Today’s column is written by Todd Ruback, chief privacy officer and vice president of legal affairs at Ghostery.
There has been a vast amount of misguided content on General Data Protection Regulation (GDPR) flying around the internet. Although it is well-intentioned, the content rarely imparts anything new. Rather, it is mostly recycling the same general message of “You need to get ready.”
Companies do need to get ready, but I want to cut through the confusion around systems redesign and policy change. The GDPR, once you strip away the distraction, is very straightforward in that it is all about consent.
The law itself is dense, but its aim is simple: to empower people by giving them control over their personal data. The way organizations will do this is twofold.
First, companies need to look inward to understand what data they collect and how they use it. Second, companies need to reach outward, communicating in simple and clear language what they do with data and how individuals can access and control it. Marketers must be open and honest and provide an easy way for customers to be part of the process through consent.
Empowering the individual is something we can all get behind, and its codification into legislation makes it imperative. However, an overlooked aspect of the GDPR is the impact upon marketers and ad tech or mar tech intermediaries behind the scenes.
The IDC estimates the market opportunity for GDPR-related security and storage vendors alone will grow by $2 billion in the next two years. There’s money on the table because the stakes for noncompliance are so high – penalties of up to 20 million euros (about $21.3 million) or 4% of global turnover, whichever is more.
To avoid the fines, marketers need to understand that they have to get consumers’ consent to engage in “profiling,” also known as “tracking,” which uses technologies such as cookies, IP addresses or device identifiers to collect data. The single most important point marketers should take away from this is that the days of burying notice deep in a terms-of-use policy way down in the footer of a website are gone. Consent to profiling has to be specific and based upon an individual’s action, and it can no longer be given on a “take it or leave it” basis. Finally, even if a person does consent, marketers need to make it easy to withdraw that consent at any time.
A couple of tidbits no one may be sharing: Ad tech companies will need to fully integrate with the websites and apps where they are collecting data. Expect contract revisions to limit data collection and use practices. Indemnification for GDPR transgressions will become the new normal, driving up ad tech risk and the cost of doing business. And finally, don’t be surprised if website customers require the ad tech partners operating on their sites to offer clear consumer controls on the partners’ own sites as well.
The GDPR is a clarion call to make notice and consent collaborative, easy and clear. It’s a fair bet that the data-protection authorities in the member states will monitor and enforce the profiling and consent obligations right out of the gate because it’s what they can most readily see.
The regulators will become market-makers by making an unlikely brand the poster child for consent gone wrong. But marketers can avoid bad press and hefty fines by getting a firm grip on tracking and making the notice and consent process clear and easy to understand.
It is pretty easy to lose sight of the importance of consent with all the noise about redesigning internal systems, information life cycle governance and the other buzzwords out there. But if companies are serious about the user experience, it is time to get on this.