This week marks a year since General Data Protection Regulation (GDPR) came into effect across all 28 member states of the European Union (EU). The privacy laws were enforced to increase and protect the rights people have over their personal data being held by companies strengthening security and protection in today's media landscape.
The changes brought plenty of panic, debate and anxiousness in 2018 about what it would mean for businesses in the creative industry with them firms having to adapt to the new regulations. So, with the help of hindsight, what have we learned a year on? Below, a host of business leaders offer their insight and observations on the matter.
Gabe Morazan, director of product management at Crownpeak
Has the predicted disruption from GDPR’s implementation become a reality?
In a way, yes. In the lead up to its introduction there was a fair amount of panic among some organisations about how the actual implementation would go and be received by consumers. However, if you consider that privacy laws were meant to disrupt data collection practices across the web, some of this disruption – the type that came as a result of being prepared and introducing a compliant system – could be seen as a success.
Organisations that avoided any disruption at all may have done so because they failed to implement any – or minimal – changes to become GDPR compliant and instead opted for a risky ‘wait and see’ approach hoping for a lack of regulator activity. Taking such a ‘business as usual’ attitude is a gamble; the disruption to business might be low, but the risk of non-compliance is high. Of course, this also ignores the cost of delivering poor customer experiences, even in privacy. The penalties aren’t the only penalties to worry about.
Who are the winners and losers?
The companies who are winning are those that looked beyond just complying with the law and took a strategic approach that enabled them to prioritise the customer experience. These same organisations saw through the hype and recognised that GDPR represented a shift in consumer sentiment and trust.
The losers are those that have adopted the ‘wait and see’ approach. Not only do they risk joining the 200,000 reported cases of breaches to GDPR so far this year, or receiving a hefty fine like the €50m CNIL issued to Google, they’re also failing to see the customer experience benefits that such regulation can bring.
By ignoring these new customer mandates, these brands are eroding customer goodwill and trust. As we’ve seen with the recent Apple product announcements, brands are starting to compete on trust and transparency. Brands choosing the ‘wait and see’ approach risk being left behind. Beyond that, the California Consumer Privacy Act (CCPA) and other global regulations are on the horizon including 17 different states in the US, which all focus on the need for transparency, disclosure and control of user data. This largely reactionary approach will result in major disruptions each time a new data privacy law comes to market.
What’s next in the world of consent?
Companies should already be planning for the CCPA so they’re ready to be compliant when it takes effect in early 2020. There’s also the EU’s ePrivacy Regulation, which has been delayed but is likely to be revived again soon. Elsewhere globally, there are Brazil’s General Data Protection Law (LGPD), Indonesia’s Initial Draft Law and Hong Kong’s Personal Data (Privacy) Ordinance.
Even those companies that implemented the most successful GDPR compliant processes shouldn’t be blasé about the next round of privacy laws. Use 2019 wisely, learn about future regulations and the differences between them and consider how you can start to incorporate privacy into the core of your customer experiences.
Lindsay McEwan, VP and MD of EMEA at Tealium
"Data is no longer just a focus for marketers. GDPR is having an effect across all areas of business and plays a key factor in meeting increasing demands for personalisation.
Companies are still trying to find the balance between great customer experience and compliance and at the heart of this is having a clear understanding of consumer behaviour across all interactions.
Millennials provide a challenge for brands looking to create a loyal customer base. This generation has been raised in a field of choice with a plethora of apps available at the single touch of a button and loyalty to brands is not their priority.
Millennials are quick to drop a company if they don’t deliver a seamless, personalised experience across channels. Achieving this is not as simple as inserting the consumer's name and hoping for the best; companies must deliver a tailored experience based on a deeper understanding of the individual. This remains just as important as meeting the requirements set out by GDPR was a year ago and balance remains the key challenge for companies moving forward."
Adam Singolda, CEO at Taboola
"It's already been a year since GDPR came in, but privacy is still at the forefront of Taboola's mind. We're keeping an eye on new global privacy requirements and continuing to work with others to strengthen our industry best practices in accordance with IAB EU's updated Transparency and Consent Framework 2.0.
We remain engaged in the global privacy evolution, appreciative of the opportunity to better understand our audiences' preferences and dedicated to providing the highest levels of transparency and control when it comes to the use of their data for online advertising."
Marino Gualano, General manager and co-founder of MainAd
"The past year has been the tip of the iceberg when it comes to data regulation and compliance. Looking to the future, we’re seeing regulations such as ePrivacy, the CCPA in the US and the Personal Data Protection Bill in India marking a truly global movement.
In the future, companies will continue to advance their data protection and regulation policies revealing a more uniformed approach across the industry which will enhance positivity and trust from consumers and clients.
It’s important we see and understand the ramifications of non-compliance and that businesses failing to comply are reprimanded to help instil trust in the system.
It’s hoped that GDPR will continue to contribute to restoring confidence among consumers, which in turn will benefit companies that offer users transparency, clarity and choice."
Brian Kane, co-founder and COO at Sourcepoint
Has the predicted disruption of GDPR implementation become a reality?
Ahead of implementation, many publishers were concerned that GDPR would disrupt their ability to continue monetising their content. In reality, the publishers who experienced the lowest level of disruption were those that gave themselves enough time to develop a thorough approach to achieving compliance, implemented a Consent Management Platform (CMP) and embraced the regulations to develop a conversation with their audiences.
In the early days, many publishers sat on the fence or went with lightweight solutions. The problem with this was that over time, ad tech vendors started to pay closer attention to GDPR consent signals from consumers, and as a result, stopped buying impressions from EU users that didn’t supply consent. This is when some of the initial fear became reality and there was a realisation from many publishers that they needed to revisit their consent strategy and implement more robust CMPs.
Who are the winners and losers in the new-GDPR era?
The savvy publishers are the ones who identified that the requirement to capture consent allows them to take advantage of the ‘regulatory friction’ to engage with their consumers and develop stronger, one-to-one relationships with their audience, to not only collect consent signals but to also explore wider content consumption preferences.
In terms of financial losses, there have been several fines, particularly from the French regulator – including the above mentioned €50m fine by CNIL for Google in January.
However, we need to look beyond the financial impact to consider who’s utilising GDPR to build trusted relationships with audiences. The publishers that look to meet basic GDPR compliance are losing out on the opportunity to drive engagement and optimise future monetisation.
There are also some publishers – particularly in the US – that still aren’t tackling the issues surrounding GDPR and are instead blocking EU traffic contradicting the concept of free flowing information which the internet was founded on.
What’s coming next in the world of consent?
The focus on privacy regulation is only going to grow with the CCPA due to launch in early 2020 and other state laws also being considered in the US and globally. With just over half a year to go, the CCPA should be a top priority for publishers looking to understand how best to ensure minimal risk resulting from new legislation.
While CCPA is different to GDPR in that it features an opt-out rather than an opt-in requirement, publishers should still think beyond it in terms of how to manage privacy and consent regulations.
It will also be interesting to consider the implications of identity in the wider consent environment. With recent moves such as Apple’s ITP 2.0 and Google’s privacy related announcements, publishers that rely on cookie-based consent collection must think more broadly about their approach to compliance to ensure consent durability. Authentication-based consent – linking consent preferences to a user profile – allows publishers to strengthen their relationship with users in a direct way and improve the user experience.