The Impact of GDPR for American Companies Might Be Bigger than You Think
By Jonathan Crowl on February 14, 2018
When it comes to overhauling privacy practices and improving cybersecurity, GDPR is becoming a top priority for American companies. In fact, a MediaPro survey found that 54 percent of US companies have made GDPR readiness a top focus for 2018.
But the General Data Protection Regulation, set to be enacted on May 25, remains unfamiliar to many professionals working in these companies. The same survey found broad disparity and misunderstanding regarding the regulatory rules framed by GDPR, including how individuals should respond when they believe GDPR has been violated. Fifty-nine percent of respondents said GDPR was a "completely new" concept to them, while 80 percent of respondents couldn't say whether the regulations insisted that sensitive-data theft, one of the focal points of this legislation, should be reported at work.
As many American companies may know by now, these European Union regulations will impact any business that uses data from European consumers. This includes the use of data in targeting consumers for marketing campaigns and gathering information based on their user behavior. Multinational and enterprise organizations likely recognize that their overseas business will inevitably require them to account for GDPR and ensure their marketing practices meet EU regulations. But other businesses may not know the extent to which these regulations affect them.
But if those companies hope to stick their heads in the sand and remain blissfully unaware, they're headed for trouble.
America's Slow Response to European Regulation
Some critics argue that this slow response to upcoming EU compliance requirements underscores a pattern of slow response to cybersecurity threats by American companies. IEEE Spectrum notes that many American companies have looked the other way in past instances where there were clear incentives to take better care of customer data and report breaches in a timely manner.
Whether they will take GDPR seriously remains to be seen. The EU has outlined severe financial penalties for businesses that fail to meet EU compliance standards, and it's clear that businesses with a clear presence in the European market, such as tech companies, are intent on coming into compliance. But according to a study from Thales, 53 percent of US businesses believe that GDPR will have no effect on their business operations. This means they either believe their practices are in compliance with Europe's new regulations, or they don't expect their business activities to involve European consumers.
Research from Gartner suggests a good number of those businesses are wrong: The research firm estimates that by the end of 2018, half of all businesses affected by GDPR will still not be in compliance with the regulations. And Thales' survey suggests that among US businesses trying to come into compliance, 35 percent won't hit the May 25 deadline.
Part of the problem is a lack of understanding of the scope and implications of GDPR and how it will force businesses to change their practices. One of the most significant shifts it promises to deliver is the approach companies use to implement programmatic ad campaigns.
How Consent May Undermine Programmatic Campaigns
An immediate and challenging consequence of GDPR for American companies is its role in reshaping programmatic ad strategies. As a report from Martech Today points out, businesses have to receive explicit consent from consumers anytime they want to use personal data for ad targeting purposes. A single digital ad can easily use 10 points of consumer data, which means the consumer would have to opt in for all 10 data points to be shared before the ad could be targeted to the individual.
If that sounds like a big problem, that's because it is. Martech Today notes that one executive for PageFair has already deemed programmatic "unworkable" under the new regulations, for two key reasons: First, consumers opt in for third-party data sharing at relatively low rates of 5 to 20 percent. This means 80 to 95 percent of all users would be excluded from any programmatic campaign, torpedoing its ROI.
Secondly, since current display ad strategies share data between dozens, even hundreds, of different third-party vendors to build up enough data to deliver relevant, high-value ads, it's inevitable that data leaks or breaches develop within that process. Under the new GDPR regulations, every vendor involved in the breach could be legally liable. A single breach could implicate hundreds of businesses, which makes the risk far too great for the approach to be practical.
Personal data, in other words, requires extreme care, even when remaining in compliance with GDPR. One viable but unsatisfactory solution for programmatic advertising: Instead of using personal data to deliver relevant ads, brands can settle for "group data," which offers less personalization and inherently lower ROI, because the data can't be precise enough to single out individual consumers.
All that to say, programmatic advertising may not die. But its value could take a serious hit, and its capabilities will be diminished. If you're a business relying on programmatic strategies to target any European consumers, consider those campaigns on life support: Even if they do survive, they will have to be augmented to such a degree that they will barely resemble programmatic as you know it now.
This is just one example of how GDPR regulations will affect American businesses, even if they maintain only a marginal presence in Europe and have no personnel on the ground in this region. These regulations are consumer-friendly and will go a long way toward guarding against cybersecurity threats, but businesses of all shapes and sizes will be required to do heavy lifting and make tough choices regarding their current approach to overseas marketing.
Reaching Compromise Through the Privacy Shield
Even for US businesses dedicated to meeting GDPR compliance, there remain some challenges in how American businesses can fully comply with this new set of regulations. One such challenge is the confusion around how to address user tracking with cookies: Websites use cookies to deliver customized experiences, remember user settings, and support a range of functionality consumers expect when they visit a site. In such cases, full compliance with GDPR would essentially render the experience of these websites useless to consumers.
The Privacy Shield framework is an agreement reached between the US Department of Commerce and the European Commission that provides some adjusted expectations for European data being processed on US servers. Most notably, the need for consent is altered from an opt-in requirement to an opt-out clause, meaning the default user experience in these cases will still involve the use of cookies. The Privacy Shield provides some critical protection for US companies as they seek full GDPR compliance, but it still offers privacy safeguards to European consumers and gives those consumers several potential courses of action to be taken if they believe their data privacy has been compromised.
By implementing the Privacy Shield, the transition to GDPR compliance becomes much more practical for US companies while still increasing consumer protections. Businesses should seek out certification under Privacy Shield standards to ensure their operations are in compliance before GDPR goes live.
GDPR's new security standard will bring growing pains for many businesses, but it has long been viewed as a necessary step to keep consumer data safe while guarding against cybersecurity threats. While this current regulation is based in Europe, it's likely that the United States will someday implement a similar regulatory standard, so avoidance is not a great business strategy. Sooner or later, the changes represented by GDPR will hit home with your company's marketing strategy.