The European Union’s General Data Protection Regulation goes into effect in late May, so online publishers and marketing agencies are preparing for big changes in order to become compliant with the new law. GDPR enforcement begins May 25, and it requires online companies to obtain direct consent from users before collecting any of their data and using it. The GDPR is likely one of the biggest changes to the digital ad industry so far, as it affects most, if not all companies with an online presence—especially Google, Facebook and other firms in the business of digital advertising.
What is the GDPR?
The GDPR is a much broader set of rules regarding data privacy than what is currently in effect in the EU. The law applies to both residents and citizens of EU nations, and it doesn’t matter where companies are located. If they do business in Europe and European residents access their website, they must be GDPR-compliant. More specifically, any companies that market anything to citizens of the EU, no matter where they reside in the world, must comply with the law, as do companies that employ citizens of the bloc, monitor their behavior, or collect or store their information.
CMSWiRE put together some thorough guides on the new law here and here. The GDPR deals with collection and use of personal data, which it defines as any data that could be used to identify someone, either directly or indirectly. As such, it includes everything from people’s names and email addresses to their IP addresses, social media posts, and much more. It requires companies to obtain explicit consent from users allowing them to collect and use their personal data without burying meaning under difficult-to-understand legalese.
Companies are required to clearly state what the data will be used for, and they can’t apply consent received for one purpose to another purpose. They must obtain consent for each individual use, and they can’t set the default to giving consent, placing the burden on users to opt out. They must also make it clear how users can retract their consent if they change their mind later, and they can’t require users to give their consent in order to use their services.
How the GDPR affects businesses
Because the law applies to people living in EU nations, whether or not they are a citizen of the nation they live in, and EU citizens living around the globe, the GDPR will likely have very broad-reaching implications. It’s the kind of law that companies are better off being compliant with for every user rather than risking breaking it with even just one user.
The penalty for not complying with the law is higher than it is for violating the law that’s currently in place. Companies which violate the GDPR can be fined the higher of €20 million or 4% of their global annual revenues, with the amount depending on how serious the violation is. Unfortunately, many companies still aren’t in compliance with the law, even though many think they are.
A recent survey conducted by Veritas found that 31% of companies claimed to be GDPR-compliant, but their answers to questions about specific areas of compliance revealed that 98% of those companies were actually mistaken. It sounds like companies aren’t even taking the new law seriously, as Varonis found in a recent study that 38% aren’t prioritizing GDPR compliance by the deadline, while a TrustArc survey found that more than 60% of companies haven’t even started to implement their plans to become compliant yet.
Here’s what Google is doing (and not doing) for the GDPR
Google is easily going to be one of the companies that’s most affected by the law, and it already knows the pain of violating data privacy laws in the EU, as it has been fined for it in multiple EU countries before. Because of how much Google will be impacted by the GDPR and the fact that many publishers show ads from the company’s platform, it makes sense that some are using the search giant as a proxy to see how to treat the law. Additionally, if your website serves up ads from Google’s platform, then there are some important things you need to know as far as your responsibilities under the new law.
SearchEngineLand published an email Google sent to some of its publisher partners this week outlining its handling of the new requirements. The most important thing for publishers to understand from that email is that Google placing the burden of data privacy under the GDPR on them.
Google said in an AdWords blog post that it will be updating its EU consent policy to require publishers to “take extra steps in obtaining consent from their users.” For its own compliance, the company will be obtaining consent for all of its own properties, including YouTube and Google.com, but all third-party publishers will be required to obtain compliance for their own websites—including those which utilize Google’s ad targeting products behind the scenes. Publishers will need to maintain their own consent records and tell users how to retract their consent if they ever wish to do so.
Google has already gradually been working toward GDPR compliance since August 2017 by updating its contracts on many of its products to reflect its “data processor” or “data controller” status, as defined by the law. The company is also preparing to launch a new ad solution for publishers who want to serve up non-personalized ads which don’t require that any user data be collected. Google has also published full details of what it’s doing about the new EU data privacy law for affected businesses here.