How Are New EU Privacy Laws Affecting Advertisers?

finjanmobileBlog, Mobile Security

New EU Privacy Laws

Issues concerning privacy and data abuse have been hitting the news a lot in recent months, and new privacy laws enacted by the nations of the European Union (EU) have created quite a stir, with their strict provisions and potentially global reach. For advertisers and marketing professionals – whose livelihood may depend on the volume of usable information that they can obtain about the preferences and practices of existing and potential consumers – these new privacy laws and regulatory compliance frameworks are sure to have serious consequences.

In this article, we’ll be looking at these effects, and discussing how advertisers have been responding to the new EU privacy laws and adapting to the new legal environment.

A Summary of the New EU Privacy Laws

Drafted as a replacement for the 1995 Data Protection Directive, the General Data Protection Regulation or GDPR now sets the standard for the way that data is handled and individual privacy is protected in the EU. The GDPR brings together much of the preexisting privacy legislation of the EU and augments it with new conditions that make the statute one of the most strict and comprehensive legal and regulatory compliance frameworks ever devised.

For EU individuals (citizens, and those resident within the EU at the time of the transaction), it sets out powers and rights of access to data which is gathered by primary collectors known as data controllers (major websites, eCommerce portals, online services, etc.), and manipulated or analyzed on behalf of those agencies by organizations known as data processors (analytics platforms, marketing consultants, cloud services, etc.).

Of particular relevance to advertisers are the powers given to consumers to determine how their personal data is treated by commercial organizations and their supply chain partners. These include:

  • Rights of access: Access on demand to information that’s gathered at various touch points.
  • Rights of disclosure: Consumers can request item by item explanations for why certain data has been captured, and what it’s being used for.
  • Editing rights: Powers to amend inaccurate information held by data controllers and processors. The corrections requested can on demand extend throughout the individual’s online presence – and extend far back into the past.
  • The right to be forgotten: EU individuals can at any time demand that an organization erase the entire body of data which has been collected from them.

Since targeting and lead generation are both heavily dependent on the ability of advertisers to acquire, analyze, and manipulate customer data with the minimum of restriction, the individual rights enshrined by GDPR are certain to have an impact on the future conduct of promotional campaigns, customer tracking, and marketing practices.

GDPR also establishes strict conditions for the way in which data-handling practices are made known to the buying public, and comprehensive procedures governing the manner in which data storage and manipulation should occur. Failure to comply with these conditions can result in severe penalties, up to and including fines of 20 million Euros (€20m, around $24.4 million) or 4% of annual global turnover (whichever is the greater) for the worst offenses.

An accompanying set of rules known as the ePrivacy Directive governs electronic communication, as it relates to EU consumers. The Directive is currently in the process of being ratified into law, and establishes affirmative consent on the part of the data subject as the only legal basis for collecting personal data.

Even in the UK (whose status with regard to the EU is still the subject of debate), a data protection bill drafted in line with the guidelines of the GDPR is likely due to become law. So a strict level of privacy legislation will exist there for the foreseeable future, Brexit notwithstanding.

New EU Privacy Laws and Potential Loopholes Favoring Advertisers

With what some may see as an avalanche of new EU privacy laws and compliance conditions adding to the mix of an already complex operating environment, advertisers and marketing professionals have been looking to one of the provisions of the GDPR to provide some comfort.

This clause states that businesses are allowed to process personal data without the consent of the subject if that information is being gathered for “legitimate interests” of the business – among which is “direct marketing,” through mail, email, or online advertisements.

As we’ll see, several organizations have been looking to exploit this loophole, to gain some relief from the restrictions imposed by the new privacy regime.

These New EU Privacy Laws Are Forcing a Behavioral Shift

Largely though, advertisers are reconciling to the fact that changes are now required in both data gathering practices and attitudes towards disclosure, in order to maintain the compliance levels dictated by law.

Specifically, with “affirmative consent” at the heart of the new EU privacy laws framework, advertisers and marketing professionals are having to adjust the nature of their interaction with consumers, so as to successfully invite them to opt in to having cookies deposited in their web browsers, or to agree to the use of their details, and personal or device identifiers.

Counting on users to click “I agree” to avoid having to wade through a Terms & Conditions document couched in dense legalese is no longer an option.

Consent must be actively sought in clearly presented and unambiguous requests, written in plain language that anyone can understand. And the consent must be actively (or “affirmatively”) given: A clear “Yes,” on the part of the individual, rather than a “You didn’t uncheck the I Agree box, therefore you’re OK with it,” approach.

High-profile organizations such as Google and Facebook have made changes to their privacy policies and data-gathering practices already, and rolled these changes out on a global basis (at least in practice, for now), rather than having to create separate sets of procedures for different regional markets.

Shutting Up Shop

Given that the terms of the most stringent EU privacy statute (GDPR) apply to transactions and data-handling organizations based in Europe, a number of EU advertisers have decided to cut their potential losses and simply shut up shop. For example, in March 2018 advertising technology firm Drawbridge (which tracks users across mobile devices) opted to wind down its business in the EU, rather than deal with complications concerning user consent.

Testing the Limits of the New EU Privacy Laws

Other organizations have cited the “legitimate interests” clause of GDPR as their continued justification for harvesting consumer data without affirmative consent.

The German media company Axel Springer (SPRGn.DE) is one example. On its own properties such as the news website Bild, no user consent is requested before data is mined and used for targeted advertising. And newspapers in the UK owned by Reach (RCH.L), including the Ealing Gazette and Grimsby Telegraph, have been loading personalized ads before seeking user consent, according to a review by the Reuters news agency on June 28, 2018.

It’s still early days for GDPR, and the full weight of its enforcement machinery has yet to kick in. But most industry analysts agree that the future will be dominated by a number of legal cases, as advertisers and GDPR regulators hash out the finer points of the law.

Opportunities for Growth – Despite the New EU Privacy Laws

Naysayers and apocalypse prophets in the advertising industry have been warning of the dire effects of the new EU privacy laws, since as far back as 2015, when Townsend Feehan, the CEO of IAB Europe (the European branch of the Internet Advertising Bureau) described the coming General Data Protection Regulation as “the amputation of a significant revenue stream” for advertisers and marketing professionals.

Things aren’t necessarily that bad – or at least, they shouldn’t be, when considered in a certain light. While it’s true that GDPR, the ePrivacy Directive, and other aspects of privacy law in the EU represent restrictions and a challenge to long-established marketing practices, it’s also true that the demands that these new legal frameworks impose give advertisers and marketing organizations an opportunity to evolve, through the establishment of new working practices, and the putting in place of the infrastructure and policies required for greater protection of consumer privacy.

For example, advertisers and digital marketers who didn’t previously have the hardware, software, and protocols needed for deleting collected information on request, or for dealing with consumer refusals or withdrawals of consent to tracking or data gathering will be obligated to acquire these systems – and the enhanced working methods that go with them.

And while operating costs may go up while the pool of available customer data diminishes, the remaining information will tend to be more focused and specific, relating to consumers who – having given their consent to data collection and thereby indicated an interest in the commercial organization concerned – will tend to be more viable as sales prospects.

Seen in this light, the new EU privacy laws may give advertisers and marketing professionals the opportunity to improve their methods of interacting with customers, while benefiting from an increased number of more specific and engaged conversions.

Secure All of Your Devices for One Low Monthly Fee!
Get InvinciBull™ VPN now!

Share this Post