North Thinking

A monthly look at the world of digital from NORTH’s point of view

What is GDPR and How Does it Affect the US?

By Caroline Desmond, Director of Media Strategy

Image Source: Pixabay

The General Data Protection Regulation (GDPR) is set to roll out in the EU beginning May 25, 2018. This new regulation is meant to foster user privacy and control over personal data in light of the breadth of information consumers (often) unknowingly share with companies and the danger of data breaches. Data based on prior purchases or browsing behavior is increasingly used by companies to personalize online user experiences or to advertise in a more relevant way. Consider, for example, every time you have shopped online and seen recommendations for things you might also be interested in based on products previously viewed, or anytime you’ve seen an advertisement on Facebook for a product you recently viewed on a shopping site. This is significant, because of the share of the US digital advertising market Facebook controls. eMarketer reported that Facebook and Google controlled an estimated 60% of ad spend in the US in 2017.

The key thing to note is that the GDPR does not just apply to the EU. Any entity that processes the personal data of EU citizens “for socio-cultural or financial activities” needs to comply. So, for example, Facebook is a US-based company, but it processes the data of EU citizens, so it is also subject to the new guidelines under the GDPR. In fact, Facebook has been taking measures for some time to prepare for changes under this new regime. According to TechCrunch, Facebook has spent the last year assembling its “largest cross functional team” to address GDPR compliance. This means that any US-based brands or agencies doing business with Facebook will also be subject to GDPR guidelines.

To a large degree, the guidelines under the GDPR are not new. Since the launch of smartphones circa 2008 — and more recently, wearable technology, smart TVs, and voice enabled speakers — brands have been able to collect significantly more data about consumer behavior. This enhanced ability to understand consumer behavior has given rise to heightened risk and an increase in self-regulatory measures in the US to protect user privacy.

The Regulatory History of User Privacy
In 2009, the Federal Trade Commission began to take a harder look at online behavioral advertising (OBA), which it defines as “the practice of tracking consumers’ activities online to target advertising.” As a result, several advertising industry organizations formed the Digital Advertising Alliance (DAA). One of the DAA’s main goals was to: “Fend off adverse legislation and regulation.” In order to do this, the DAA launched a self-regulatory program governing the use of online user data in October 2010. Regulatory measures were designed to encourage companies to be transparent about data collection and provide consumers with an ability to opt out.

Along those lines, the Interactive Advertising Bureau (IAB) — an advertising trade group in the US responsible for setting industry guidelines and best practices for digital media — released additional guidelines for user-privacy in 2015. In the IAB June 2015 Code of Conduct, the IAB outlined transparency requirements for companies collecting personal data. The Code provided in relevant part that brands and media companies “should give clear, meaningful, and prominent notice on their own Web sites that describes their Online Behavioral Advertising data collection and use practices” with “clear descriptions” of data collected including “any PII [personally identifiable information] for Online Behavioral Advertising purposes.” The Code also provided that brands and media companies must provide “[a]n easy to use mechanism” to opt-out of data collection.

So why all the hype around GDPR? The difference between GDPR and user-privacy measures taken to date is that the GDPR adds teeth to the existing user-privacy measures that have been largely self-imposed by the advertising industry as opposed to mandated by law. There are steep penalties for violators of the GDPR — potentially up to 4% of the violating company’s global annual revenue.

So what are the guidelines? The GDPR consists of a myriad of restrictions across 11 chapters and 91 articles. What I’ve included below are some of the highlights of the GDPR that will affect how companies leverage personal data going forward, including how the GDPR defines “personal data”. For a more comprehensive look at what is covered under the GDPR, see

Personal Data Defined

Personal Data = “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.” For example, name, address, email, phone number would constitute personal information.

It is important to note that even personal data that has been encrypted but “can be used to re-identify a person remains personal data and falls within the scope of the law.”

User Consent

Entities that collect personal data will be required to obtain consent from people before using cookies or other unique identifiers to improve site browsing experiences, serve relevant ads, or understand what kinds of users are visiting the site or app. The EU has offered four guidelines for what qualifies as legal consent in this context. Facebook has posted these on their Facebook for Developers site:

  1. Specific and based on appropriate information
  2. Given before using cookies or other storage technology to collect information
  3. Unambiguous
  4. Freely given

Data Transparency

Data subjects have a right to know whether their personal data is being used, where and for what purpose. According to, the data controller — the entity that decides the ‘purposes’ and ‘means’ of any processing of personal data — must “provide a copy of the personal data, free of charge, in an electronic format.”

The Right To Be Forgotten

Also referred to as Data Erasure, this means that data subjects can require the data controller to “erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.” Even if a data subject does not withdraw consent, there is language to suggest data should also be used only as long as it is “relevant to original purposes for processing.”

Legitimate Interest

Article 6(1) of the GDPR provides that there are some instances where a business may be allowed to process personal data. The most likely exception for marketers is under subsection (f) for the “legitimate interest” criteria. This provides that personal data processing may be lawful where it “is necessary for the purposes of the legitimate interests pursued by the [data] controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject . . .” This language is broad and the law does not say at what point legitimate interests are “overridden.”

