General Data Protection Regulation: What You Need to Know

Buckle up. In 2018, major regulatory changes are in store for companies that collect consumer data and use it to deliver data-targeted advertising to EU consumers. The General Data Protection Regulation (GDPR) will immediately impact digital advertising companies operating in Europe, and the new regulations will likely influence similar laws throughout other parts of the world.

The GDPR is the new legal framework for consumer data protection throughout the EU. It supersedes the 1995 Data Protection Directive on which European law is currently based. The new regulation, which was adopted in 2016, will be enforceable starting on May 25, 2018. According to the GDPR website, the legislation is designed to harmonize data privacy laws across the EU and give greater protection and rights to consumers, including the “right to be forgotten” by online marketers.

GDPR Basics

In a nutshell, the GDPR provides greater protections and control by mandating a 1:1 direct relationship between data collectors and consumers. This means companies must obtain explicit consent from consumers, in a way that leaves no room for misinterpretation, to be able to use their data for the purposes of online ad targeting. The Information Commissioner’s Office (ICO) has provided guidance on the way in which organizations will have to gain consent, but a potentially confusing aspect of the GDPR is that it will be enforced separately by each of the 28 countries that make up the EU. Moreover, there are many areas where the GDPR is murky and could be interpreted differently depending on one’s point of view.

This moving target makes developing firm strategies for compliance difficult. The ICO plans to continue releasing details and guidance in an attempt to make GDPR compliance clearer. Yet, many publishers and ad tech businesses remain in limbo while they await information on how the law will be enforced. The stakes are certainly high: maximum fines of €20 million ($24 million US) or 4 percent of global annual revenue are possible for those who find themselves operating outside the new regulation.

Some Details

Under the new rules it will be illegal for companies anywhere in the world to pass a European user’s personal information to another company, or to store it without agreeing to a formal contract with the “data controller” (generally understood as the first-party data collector) that defines limits on how the data can be used.

Under the GDPR, businesses that are defined as data controllers are most liable for fines, since they are the holders of consumer data. The GDPR broadly defines personal data as “data about an identified or identifiable person, either directly or indirectly.” It holds companies accountable not only for the data they process and hold within their own systems, but for data they pass on to other companies in their ecosystem, and the ability for consumers to be identified or re-identified by other companies within that ecosystem.

This means big changes for publishers, advertisers that operate websites with first-party customer data, and their ad tech vendors. Technology vendors classified as “data processors” could potentially find themselves on the outside of the data controller/consumer dyad. As a result, publishers will likely limit tracking pixels and third-party JavaScript on their webpages. The GDPR will also limit common practices like cookie syncing and third-party pixels while requiring “opt out” data strategies to change to “opt in.”

What’s the Impact?

The GDPR could be a creative opportunity for marketers. In an October 2017 DMA poll of 249 senior marketers, 71 percent agreed that the new data laws will spur more creative campaigns to acquire customers over the next five years.

By requiring explicit opt-in from consumers, the GDPR hits the reset button on legacy advertising tactics (e.g. audience and behavioral targeting via browser cookies) and ups the ante in the value brands and publishers must provide to preserve their connection to consumers. The GDPR will push marketers to be more thoughtful about their creative assets, how they message consumers, the perceived value of the message by the consumer, and how marketers and publishers can obtain explicit permission to remarket to them.

The new guidelines make it clear that managing first-party data is the key to safeguarding consumer privacy while still providing a relevant and personalized experience. The GDPR also reinforces the value of context: context remains the foundation of relevant exchanges between consumers and brands. This could drive higher CPMs for publishers that can package and deliver high-value audiences to advertisers through contextual targeting, relevant content, and engaging experiences.

This bodes well for branded content that is delivered in the form of non-interruptive native ad formats that fit sensitively within context and preserve the publisher’s organic user flow. This value proposition will ultimately enhance a brand’s ability to forge deeper relationships with consumers and preserve their connection as consumers become increasingly mindful and judicious with how they manage their right to privacy and/or right to be forgotten.


Details around the GDPR are still in flux, but here is a list of resources to help you better understand the regulations and plan compliance: