GDPR: Privacy law gives advertisers a tough cookie

Digital advertising is a powerful economic engine, driving billions in revenue around the world, and accounting for many thousands of jobs. Indeed, MAGNA estimates the global digital advertising industry will be worth $299 billion by 2021. But continued growth could be threatened by increasing regulatory scrutiny. The industry as a whole will need to simultaneously address not one but two European Union laws, the General Data Protection Regulation (GDPR) and the ePrivacy Regulation (ePR). Here’s what you need to know.

The GDPR, which goes into effect 25 May 2018, aims to give power back to the people through control over their personal data. The brilliance of the law is that it breaks down traditional borders and applies to any organization globally that merely offers its services to an EU resident or is engaged in website monitoring, meaning it’s set to be a real shake-up of the digital advertising ecosystem.

The regulation will be a change management challenge for all, forcing companies to get a handle on all of their data processes and be transparent with customers about their rights. Get it right, and it could make for stronger customer relationships. Get it wrong, and companies could be liable for up to €20 million or 4% of their annual turnover, whichever is greater. Digital tracking, called profiling, while not prohibited, will require companies to obtain consent, and the bar for valid consent has been raised significantly. Details will be fleshed out over time; however, some publishers are preparing in advance by re-negotiating contracts to insist that any third parties on their sites are GDPR compliant, meaning they may need to have a designated Data Protection Officer and go through their own internal GDPR compliance process. This will indemnify the publisher for any GDPR violations the third party may cause. Let’s take out the lawyer-speak and translate. If a company causes a publisher to get fined because it inadvertently brings other third parties onto the publisher’s site without proper permission, the publisher will look to the company to pay it back as a consequence. Remember, the penalty will be based upon the publisher’s revenue, not the company’s, so the figure on the check to the publisher could be alarming.

If this isn’t enough to get your head round, the ePrivacy Directive (ePR) will soon be overhauled as well. The legislation, while at the beginning of the process, could be fast-tracked so it can also go into effect on the same date as the GDPR. The aim of the GDPR is to give the person control over her personal data. The ePR, in contrast, is distinctly different, and that’s why it wasn’t simply folded into the GDPR. The purpose of the ePR is to ensure the confidentiality and privacy of electronic communications — so it will apply to the telecom and over-the-top TV (OTT) industries too.

However, there is also a direct impact upon the digital advertising industry, specifically when it comes to dropping cookies and other tracking technologies onto someone’s browser. When that is about to happen, the ePR requires a website operator to give notice and get consent to send a cookie. You need to ask permission.

If the ePR becomes law as it’s presently proposed, the digital advertising industry will be at significant risk for a couple of reasons. First, the ePR will adopt the GDPR’s penalties. Further, ePR consent, like GDPR consent, will also be tougher to get. Under the ePR as presently constituted, the quaint notion of “implied consent” based upon a user’s behavior will be a thing of the past. Instead, there may be a tougher opt-in-like approach, not necessarily “explicit”, but a process that is much more prescriptive than what is currently in process.

Digital advertisers, if you feel under assault, you should, even if the assault is hidden behind platitudes and smiles. Certainly there is no small amount of irony in the fact that digital advertising is truly a victim of its own success. But so it is, and while the challenges will be real, I’m actually optimistic. This industry is important to many organizations and to both the US and EU economies, and I believe that it will respond logically, innovate technologically, and continue to be the economic engine that is such an integral part of both the EU and US economies. There is time to get it right, but the conversation needs to start now.