On May 25, the General Data Protection Regulation went into effect, legally prohibiting marketers from collecting, storing, or using European Union residents’ personal data without their explicit consent. The GDPR presented a huge challenge to companies because failure to comply means a hefty fine.
Two weeks later, data privacy management company TrustArc and Dimensional Research surveyed 600 IT and legal professionals in the EU, US, and UK about their compliance efforts. At the time, even with two years to prepare, only 20% believed themselves to be fully compliant, though 53% were in the implementation phase.
If the GDPR were a human employee, it’d be subject to the standard 90-day review. And while Google searches around GDPR have flatlined, that doesn’t make the regulation any less significant. How have things changed since that fateful day in May?
Consumers understand the GDPR better, but do they care?
For consumers, they largely haven’t. Marketing Week recently commissioned a survey of more than 1,000 consumers and found that while 27% believe their overall experience with brands is better, nearly two-thirds don’t see any difference at all.
From the general public’s perspective, the main thing that’s changed is their level of awareness. Leading up to the GDPR, it’s safe to say that anyone reading this website had an above average understanding of what that entailed. But for many people, the regulation likely meant an avalanche of privacy policy updates they blindly accepted. In December, Deloitte surveyed 2,000 Americans and found that 91% consent to legal terms and conditions without reading them. That number is even higher among millennials, only 3% of whom read the fine print.
Since the GDPR went into effect, 57% of Marketing Week’s respondents have a better understanding of how companies use their data than they did before. However, many of them don’t actually care.
Twenty-one percent of people believe companies are collecting and using data illegally. Nearly everyone agreed that would cause them to trust brands less. However, they were pretty evenly split as far as whether they would boycott the brands as a result.
The costly consequences of noncompliance
The EU’s Supervisory Authorities are responsible for enforcing GDPR compliance. Of course, consumer sentiment isn’t a factor.
Earlier this month, Associated Press News reported that even after consumers turn off their location tracking, Google still collects that data in incognito mode. Continuing to track users in Maps, search and weather updates, the search giant updated its location history feature shortly after the story broke.
The argument can be made that Google continues to track people’s location in order to refine its algorithms, rather than to benefit advertisers. But if the Supervisory Authorities don’t find that compelling, Google could face heavy fines. The penalty for violating GDPR compliance is either 4% of a business’ global revenue or €20 million, whichever is higher.
We all know which one is higher for Google. Last year, global revenue was more than $109 billion; 4% is roughly €3.7 billion. That fine is more than the gross domestic product for 30 countries around the world.
Similarly, Facebook is facing a fine over the Cambridge Analytica scandal. Because that happened in March, two months prior to the GDPR, the fine is “only” £500,000. Still, Facebook has experienced a decline in European active users and ad revenue growth.
What this means for advertisers around the world
Google and Facebook can afford those hefty fines. Most companies can’t.
Within hours of the GDPR, European ad exchanges experienced a dramatic decrease in ad demand. Though the programmatic marketplace has recovered somewhat, many marketers continue to move their ad dollars from open exchanges to programmatic guaranteed and private marketplace deals.
Last month, Demandbase also found that are 80% of marketers are concerned that martech vendors may expose them to legal risks because they’re not GDPR compliant. At the same time, only 32% were compliant at the time of the survey. Lack of knowledge and challenges around data management were cited as the biggest reasons for that low number.
When TrustArc surveyed marketers just after the GDPR, the company found that 74% expect to be compliant by the end of the year; 93% by the end of 2019. It’s crucial that they get on board, especially as the GDPR has inspired an increased prioritization of privacy. Similar data regulations are already in the works in Brazil and India.
Stateside, California will also give consumers control over their personal information. Starting January 1, 2020, Californians can determine what data, if any, is collected, sold or shared with third-parties.
Technology has enabled marketing to move at lightning speed and a lot can happen between now and then. Will more companies achieve compliance? Will anyone become a GDPR guinea pig, forced to pay millions of dollars in fines? When will data privacy regulations become the norm? We’ll check back in a few more months.