Immediate Implications

So far we know there will be at least some effect on US brands and ad agencies who work with global media companies that are subject to the GDPR’s restrictions — e.g., Facebook, Google, Amazon, etc. Specifically, the kinds of data that brands and agencies can access may evolve. Although Facebook has said it won’t extend GDPR privacy protections beyond the EU, it also just announced that it will be phasing out data from third-party brokers from its ad platform — also referred to as Partner Categories. For reference, Partner Category data includes insights like past purchase behavior supplied by companies that access credit card or store loyalty card transaction data. Advertisers layer this kind of third-party data onto Facebook interests and reported demographics to home in on opportune consumer audiences. The issue Facebook has with this data is that it is a few degrees of separation removed from the original consumer opt-in. A consumer might voluntarily turn over their purchase history to a retailer through a store loyalty card, but that same consumer does not knowingly consent to that data being used to target them on Facebook based on what they bought. This would seem to suggest that Facebook is, in fact, taking some moves outside the EU to adopt GDPR principles.

Other media companies, not currently under fire for data breaches (see Cambridge Analytica) will likely take less drastic measures in the US. These companies will likely try to use the legitimate interest defense available under the GDPR. They’ll argue that personal data serves a legitimate business interest — enabling advertising clients to optimize their marketing programs and improving user experiences for consumers on sites and apps.

Additionally, companies will begin to strongly encourage clients and upstream partners to ensure they are gaining user consent so that those in the advertising supply chain are accessing “clean” data obtained through knowing and voluntary user consent. For example, a brand that solicits email addresses for an e-newsletter should tell consumers upfront that they use emails submitted to keep consumers up to date about the brand and product recommendations in other channels beyond the e-newsletter. Under the GDPR, this level of transparency and ability to opt-out would make it permissible for the brand to then use the email list to retarget current e-newsletter subscribers on other channels, or consumers that exhibit similar online behaviors and interests to current e-newsletter subscribers.

The Digital Dystopia Narrative Has Arrived

Devon Brown, Performance Marketing Manager

Image Source: Bored Panda

Futurists have long wondered whether our rapidly changing technological advancements will point us toward a utopia or a dystopia. The utopia narrative paints a lush society. Machines do all of the farming and heavy labor; they are our servants, our chauffeurs, and our answer to everything that is mundane or difficult. In that narrative, humans are left to relax and bask under the shady palm of technology, free from worry and tension. In the dystopian narrative, machines trap and enslave us. We can’t do the most basic tasks without them. We rely on them for food, clothing, shelter. They chain us to assembly lines, control who we talk to, what we think, who we vote for. We are manipulated and restrained to their capabilities, our privacy gone, while the world around us falls into decay, poverty and disrepair.

In a postmodern apocalyptic future, a digital dystopia has taken form. Vehicles for manipulation and corruption, the most advanced communication technologies ever invented, are being exploited by the wealthiest and most powerful members of society. Foreign and domestic governments are creating and distributing propaganda and fabricating news stories in an attempt to influence elections and control the population. Once created to empower the vulnerable, those technologies are being used to bolster fear and rouse feelings of unrest. The personal information of the vulnerable is traded and exchanged as currency in the shadowy corners of the web.

Our “postmodern apocalyptic society” is really just our “data mining society.” Our personal information is traded below our awareness, analyzed and mapped to our emotional triggers, all in an effort to make us dependent. And this time, we really are screwed. We are living in the waking dystopia that grows a little firmer each day. The Cambridge Analytica/Facebook saga is the most well known, but the past few years of headlines have shown us that, at this point, maybe we’re the silly ones to have an expectation of privacy at all. MoviePass, Equifax, and almost every social media platform we know have come under fire for selling our data. Even when it’s done legally and stated right there in the T&Cs, people are outraged for a brief moment, then do nothing to stop it. We let the whole system get a little more powerful each day.

Facebook hardly came from noble origins. It was invented to objectify students and campus troll. But once adoption scaled beyond anyone’s wildest dreams, it was quickly re-positioned to be the Garden of Eden — a blissful paradise to exchange ideas, give impoverished citizens a voice, and empower the vulnerable. And Mark Zuckerberg is a story as old as sci-fi — an optimistic college kid with dreams of changing the world, only to create a machine so powerful he can no longer control it. He quickly finds himself in over his head, at the mercy of corrupt politicians or powerful businessmen or whatever, and in trouble with the government, summoned to speak in front of a congressional committee. Instead of Facebook riding in on a white horse to save us from the Putins and Ailes of the world, it becomes the instrument through which Machiavellianism thrives.

And it’s easy to color Cambridge Analytica as the boilerplate personification of evil, using machines and the personal information of innocent citizens against them. But honestly, we let this happen. We gave them more information than we knew we should, we acted surprised when we thought of shower loofahs one day then saw them in a Facebook ad the next. We relied on it too much for news, let it dictate which friends we paid attention to, and we didn’t delete Facebook when this exact same thing happened in 2011. And most of us won’t delete it today, and frankly, are tired of hearing about this stupid story. We need Facebook to stay relevant. Without it, it’s impossible to truly understand culture, even the bad parts. 7 out of 10 smartphone apps sell our information, and you cannot pry those out of my cold, dead hands.

