Implications of GDPR for marketing in Europe and beyond
Worldwide there is increasing concern about the massive quantity, exposure and use of personal data online. Such personal information not only informs the decisions and actions of private companies and governments, but can also be stolen or mishandled and used for nefarious purposes, negatively impacting all reaches of society and sectors. In the past years, we’ve seen massive data breaches in outfits like Target, Equifax, Sony or the U.S. government as well as clear examples of data misuse by the identity resolution company Navistone.
Because of these consumer personal data concerns and a clear lack of coherent treatment of such information, in May of 2018, the European Union will begin to enforce the privacy data rules called The General Data Protection Regulation, or GDPR.
According to the EU’s webpage on GDPR, “it is the most important change in data privacy regulations in the 20 years”. So far, it seems that businesses are woefully underprepared for this large scale change in how privacy settings must be activated by default and built into their websites and digital products.
Here are the major takeaways of the new legislation and what it means for marketing and your business:
- The regulation probably applies to you, whether you are European or not. Non-EU businesses that sell in the EU will need to comply with the regulations. So will companies based in the EU, even if they sell nothing within the single market.
- EU citizens already have the right to be forgotten and GDPR introduces even more user control on how data is harvested and used. This means businesses will have give easy access to opt-outs, unsubscribe links or wholesale deletion of online accounts.
- Your marketing forms will need to go beyond passive opt-in and users must physically confirm (check a box) that they want to receive information from you and consent to your data use policy. In other words, there is no consent by default anymore. The silver lining is that you can use the consent forms to tease out what parts of your business and communication offer your users are really interested. By seperating the active opt-in options, you can better serve and target users.
- No more secrets: your customers have the right to know exactly what data you have on them, who you are sharing it with and what it is being used for. You can use this to your advantage,
- Identity resolution vendors can expect heavy-hitting criminal or civil charges if they continue to de-anonymise user identity by cross-referencing navigation, devices, purchase history, and more. This just won’t fly under the new legislation.
- The monetary fines in Europe for such practices could be massive, and examples will be made of the biggest violators. Fines at the maximum level under GDPR are 4% of global revenue or 20 million Euro. That should be enough to wake everyone up once the first case arises.
- Firms who will have to be extra careful to not get charged with such violations will include American martech companies such as data brokers, adtech and marketing cloud solutions who rely heavily on third-party cookies and the more relaxed legal privacy environment of the US. If you use martech products originating from the US and you operate in the EU, you would do well to change to EU marketing providers or confirm that your existing vendor will fully comply with the new GDPR standards (get it in writing).
- AI firms will also feel the squeeze. As long as they are using algorithms to analyse instantly and respond with personalised offers, there is a chance that they are also discriminating. It’s going to be very tough to get to the bottom and tell say if an AI platform is using racial or religious indicators to determine how much credit a user is eligible for on a loan. Best practice: wait until 2019 to start that big AI project you’ve been dreaming of or go with a European vendor.
- Google and Facebook may also fall on the wrong side of GDPR. EU countries have already shown an appetite for challenging Google in court as well as hauling Facebook over the coals for tolerating hate speech. Although they are large organisations with the infrastructure to tackle GDPR efficiently and effectively, recent history would indicate that any violations by the Internet giants would be swiftly punished.
Your company is going to have to dedicate time and resources to GDPR and should start right now if you want to operate in Europe. In addition to default privacy controls online, your organisation is also going to have to implement regular privacy impact audits, improve and clarify how they ask for user permission for data and clearly document the ways in which they use that data and how they communicate breaches. Even without a fine or outside of the EU, a data breach or abuse can result in massive loss of revenue. Companies who do not operate in Europe will still be impacted by the rising tide of consumer disgust at private information being compromised and abused. As the number of these incidents increase, expect more consumer outrage and a subsequent loss of revenue on the part of companies who have suffered a breach.