Privacy and Data Protection has been at the
forefront of marketing regulatory news over the past year, and it will remain
increasingly important as the world becomes more dependent on behavioral data.
The European Union’s (the EU’s) General Data Protection
Directive (GDPR) has been in effect since May of 2018. The reach of
GDPR goes far beyond the borders of the EU. The GDPR requirements apply to all
“controllers and processors” of information regardless of whether they are
located within the EU or not. Simply said, this means that if the
behavior of EU citizens is being tracked by technology, or if goods and/or
services are being offered to EU citizens, the GDPR applies. Thus, the GDPR
potentially applies to advertisers, agencies and media companies anywhere in
the world, with a database inclusive of EU consumer data, including third party
suppliers of such data.
The GDPR requirements (greatly simplified):
(1) Securing Consent – It is necessary to secure an individual’s consent
regarding the ability to gather, hold and/or use their data. That consent must
be secured in advance, it must be specific and clear, it cannot be assumed from
silence, it must be current, and it must satisfactorily explain how the data is
being used. Transparency regarding the nature of use (including any repeated
use) is very important. The GDPR also has special requirements about how to
secure the necessary consent from a child (defined as under 16 years of age).
And, very importantly, the EU individual must have the ability to withdraw the
consent. The “right to be forgotten” is an EU individual’s right. If requested,
an individual’s data must be removed permanently from all databases.
(2) Companies larger than 15 employees (and public authorities larger than 10
employees) must have a Data Protection Officer (DPO). The DPO has many roles
and responsibilities, but overall it is the DPO’s job to ensure that a company
is GDPR compliant. Establishing systems, testing those systems, assuring
compliance, reporting to authorities, and performing regular data system checks
all fall under the responsibility of the DPO. Every company larger than 15
employees must legally have one.
(3) There are requirements to establish and perform ongoing Data Protection
Impact Assessments (DPIAs) regarding the data being held, and the processing of
that data, to ensure GDPR compliance. The ability to assure the authorities
that you have systems in place to comply with GDPR is itself a requirement of
GDPR.
(4) Data Breach Reporting – The law requires that data breaches be reported to
local EU data protection authorities within 72 hours of the breach. Thus,
systems and technology are required that enable the detection of such breaches,
and company personnel clearly need to be trained regarding response
requirements.
And—there
are significant fines for GDPR non-compliance!
The EU
GDPR law allows that fines for non-compliance can be as high as 4% of a
company’s “annual global turnover”. This extraordinary penalty must have
rung alarm bells within corporate boardrooms globally. The huge potential
penalties certainly were intended to focus the business world to address
privacy and data protection, and it has! Although companies have had years to
prepare for the GDPR requirements, exactly how to comply, how to stay in
compliance, and how severely the regulators would actually enforce and invoke
the penalties the new law allows, have yet to fully unfold.
Since the IAA will remain keenly interested in how GDPR enforcement and
interpretation unfold going forward, the IAA followed with great interest the
recent fine brought by the French watchdog CNIL against Google. The French CNIL
used its powers under GDPR to fine Google 50 Million Euros for allegedly
breaching the complex GDPR laws. The general basis of the complaint is that
Google did not properly secure consent from consumers in advance of sending
consumers ads, and that Google allegedly did not fully explain to consumers how
or why data was being collected.
The Google case is being appealed, but what we all can learn as we watch this
case (and penalty) unfold is that fines are not only a potential, but that
fines will be assessed—and those fines can be huge! Although the first cases
may be against the “big guys”, the law applies to companies of all sizes,
including those with a lot less to spend on determining how to fully comply
with GDPR! Headlines are made by selecting a huge company to fine, but the
ambiguity of the GDPR law is dangerously real, and that ambiguity about how
exactly to comply could next impact much smaller players in the marketing
space. Up to 4% of global turnover is a huge number regardless of your size!
The GDPR is also inspiring new state privacy laws within the United States.
California has already passed the “California Consumer Privacy Act” (CCPA),
which gives more than 40 Million California residents rights that are similar
to (yet different from) the GDPR rights delivered to EU citizens. This
California privacy law goes into effect on January 1, 2020. Other U.S. states
have introduced their own privacy legislation. There is likely to be a federal
privacy law “push” this year in Washington DC, due to (if nothing else) the
risk of fifty different states introducing varying versions of their own
privacy laws!
Privacy is not a simple matter. The GDPR cannot be applied in “cookie cutter”
fashion globally. Data is the DNA that enables the smooth flow of the digital
information economy. The advertising and marketing industry is dependent upon
respecting consumer privacy and adhering to the established laws. The industry
has created self-regulatory systems (such as the Digital Advertising Alliance,
https://digitaladvertisingalliance.org) in some markets to address consumer
access to data and control over use of their data. More self-regulation is
needed, and more education about privacy laws and self-regulatory efforts is
certainly to be encouraged.
The outline of the GDPR above is greatly simplified. The GDPR legal
requirements are complex, and there is a need to seek legal counsel with
privacy/GDPR expertise to assure that your company, your database, your
suppliers, and your systems are compliant.
We invite IAA members to submit comments/opinions on matters of regulatory
interest for review.