The opinions expressed in this post — as always — are my own.
Earlier this year, I had the opportunity to attend the International Association of Privacy Professionals Global Privacy Summit in Washington, DC. I was there touting self-regulation in the digital advertising field.
Booth after booth and many panels, however, were talking about something else: the European Union’s forthcoming General Data Protection Regulation (GDPR) and its cousin, ePrivacy Regulation — and how American and global businesses may deal with both. GDPR takes enforcement effect on May 25, 2018.
While all the promulgations for GDPR are yet to be revealed, the potential impact is that the EU will place a lockbox on personal information of European citizens (both consumers and business individuals), even those data elements that are as benign and beneficial as advertising and marketing related information. Only affirmative consent from the consumer will make such data available for constructive outcomes as marketing analysis and tailored advertising. Whether or not a company is based in Europe, United States or elsewhere — if it touches EU citizen data, it must conform to the regulation — or face fines as much as 4 percent of global turnover — or €20 Million, whichever is greater. IAB Europe has posted a helpful primer.
Will the first cases under this regulation be brought against Europe-based companies? We shall see.
Many Americans fear something else. It will be used to go after American-based companies — particularly global innovators in data and information that use consumer data for productive use, with great success. Data-driven marketing economies offer superb dividends: consumers get more relevant content, greater choices and greater diversity of content — as well as entrepreneurial businesses that seek to innovate even further. The decision this past week under EU competition law regarding Google only advances the case of perceived anti-American bias in EU “digital” law enforcement. (Without arguing merits or criticisms of the decision — last I heard, no one in Europe is forced to use Google for his or her online searches or shopping.)
Then there’s the debate about consent in GDPR. The tired “opt-in versus opt-out” debate has reared its ugly head, as the EU marketplace implements affirmative consent mandates. We all know opt-in requirements tend to kill consumer discovery, and hurt, particularly, small business.
Like EU’s cookie law, Europeans may well see a plethora of new sets of notices asking consumers whether or not they really want to visit a site, use an app and so on — anywhere personal data, including browsing history and app usage, is intended to be collected and used for marketing purposes. There are myriad other GDPR requirements — data protection impact assessments, data protection officer designees, the right to data access, the right to be forgotten, the right to data breach notification — which marketing organizations will need to navigate.
And what might the global effect be as nation after nation seeks to establish “reciprocity” with more stringent EU law? In the post-Snowden era (how post-Snowden are we?) there are plenty who want to turn off American data collectors, as if the U.S. private sector has anything to do with U.S. government surveillance. They are not the same thing, and should never be.
If the goal of the EU is to protect the European consumer — by striking fear in Silicon Valley and American business through fines, litigation and the like — then it may go over very well with European audiences. Kudos, point made. Then there’s our side of the ocean. Despite all the bluster of “America First,” the truth is that we’re a global economy and there’s no turning back. And, no one will win if there’s a trade war — especially one over data flows that fuel economic growth.