GDPR is no longer fit for purpose for advertisers – here’s how it could be
Susana Figueredo, legal and compliance manager at Incubeta, explains why GDPR is not fit for purpose for advertisers.
The deprecation of cookies has led major technology players to develop alternative tracking solutions
The data reform bill replacement doesn’t spell the end for UK advertisers. When Michelle Donelan, the UK’s secretary of state for digital, culture, media and sport, confirmed plans to replace GDPR, advertisers may have felt a little deflated. Though the GDPR was implemented more than four years ago, many advertisers will feel like they have only recently fully gotten to grips with the regulations.
While the development may seem like a negative for those advertising in the UK, it could end up being a blessing for brands, with many viewing GDPR as having been unsuitable for advertisers for a while now.
When GDPR was officially implemented in 2018, it vastly improved data privacy and security for consumers. However, for marketers, it was not fit for purpose and the reality is that it was created to protect consumers, not businesses.
The regulation has been outpaced by the introduction of new, innovative ways of gathering data, which allow advertisers to run interest-based targeting while reducing the collection of personal data and the amount of data shared with third parties. The eventual deprecation of Google Chrome’s third-party cookies, as well as the disappearance of various other identifiers, has led major technology players to develop alternative tracking solutions that embed user privacy features from the offset.
The fast-moving digital industry will always outpace any regulation that’s put in place – which raises questions about what governments can actually do.
For now, with or without the regulations in place, the industry is dedicating far more effort to ensuring that consumers’ rights to data privacy and security are better respected. These consumers will continue to see the positive impact that GDPR provides for them. Because of GDPR, people have more information available to them about how their data is being used, and more power to stop their data from being collected.
There’s plenty of room for improvement, but GDPR did help to set in motion a shift in how personal data is perceived by consumers and businesses alike.
An answer to everybody’s problems
The UK, while small in stature compared to the might of the EU or the US, has the opportunity to influence data privacy regulation across the world – should the nation get its answer to GDPR right. Although finding a solution for privacy concerns with interest-based targeting that is well received by all players involved would be difficult, there is room for improving other areas of the regulation which would benefit most businesses.
When Donelan announced the government’s intentions at the beginning of October, she claimed that “no longer will our businesses be shackled by lots of unnecessary red tape.” It’s difficult to say what the government views as “unnecessary red tape,” but it’s important that the entirety of GDPR isn’t fed to the shredder.
To enable UK businesses to continue operating freely within the EU, the UK’s adequacy status must be maintained, which is how the EU determines if a non-EU country has an adequate level of data protection, and is one of the core protections provided by the GDPR.
The UK should avoid any amendments that place severe restrictions on the rights or security of consumers and reductions to the requirements for valid consent.
On the other hand, the government could – and looks set to – remove some of the administrative burdens around GDPR, making it easier for UK businesses to operate. The Data Protection and Digital Information Bill currently being discussed in parliament would remove or simplify the requirements around data protection officers, data protection impact assessments and records of processing activities, which will come as a welcome relief for most businesses.
The government could also consider taking a more sensible approach to cookies, shifting analytics cookies into the “strictly necessary” category because they are non-intrusive and help businesses to improve the experience they deliver for consumers.
Being seen to take these steps to simplify data regulation compliance could encourage the rest of the world to follow suit and begin to adopt a more reasonable approach to the issue of data privacy and security – a balanced approach that considers the needs of both businesses and the fundamental rights of consumers.
GDPR may not be entirely fit for purpose, but the UK is well-positioned to improve on it and pave the way for data privacy regulations that benefit one and all.