GDPR and the United States: The principle is great, so is the cost

Megan Holmes

Just before the holiday weekend, on May 25, the General Data Protection Regulation known as GDPR went into effect. This major move to protect privacy and personal data in the European Union has been looming for two years, since it was adopted by the European Parliament in 2016. It is the first sweeping legislation of its kind to set a standard for data protection internationally.

The regulation has been headline news in the United States only for the last three months. Initially, American companies planned to ignore the policy; many thought it didn’t affect them. Thanks to Facebook and the Cambridge Analytica scandal, that has since changed. Now data protection and the impending GDPR regulations have U.S. companies in panic mode, unsure of just how far this regulation reaches and how far companies must go to comply with its standards.

While the regulation was passed in the EU, platforms, apps and websites that American consumers use every day are deeply affected by these new regulations. The usual suspects – giants like Facebook and Instagram – are not the only ones being called out by the major policy change. Banks, health care providers and numerous other companies throughout the world – any organization that collects, stores, or utilizes data of EU citizens is subject to these regulations. With the multitude of ways in which data is gathered these days, that means pretty much any website that collects information on its visitors (who might possibly be from the EU) must comply.

Hence, the emails. 

If you use Amazon, video streaming platforms, social media, or bank online – you’ve probably received these emails. The titles are all some variation on the theme: “We’ve updated our privacy and cookies policies!” So far, emails in my personal inbox have ranged from companies like Indeed, USAA, FreeConferenceCall.com, HubSpot and Wodify (yes – even personal CrossFit data is being protected by this regulation). The variety of services provided from just this small sampling of businesses is telling of the colossal scope of this regulation.

So what does this new policy really mean?

The GDPR seeks to give the reins back to the consumer on the issue of personal data protection. It expands the scope of what companies are to consider “personal data,” requires companies to closely track data and to allow users to request corrections, deletions or copies of said personal data.

Even further, companies are now required to explicitly state the manner in which they use the data they collect – in words the user understands. This allows EU residents to object to the specific ways their data is used and who it is shared with, giving them the option to opt-in, or opt-out of certain data practices. Perhaps most relevant to the international community is the provision that requires companies to report data breaches and hacks within 72 hours of the incident.

One of the industries most affected by these policy changes is digital marketing. The industry relies heavily on data collected by websites and social media. Using platforms like Facebook and Instagram, digital marketers can micro-target their advertisements based on age, gender, interests (by browser history, Facebook data), geo-location and much more. Digital marketers benefit from and target potential customers with the extensive data collected by these platforms.

Some marketing and email list generation tactics will no longer be feasible under the new policies. Auto-clicked opt-in settings will no longer be allowed, and companies will have to get explicit permission for each of the specific uses of the data they collect, including who they share that data with.

Dzuy Nguyen, CTO at Big Sea, says this is a game changer for EU-based companies and those who operate online, and the U.S. is just beginning to catch up. “The ramifications are huge,” says Nguyen. “They’re giving the control back to the consumer – and that’s a good thing – but it’s murky.” Murky for US companies, because they’re not quite sure how to respond to their broader online audience, and because of the additional costs associated with such monumental changes.

For Big Sea’s clients, Nguyen says, these changes will mean that site visitors with IP addresses originating from Europe will be served a consent wall – here they will be asked to opt-in to site-tracking and cookies by the platforms they use, something that was assumed prior to the regulation – and which will remain assumed for U.S.-based site users.

But these changes are not as simple as adding an opt-in button or some slight form changes, says Nguyen. In order to be in compliance with these stringent regulations while continuing to collect user data, companies with platforms that mine and analyze data – like Facebook, Hubspot or MailChimp – would need to build in capabilities to scrub the data – basically making it anonymous. “We’re talking potentially hundreds of thousands of dollars in technology costs per platform,” says Nguyen. That means major costs for the companies who develop the platforms, as well as the companies who utilize them.

Lucky for many local companies, the onus will not be on them, but on the third party platforms they use to do business – tools like Hubspot, and the many social media platforms that use data to target potential clients. Still, says Nguyen, “It’s up to us to make sure they’re doing business in accordance with these regulations.”

The ramifications of the legislation have already been harsh. Even in the opening hours of May 25, data-driven ad buying plummeted. European programmatic ad buying, through services like Google, plunged 25-40 percent in some cases, according to Digiday.

The reaction to these regulations throughout the U.S. has been varied – some have taken it upon themselves to be the tip of the spear on data protection in the U.S. – making guidebooks and blog posts to help companies navigate the potential crisis. Facebook, Microsoft, Twitter, Apple and other companies have promised greater control to users over their personal data, though the promise has no enforcement mechanism. Still others have shut down European operations entirely, including the Los Angeles Times and Chicago Tribune. The Washington Post has reportedly added an EU paywall, providing services that are free of tracking and advertisements – for a fee.
