Do you know what GDPR is? No?
Then pay attention. If you market products to Europe, it may cost you a fine of 4% of your global annual revenues.
The EU’s landmark General Data Protection Regulation (GDPR) is coming at online marketing companies like a freight train. It is already agreed and comes into effect in April 2018. More to the point, it absolutely applies to American and Canadian publishers and networks.
The GDPR is the EU’s new consumer privacy law. It will be one of the strongest data protection regulations anywhere in the world, specifically designed so that its effects extend well beyond Europe. Indeed, the GDPR is designed to reach U.S. companies that handle EU personal information. It is important because the penalties for breaches have been made deliberately painful.
To get into more detail, in addition to companies established in Europe, the GDPR also “will apply to businesses established outside the EU if their processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior.”
Now, this is limited in practice to companies or websites that show intent to draw EU residents as customers, for example, by using a local language or currency. So you don’t need to worry about the occasional visitor, but it can certainly be argued that if you advertise for customers on a European website, that is sufficient intent to fit within the parameters of the law. If that’s the case, then you need to be thinking about GDPR and how you treat the personal data of your customers.
The definition of “personal data” in the GDPR is also expanded to cover any online identifiers or any factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity. That covers virtually everything you can think of.
So what does the GDPR ask that companies do in order to comply? Essentially it comes down to three bullet points:
- Consent: consent for gathering or processing personal data must be “freely given, specific, informed, and unambiguous”;
- Portability: consumers must be able to transfer all data from one provider of goods or services to another; this provision was created to foster competition rather than the data monopolies we are seeing arise here in the USA;
- Erasable: under the “right to be forgotten,” people can have all their personal data erased upon request. If the data controller to which the request has been made “replicated” that data with other companies, then it must also forward the erasure request to those entities.
This list is not comprehensive – there are other associated rights to object to data processing in certain situations, and so on. If you feel the GDPR may affect you, you need to consult an attorney.
What Does GDPR Mean For The Affiliate Marketing Community?
There are lots of areas of concern for any company whose operations are subject in part to the GDPR data protection regime. But for the performance marketing community (and indeed, the entire AdTech and MarTech sectors) in particular, there is a specific danger from the GDPR’s emphasis on clear, explicit consent for how data is collected and treated, when such data includes cookies, IP addresses, and the like. Make no mistake, the EU means business when it comes to protecting its citizens from what it regards as the data/privacy vacuums that Facebook and Google have become (to pull two entirely random examples from the air).
If you believe GDPR might apply to your business, you really should check in with a good attorney. Or take a chance: the maximum penalty under GDPR is only 20 million Euros (about $22 million), so if that is small change to you, there’s nothing to worry about.