For ages, media and tech companies in the U.S. have considered European Union data and privacy regulations to be comparatively strict, comparatively complicated, and generally someone else’s problem. But with the E.U.’s General Data Protection Regulation (GDPR) coming into effect in May of 2018, U.S. companies themselves are prepping to understand and comply with some of that infamous yet unfamiliar E.U. data protocol. The new regulation will have global implications, because it applies to E.U. residents, not just E.U. publishers. Any publisher with any E.U. audience has to take note.
GDPR can be seen in part as an extension or tightening-up of the E.U.’s 1995 Data Protection Directive, known colloquially as the “cookie directive.” The cookie directive set up conditions where it would be acceptable to collect and process user data. The U.S. never established comprehensive data policies in quite the same way, and the ad tech industry here evolved to depend heavily on cookies.
A couple of things about what changes when GDPR supersedes the old cookie directive: First, as we just said, it applies globally, and it potentially affects anyone who operates a website visited by E.U. citizens. Perhaps confusingly, the regulation applies to E.U. citizens while they are physically in the E.U., not while they’re traveling beyond Europe. But while they’re inside the E.U., companies and other entities that can access their data must take caution in collecting and processing that data.
Second, GDPR is stricter than the cookie directive, both in how user data may be handled and in the penalties for mishandling data. GDPR expands the type of data that could be considered personal information to anything related to an individual person. Also, it calls for the user’s consent, provided intentionally, before their data can be processed.
Third, GDPR establishes new channels for reporting and enforcing data improprieties. Each E.U. nation will set up a Data Protection Authority (DPA). When an E.U. citizen feels the need to escalate concerns about the way their data has been managed, they’ll be able to take it to their DPA. This means they don’t have to report to authorities in the country where the company/entity accused of mismanaging their data is located. (The language barrier should be less of a problem this way.)
The E.U. will be administering fines for entities found in violation of GDPR, and they could be hefty. They’ll vary depending on the severity of the offense, but at the absolute highest, offenders would have to part with 4% of the company’s annual global earnings or 20 million Euro, whichever is greater.
So what does that mean for publishers between now and May 2018? Unfortunately, U.S. publishers are still figuring out that part. Many have criticized the wording of E.U. documents related to GDPR for sounding vague and confusing. Under GDPR, there are acceptable reasons for collecting and processing user data, and revenue generation and direct marketing fit the bill. It appears likely that users will have to set browser-based privacy preferences (opt-ins and opt-outs), and publishers will be responsible for documenting those preferences and determining what data can be passed along to other partners.
At the moment, publishers are occupied with parsing the language of the regulation, figuring out how they’ll be affected, seeking out best practices, and calculating the expenses of getting compliant. While some publishers are hoping they just don’t have enough of an E.U. audience to change anything, the global reach of GDPR means that’s a risky strategy. Before GDPR takes effect, publishers should (at the very least) make sure their privacy policies are compliant, and either consult with their data protection officer (DPO) or designate someone to perform the functions of a DPO.