The General Data Protection Regulation (GDPR) went into effect in May of 2018 and has caused internet businesses with European Union users to shift their data collection, storage and usage practices. The spirit of the GDPR is to give individuals greater control of their data in a world in which practically all computer devices are connected and some estimate the internet of things to be a $9 billion industry by 2020. The EU has recognized that it is important that users be able to control the valuable information they provide on the internet, especially in light of how often regular internet users input personal information.
Amongst the requirements of the GDRP is that data is collected in accordance with one of the following justifications: (1) with the consent of the user; (2) in performance of a contract with the user; (3) in order to comply with law; (4) for the purpose of health and safety; (5) to perform an official governmental function; or (6) based on the legitimate interests of an organization or third party. For ad-tech companies who do not have a prior business relationship with the user, consent is the primary justification for processing personal information. Another requirement of note is that websites, apps, and online platforms be able to provide users with their data upon their request, and also delete data upon request.
The GDPR particularly affects ad-tech businesses that base their marketing practices on third-party data used to target consumers. The inability of websites to share data is causing them to rethink their customer service, communication, and business strategies. Online marketers are no longer able to chase users around the internet with a bombardment of the same advertisements.
There have been different approaches by ad-tech companies for shifting their behavior while remaining relevant and complaint. One is a hands-off approach, where companies have stopped collecting and handling personally identifiable information for users located in the European Union, which obviously hurts a company’s bottom line. A second approach has been to rely on the GDPR’s exemption of collecting data for a “legitimate business purpose,” which includes requested marketing, fraud prevention, and sometimes market research. A third approach is the passive approach of hoping that the EU only goes after big players in the tech industry, and will have to make concessions and changes to the GDPR before going after the smaller fish.
Companies can still collect cookie-less data like keywords and search data and be GDPR compliant, which highlights the importance of creating a trustworthy relationship with users. This type of first-party data, or data that the consumers have directly provided through a company’s website, should be prioritized in marketing efforts.
The GDPR is persuading many businesses to provide the same rights to all users, including those outside the EU, because of the momentum towards similar data privacy regulations in other jurisdictions. However, it is important to realize that the GDPR does not consist of static regulations. Over the next months and years, there will be challenges and changes to the regulations, so it will be interesting to see how the EU changes the regulations and publishes clarifications to vague and ambiguous portions of the law.
Overall, the GDPR requires businesses to move away from third party data collection and marketing campaigns based on this data, a practice that regularly annoys customers. While this may seem like a hinderance on marketing efforts, the silver lining is that the regulations present an opportunity to create a unique value exchange with consumers that leads to more consumer trust, and better bottom line results. Companies that send too many irrelevant marketing materials and create bad customer service interactions are more likely to be contacted by consumers with burdensome GDPR information requests, so it is important to create relationships with users that make them feel comfortable providing first-party data and consent to receiving marketing materials.
The post GDPR world means that ad-tech companies need to be more open and stop sales tactics that irritate consumers. One positive effect of the GDPR is that companies are being forced to be more open, deliver more value, and enhance their relationship with consumers. It should cause a constructive impetus for improvements across the tech industry, and companies that bear this in mind will do well to grow their bottom line.
Disclaimer: This article discusses general legal issues and developments. Such materials are for informational purposes only and may not reflect the most current law in your jurisdiction. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. No reader should act or refrain from acting on the basis of any information presented herein without seeking the advice of counsel in the relevant jurisdiction. Bend Law Group, PC expressly disclaims all liability in respect of any actions taken or not taken based on any contents of this article.