The European Union GDPR’s Impact on American E-Commerce and Digital Advertising: A New Era in Digita
The European Union (EU) passed comprehensive privacy regulations last year with its General Data Protection Regulation (GDPR). These laws will go into effect in May of 2018, less than a year away. While companies with a significant EU presence may already be fully aware of the GDPR's mandates and are taking steps to ensure their compliance, many purely US-based companies that purposely or inadvertently collect data from EU individuals over the Internet are still under the mistaken belief that these laws will not apply to them.
The GDPR creates a uniform privacy regime across the EU for the first time, replacing the current patchwork of member state laws implementing the current privacy Directive, and impacting all businesses and industry sectors collecting data from European Union individuals. But now it is not just companies with a European presence that may be affected. There is growing concern and anticipation in the online, digital advertising and e-commerce communities that the new EU regulations are “ripping the digital ecosystem apart,” and American companies should take notice.
“I’m surprised more marketers have not woken up to the implications of GDPR. The new regulations will be a significant challenge for the ecosystem and it’s difficult to forecast how technology will adjust,” said Stephen Loerke, CEO of the World Federation of Advertisers, in an IAPP article.
To understand the concerns, it helps to analyze the distinctions between the new regulations and the existing EU data protection directive. The GDPR mostly follows its predecessor, the EU Data Protection Directive 95/46/EC, with a few major distinctions:
1. GDPR Becomes Law Upon Implementation:
The GDPR is a regulation that takes legal effect immediately across all EU member nations upon its implementation on May 25, 2018, and does not need to be approved and adopted by member states (as the Directive did).
2. Personal Information Now Includes Web Traffic / Device Information:
The GDPR has expanded the definition of “personal information”. Personal information under the EU Directive included directly personally identifiable information (such as one’s name, address, credit card number, health information, etc.) and indirectly personally identifiable information (such as “the Reyes & Schroeder Associates privacy attorney working in Los Angeles”). However, it was unclear under the EU Directive whether indirect identifiers included IP addresses or cookie strings, which have traditionally been viewed as non-personally identifiable information. Under the GDPR, this ambiguity is resolved. The GDPR’s definition of personal information now includes web traffic identifiers, IP addresses, website history tracking, mobile device IDs and location data, in addition to the more traditional forms of personal information.
The GDPR has a carve-out for what it calls “pseudonymous data”. This is data that has been subjected to technological security measures (e.g., hashing or encryption) so that the data no longer directly identifies an individual without the use of additional information, such as a security key, that is kept separately. The use of pseudonymized data allows greater flexibility for companies to conduct data profiling without the data subject’s express consent.
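The following is an added example, not code from the article, showing the difference between the two measures the paragraph names. It pseudonymizes the web-traffic identifiers the GDPR now treats as personal information (IP addresses, device IDs) with a keyed HMAC, so that re-identification requires a key that is stored separately from the records. It also shows the practical caveat: an unkeyed hash of a low-entropy identifier such as an IPv4 address is not really pseudonymous, because anyone can hash every candidate address and match the digest. The record fields, the documentation-range addresses (203.0.113.0/24) and the key handling are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed demo records, as a web-analytics pipeline might collect them.
# The addresses are from the IETF documentation range, not real visitors.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.42", "device_id": "dev-001", "page": "/checkout"},
    {"ip": "203.0.113.42", "device_id": "dev-001", "page": "/cart"},
    {"ip": "203.0.113.7", "device_id": "dev-002", "page": "/"},
]

IDENTIFIER_FIELDS = ("ip", "device_id")


def new_pseudonym_key() -> bytes:
    """Generate the secret key that makes the pseudonyms reversible only by its holder.

    In a real deployment this key is the 'additional information' the GDPR text
    refers to and must be stored apart from the pseudonymized data (assumption:
    a key management service; here it is simply generated in memory).
    """
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) of an identifier such as an IP or device ID.

    The same identifier under the same key always yields the same pseudonym, so
    records about one visitor stay linkable inside the dataset, while no one
    without the key can compute or verify a pseudonym for a guessed identifier.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256, the approach often mistaken for pseudonymization."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reverse_by_enumeration(
    digest: str, network: str, hash_fn: Callable[[str], str]
) -> Optional[str]:
    """Try to recover an IPv4 address from a digest by hashing every address in network.

    This is the check a defender runs to prove whether a hashing scheme is
    actually pseudonymous: if it succeeds, the digest still identifies the person.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hash_fn(str(addr)), digest):
            return str(addr)
    return None


def pseudonymize_record(record: dict, key: bytes, fields=IDENTIFIER_FIELDS) -> dict:
    """Return a copy of record with every identifier field replaced by its pseudonym."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = pseudonymize(out[field], key)
    return out


def pseudonymize_dataset(records: list, key: bytes) -> list:
    """Pseudonymize a whole batch; non-identifier fields (e.g. page) are left intact."""
    return [pseudonymize_record(r, key) for r in records]


if __name__ == "__main__":
    key = new_pseudonym_key()
    for rec in pseudonymize_dataset(SAMPLE_RECORDS, key):
        print(rec)

    # Unkeyed hashing of an IPv4 address is reversible by enumerating the address space.
    print("naive hash recovered:",
          reverse_by_enumeration(naive_hash("203.0.113.42"), "203.0.113.0/24", naive_hash))
    # The keyed pseudonym cannot be matched without the key.
    print("keyed pseudonym recovered:",
          reverse_by_enumeration(pseudonymize("203.0.113.42", key), "203.0.113.0/24", naive_hash))
```

The example enumerates only a /24 so it finishes instantly; the full IPv4 space is small enough that the same reversal of unkeyed hashes is routine, which is why the key, not the hash function, is what earns the data its pseudonymous status. Rotating the key also lets a controller break linkability between retention periods without touching the stored records.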
3. Applicable to Data Processors:
Unlike the EU Directive, the GDPR no longer solely regulates data controllers (i.e. those responsible for the collection and storage of personal information), but now also applies to data processors (i.e. any entity that accesses, manipulates and/or processes the personal information in any manner).
Any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the data controller or the data processor responsible for the harm.
4. Extraterritoriality Enforcement:
The GDPR contains explicit extraterritoriality enforcement provisions, indicating the Regulation is meant to apply to any entity offering goods or services to EU individuals or processing the data of EU individuals, regardless of whether or not that entity has offices in, or connections with, the EU.
Article 3 of the GDPR states that the Regulation will apply to the processing of personal data of individuals who reside in the EU, when the processing is conducted by a controller or processor that is not established in the EU, if such processing relates to: (i) the offering of goods or services in the EU, whether payment is required or not (applicable to data controllers); or (ii) the monitoring of such individuals’ behavior, to the extent that such behavior takes place within the EU (applicable to pure data processors).
5. Independent Data Protection Officer (DPO):
The GDPR requires that all companies subject to its enforcement employ an independent DPO to oversee the entity’s data collection, use, privacy and security policies and practices. This DPO should be in a position to act as an independent auditor, and should not be a member of the company’s IT or security team. Failure to appoint a DPO is a violation.
6. Reporting and Consent Requirements:
Under the GDPR, companies are mandated to report hijacking incidents within 72 hours and to ensure parental consent for children under 16.
Finally (and of particular concern to those who violate the GDPR), the GDPR provides for sanctions of up to 4% of a company’s annual gross revenue for violations of any of its terms; no small cost.
Additionally, as with the current EU Directive, transnational data flows to countries not deemed “adequate” by the EU Council are impermissible when such data contains personal information of EU individuals. The United States is currently not “adequate”, and consequently any EU personal data collected or processed in the US would automatically violate the GDPR unless certain limited conditions (discussed below) are met (such as the EU-US Privacy Shield). Also, like the current Directive, companies will need to follow the GDPR’s standard principles of notice, choice (requiring opt-in consent for the processing of personal information), accountability for onward transfer (i.e., restrictions on transnational data flows), security, data integrity and purpose limitation, access, recourse, enforcement and liability.
What Does This Mean For American E-Commerce and Digital Marketing?
As a direct result of these major changes (in particular, distinctions 1-4), any American website or mobile application that promotes goods or services to EU individuals (for example, if prices for offered goods or services are provided in Euros) is within the scope of the GDPR. In addition, any American company providing a website or mobile application that uses data profiling for business analytics, such as web traffic information, cookies, beacons, etc., is within the scope of the GDPR if such website/app is accessed by an EU individual. Not only that, but under the new regulations even wholly American-based digital advertising, targeting or tracking companies, which do nothing more than process web traffic or tracking data exclusively for the purpose of delivering targeted advertising to an American company’s website, are subject to the GDPR if an EU individual’s information has been processed.
Dr. Johnny Ryan, head of ecosystem at PageFair, an Ireland-based ad serving technology company, claims in an IAPP article: “Companies who create value only by using data and tracking people across the internet . . . will have their businesses seriously disrupted. . . . The EU is finally bringing a standard of privacy to digital, preventing the arbitrary collection and exchange of personal data that has been going on for 20 years. Digital has been in cowboy territory for too long – the [GDPR] is ripping the digital ecosystem apart.”
Essentially, under the GDPR, targeting and tracking companies will need to get user consent to continue with their business models, due to the GDPR’s choice requirements and expanded enforcement. Any and all data linked to a user that follows the user across the Internet will need to be disclosed to the user, with express consent sought, or be pseudonymized before it is accessed.
Dr. Ryan predicts that “the whole digital dynamic will move away from third party,” as the GDPR will incentivize mergers and acquisitions of tech companies seeking to exploit media owners’ direct relationships with their readers and viewers.
Not only is the third party digital marketing space a concern for American data processing companies’ business models, but American data controllers, in particular e-commerce companies that advertise goods or services online worldwide, may run afoul of the GDPR. If such companies sell to an EU individual, or even offer goods or services in Euros, any data collected from an EU visitor to the website, including web traffic data, potentially violates the GDPR due to its restrictions on transatlantic flows of data to the US. As mentioned above, unless certain limited compliance methods are met, such transatlantic flows of data containing personal information of EU citizens are forbidden.
How To Comply with the GDPR and Avoid Liability: