Rigorous Consent Requirements
GDPR creates a more rigorous process for obtaining consumer consent to data collection. Companies will no longer be able to bury consent in complex legalese; under GDPR, consent must be freely given, specific, informed and unambiguous, and the request must state in plain language why data is collected and how it will be used. Consent must also be as easy to withdraw as it was to give.
Expanded Definition of PII
For many organizations, PII is currently defined only as identifiers that can be linked directly to a person, such as home addresses, email addresses, or telephone numbers. As such, most advertising technology companies have deflected regulatory scrutiny by stating that they do not handle PII. GDPR does not use the term PII at all; its term is "personal data", and it covers any information relating to an identified or identifiable person, including identifiers that can be linked to an individual only indirectly. Recital 30 explicitly names online identifiers such as IP addresses and cookie IDs, which are essential to the functioning of most parts of the ad tech stack. Organizations and their tech vendors will likely have to update their privacy policies and data handling practices in response to this broader definition.
GDPR has teeth. For the most severe violations, companies can be fined up to 4% of their total worldwide annual turnover or €20 million, whichever is higher.
While previous European privacy rules in practice reached only businesses established in the EU, GDPR applies to any business that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where that business is located. So even if your website is hosted in North America or Asia, GDPR governs any personal data you collect from people in the EU.
For EU businesses, GDPR strengthens, and codifies into directly applicable law, concepts already present in the 1995 Data Protection Directive. Nonetheless, GDPR will require many European businesses to modify their existing data collection and processing practices.
For global businesses that may collect data from EU consumers, GDPR introduces significantly more rigorous privacy requirements than those currently in force in markets such as the United States. These organizations will need to weigh the risk of financial penalties for GDPR non-compliance against the costs (financial and otherwise) of implementing new privacy practices.
Most importantly, GDPR means organizations with strong first-party data strategies and close, collaborative relationships with their marketing technology vendors will have a significant competitive advantage over those reliant on a scattered tech stack. In response to the looming implementation of GDPR, organizations should:
- Build a cross-departmental plan. For any marketer whose product touches EU consumers, we recommend setting up a cross-department working group on GDPR that includes compliance/legal stakeholders, IT, web management, CRM, and any other department that uses consumer data. This is not just about digital data or advertising: offline customer records, call centre data and loyalty programmes are all in scope.
- Know what data is collected from your digital properties…and by whom. GDPR places additional obligations on organizations (as controllers) to use only data processors that provide sufficient guarantees of compliance, and to bind them by contract. In programmatic media, complex supply chains can mean your website contains code from dozens of vendors such as DSPs, DMPs, and ad exchanges that gather data from your site, and you may be responsible for their compliance. At the bare minimum, your organization should understand what information these vendors collect and what their policies are for handling it. A practical starting point is to enumerate the third-party hosts your pages actually load (for example, from the browser's network panel or a report-only Content-Security-Policy header) and compare that list against the vendors your contracts cover.
- Understand your agency and ad tech vendors' plans to ensure business continuity. For some ad tech vendors, GDPR may force a significant redesign of certain functionality. Third-party data and cross-device targeting are likely to carry the greatest risk of disruption. Talk to your DMP and DSP partners about their plans for addressing GDPR, ask which areas of functionality need to be altered to maintain compliance, and ask what the development timelines look like.