So, we might be at a crossroads of human history to turn this narrative around. On one hand, regulations are coming with a vengeance (see above regarding the GDPR). Soon we’ll be given options to control how our data is shared. And it will be more transparent that in order to use certain apps or services, data is the price to be paid. Or, it might be too late and we passed the fork in the road long ago. We know what is at stake (elections, power, money), and we know how our culture and politics are being influenced by this technology.

Will we learn and make effective change? Our machines are so powerful that they’ve made an art and science of diverting our attention. All it would take is one big natural disaster or political scandal (or a new season of Westworld) for all of this to become old news and forgotten about, making the new regulations and data options largely ignored, just like ad-blockers.

All I know is whoever is controlling my simulation, I’d like to be let out now.

Cars and Advertising

Izzy Kramer, Media Planner

We all are used to advertising that sells cars and advertising plastered on cars, but the latest in vehicle technology seeks to make ads in cars just as commonplace. TeleNav, a company that specializes in recording and supplying wireless, location-based information and automotive navigation, “has built a platform to support advertising in automotive infotainment systems, and it plans to work with automakers to get ads into internet-connected vehicles.” TeleNav’s technology would support serving ads on smart consoles located in the middle dash of vehicles. For years cars have been installed with wireless connection and software that is able to track and collect data on the vehicle, but these smart consoles allow for ads to be viewable to drivers and passengers.

In this article, I’ll explore the pros and cons of this technology and give my POV on its viability given other trends in the auto industry and related to user privacy.

In-vehicle ads would be supported by the incredibly valuable location-based data already being collected, including where the car goes, where it parks, how long it dwells in one location, etc. And with smart consoles becoming increasingly popular, it is crucial for car manufacturers to include them to keep pace with the demand and competitors. Between the mountains of data and the popularity of smart consoles, this is the perfect storm for a new ad platform that is supported by data.

What are the pros? This could take location-based mobile opportunities to the next level. Being able to understand where someone is based off their phone location and car location opens up so many possibilities in terms of retargeting capabilities and better understanding an audience. (Where you go can shed light on what you do and what interests you.) This insight can be used to serve up more relevant communications to consumers. For example, there’s a fair probability that someone who drives every day to an ad agency works in advertising. Moreover, driving data might show they work long hours, because they park it at that agency between the hours of 9–8pm. Maybe that same person also frequents a yoga studio every Sunday, and every other week they visit a vegan cafe. A consumer packaged goods (CPG) brand specializing in healthy, vegan snacks for busy professionals might find these insights gleaned from driving data useful for identifying an opportune audience for their next product launch.

But this technology has its drawbacks too. Consider this — companies like TeleNav are currently focusing on personally owned vehicles. This potentially leaves a blind spot: non-owner-exclusive cars, such as cars available through vehicle sharing services (ZipCar, Car2Go, ReachNow, etc.). Cars available through these services are all smart enabled, and therefore, their activity data is able to be tracked. However, the driver of the vehicle changes constantly. That is the entire purpose of these services: quick and easy access to vehicles you don’t own.

But people not owning their own cars? I must be crazy. Nope. We are seeing a continued trend in people ditching their vehicles and opting into car-sharing options (myself included). From 2008 to 2016 we saw a dramatic increase in car sharing members, nearly doubling from 2012 to 2014. In mid-2017, Market Insider wrote the “car sharing market is slated to record a massive double digit y-o-y growth (34.8%), with a projected revenue collection of more than USD 16.5 billion by 2024” based off a study done by Global Market Insights Inc. With that said, a car-less lifestyle is quickly becoming a desired and feasible option for those living near and around cities. It is the way of the future! So keeping this in mind, it is already worth wondering about the future of a car-based ad platform that doesn’t even exist publicly yet.

Image Source: Flickr

Additionally, it is worth noting that car-sharing services protect the information of their members by erasing the previous driver’s info from the vehicle after their session is over — and rightfully so given user privacy concerns. The kind of information stored by car sharing services is highly personal and includes device data connected via bluetooth, aux, or USB and user passwords.

Even if car-sharing services eventually stored driving pattern data in the cloud tied to individual accounts, drivers would need to receive clear notice of this tracking and an easy way to opt-out if they prefer to drive incognito. Additionally, any driving pattern data would need to be anonymized, like other modern forms of location based targeting that do not show personal identifiers. So for example, driving data collected via TeleNav or a car-sharing company should only show that driver 1234 works long hours at an ad agency, practices yoga, and eats vegan based on where they drive and dwell. It should not reveal any personally identifiable information about the driver like their name, email, address, etc.

It would be too speculative to say where this technology is headed. The key will be for technology companies to be transparent with consumers about the data that is collected and respectful of user privacy.





North is an independent advertising agency in beautiful Portland, Oregon that creates fans for brands and good companies who give a little more than they take.