Meyer recommends that US-based media professionals take stock of the impending regulation well in advance of May next year, and just how much data they hold on the region’s 500 million-plus citizens. This includes data points such as anonymized cookies, and hashed IP addresses, which the latest legislation classifies as personally identifiable information, or PII, and what the risk is of sharing this information.

2. Understand your supply chain

Meyer then goes on to advise those in the media business to plot a "data map" and build towards an understanding of where their own outfit's fit within it.

"You need to understand where it [data points] come in, and where they come out," he says, adding that advertisers should understand their supply chain, their place within it, as well as the privacy compliance of their partners.

3. Be prepared for cooperative action

Once your role within a wider supply chain has been established, a review of your vendor contracts is necessary. However, AppNexus’ O’Kelley reiterates this point, he warns that before any regulatory intervention, those without an effective grip on the regulatory requirements, could effectively find themselves ostracized by their industry partners, as articulated in his cooperative proposals outlined above.

4. Prepare to localize infrastructure

Aside from legal terms and conditions to negotiate, the upcoming GDPR regulations may require companies to look at their data infrastructure so that data they hold on European consumers is kept within the boundaries of the 28 nation member states. A point that hasn’t been lost on adtech companies such as AppNexus and Sizmek, that have made recent, fresh investments in data centers there.

5. Create a roadmap and appoint a data protection chief

Although not specific to US companies, the points raised in an earlier IAB Europe compliance paper are equally applicable. It advises members to audit their current processes, and then see how many conflict with GPR, and then assess how long it will take to take the relevant steps and make the necessary changes.

In Europe, the introduction of the legislation is said to prompt the creation of over 28,000 data protection officer roles within organizations. However, as the concept of data privacy rises up, the priorities of companies across the world (as evidenced by the PwC study).

With so many moving parts to be addressed by almost every organization handling EU customer between now any May 2018, the consensus among all experts consulted on the matter is this: think globally, and act locally.

Ronan Shields & Haley Velasco

Ronan Shields is The Drum's digital editor and Haley Velasco is a freelance writer for The Drum. Both are based in New York.

All by Ronan Shields &