The European Union’s General Data Protection Regulation (GDPR) is considered to be the most comprehensive and far-reaching data privacy initiative of the past 20 years. It contains massive penalties for noncompliance, and it is set to go into effect in mid-2018.
One of its most important features: It’s applied based on business activity, rather than physical location, which means that it can impact US (and other non-EU) companies by virtue of their business practices.
This guide provides a comprehensive overview of the GDPR from the perspective of a US media company. It does not provide legal analysis of the regulation’s provisions, nor does it deeply explain how each of the articles will be interpreted. Rather, it is intended to act as a starting point for US ad tech companies, publishers, marketers, and agencies to help them determine whether the GDPR applies to them and what steps they should take to become (and stay) compliant.
This guide provides legal information on the GDPR, and it is intended to help you understand and identify some of the issues that your company may be facing to become compliant. But–and this is very important–this is not legal advice. Your obligations and liability depend on your situation’s specific facts. You will need to hire your own lawyer to determine what those are.
I minimized the legalese as much as possible to make this guide accessible to all readers. I’ve written it in a Q&A format to make it easier to find the subject matter that may be relevant to your business.
To skip directly to a specific section of this guide, use the following links:
- Part 1: The GDPR Explained
- Part 2: Scope of the GDPR
- Part 3: GDPR Compliance
- Part 4: Conducting a Self-Assessment
- Part 5: The Future of Privacy and Data Protection
Estimated reading time: 23 minutes.
Okay, let’s begin with the most basic question.
Part 1: The GDPR Explained
What Is the GDPR?
The General Data Protection Regulation (GDPR) is newly enacted legislation that will regulate consumer privacy in the EU. Until now, EU members were subject to the Data Protection Directive 95/46/EC, which regulated the processing of personal data. The directive, however, was merely a guideline, and each EU member state needed to enact its own legislation that reflected its principles. As a result, the EU had a patchwork of privacy laws.
The GDPR, on the other hand, is a binding legislative act. It unifies data protection laws across the entire EU, with the intention of both strengthening the privacy rights of individuals and simplifying the rules that apply to companies operating in the EU. At the same time, it imposes hefty fines on companies that don’t comply.
When Does the GDPR Take Effect?
GDPR entered into force on May 25, 2016, after four years of debate within the EU Parliament. The GDPR will take effect on May 25, 2018, after a two-year transition period.
What Types of Data Does the GDPR Regulate?
The GDPR regulates the collection and usage of personal data of a data subject. The personal data has to belong to a living, identified or identifiable natural person. This means that the GDPR does not apply to deceased persons or to non-natural persons (e.g., corporations).
It also means that the person must be either identified or capable of being identified, directly or indirectly, by reference to an identification number or one or more factors specific to that person’s physical, physiological, mental, economic, cultural, or social identity.
In this context, personal data includes:
- Email address
- Bank details
- Social media posts
- Medical information
- Computer data (including location data, IP address, cookie data, and RFID tags)
Personal data includes any information that can be used to indirectly identify an individual, such as a user ID, location data, or one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
It also comprises subsegments of information, such as sensitive personal data (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, etc.) and pseudonymous data (i.e., data that is rendered unidentifiable on its own because it is hashed and requires the use of a separately held secret key to enable the identification of individuals).
The GDPR does not regulate anonymous data; that is, data where no individual can be identified from the data, directly or indirectly.
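To make the line between pseudonymous and anonymous data concrete, here is an added Python example (not part of the original guide) of keyed pseudonymization using HMAC-SHA256. The key, the sample record and the function names are constructed for illustration. It also shows why an unkeyed hash of an e-mail address is not a pseudonym in the GDPR sense: anyone who can guess the input can confirm it from the hash alone, whereas the keyed token can only be linked back by whoever holds the secret key, and destroying that key is what moves the data set toward anonymous.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample record (hypothetical, not real personal data).
SAMPLE_RECORD = {"email": "Alice@Example.com", "country": "DE", "cart_value": 42.5}


def normalize(identifier: str) -> str:
    """Canonicalize the identifier so the same person always yields the same token."""
    return identifier.strip().lower()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier under a secret key.

    Same input + same key -> same token, so records stay linkable for
    analytics, but without the key the token cannot be mapped back.
    """
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 with no secret: what is often mislabelled as pseudonymization."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def can_reidentify(token: str, candidates: List[str], key: Optional[bytes]) -> Optional[str]:
    """Return the candidate identifier that produces `token`, or None.

    With key=None this is the confirmation anyone can run against an unkeyed
    hash using a list of plausible addresses; with the key it is the legitimate
    re-identification only the key holder can perform.
    """
    for candidate in candidates:
        guess = unkeyed_hash(candidate) if key is None else pseudonymize(candidate, key)
        if hmac.compare_digest(guess, token):
            return normalize(candidate)
    return None


def split_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with its keyed token; keep the other fields."""
    out = dict(record)
    out["subject_token"] = pseudonymize(out.pop("email"), key)
    return out


def generate_key() -> bytes:
    """The key must live apart from the pseudonymized data set (e.g. in a KMS)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = generate_key()
    print(split_record(SAMPLE_RECORD, key))
```

The design choice worth noting is that linkability is preserved (the same address always produces the same token under the same key), which is what makes the data still "personal" under the GDPR; only the controller's separate custody of the key keeps it pseudonymous rather than directly identifying.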
Not Just Computer Files
The GDPR only applies to personal data that is processed by automated systems or relevant filing systems. While this obviously captures any information in a computer database or spreadsheet, it also captures personal data stored in hard-copy form (i.e., printed physical documents) if it is accessible through a relevant filing system. This means that customer records in a filing cabinet arranged alphabetically by last name are captured, but a filing cabinet of orders arranged only by date would not be, since there is no effective system to store and access the data by data subject.
What Are the Penalties for Breaching the GDPR?
Data Protection Authorities (DPAs) in each EU country are responsible for enforcing the GDPR. If a company does not comply with its GDPR obligations, DPAs can give it a warning, suspend or ban its data-processing activities, or impose heavy fines. Monetary penalties fall into two classifications:
- For less severe breaches, the maximum fine is €10 million or two percent of a company’s annual revenue, whichever is greater.
- For more severe breaches, the maximum fine is €20 million or four percent of a company’s annual revenue, whichever is greater.
The actual fine imposed will take into account a number of factors, including the nature, gravity, and duration of the infringement; whether it was intentional or not; and any previous history of noncompliance.
While the GDPR purports to apply to non-EU companies, it is questionable whether EU authorities would try to collect fines from US companies without an EU subsidiary or affiliate.
Part 2: Scope of the GDPR
Who Does the GDPR Apply To?
The GDPR has far-reaching application. It applies to all organizations located in the EU, even if the data processing occurs outside the EU. It also applies to any organization located outside the EU, if that company does one or more of the following:
- Offers goods or services to EU data subjects, irrespective of whether any payment is required
- Monitors the behavior of EU data subjects
- Processes or holds the personal data of EU data subjects
Note that the GDPR applies generally to business activities. It does not apply to purely personal or household activities or the activities of police authorities and other EU agencies.
The GDPR Applies to All Organizations Located in the EU. What Does This Mean?
The language in the GDPR states that the regulation applies to companies with an establishment in the EU. The EU courts have interpreted “established” in a broad and flexible way, so application would not be limited to companies that have a legal entity in an EU country. Rather, it includes any company with permanent and stable business activities in the EU.
While the scope of what this means is as yet unclear, the language in the GDPR suggests that the regulation applies to any activity that envisages offering services in a member country. Hence, companies that have a representative in an EU country or that have a specific website directed at an EU country (e.g., a unique website on an EU-country top-level domain, in the host language, accepting a local currency) could be included. Even a local postal address or local bank account could theoretically be enough to include a company domiciled elsewhere.
It is important to note that if a company has an establishment in the EU, it is irrelevant whether the data-processing activities take place in the EU or elsewhere.
Does your company offer goods or services targeted at a specific EU country? If you have a version of your website hosted on an EU-country top-level domain (TLD) and written in the native language of that country, then you can be deemed to have an establishment in the EU and be subject to compliance with the GDPR. This could be the case even if you provide your goods or services for free.
We Don’t Have an Office in the EU. Can the GDPR Still Apply to My Company?
Yes. Even if your company does not have an establishment in the EU, the regulation can apply if you do any of the following:
- You offer goods or services to EU data subjects, irrespective of whether any payment is required. It would seem that operating a business that is accessible by EU data subjects would not be sufficient to do so. However, a company that takes actions beyond simple accessibility may be subjected to the regulation. For example, the EU courts have, in the past, decided that buying search engine ads targeted at users in an EU member country suggests an intention to target EU customers.
- You monitor the behavior of EU data subjects. Monitoring EU data subjects can take many forms, but it specifically includes the online tracking of individuals in order to create profiles. The regulation further states that this includes any situation whereby the activity is intended to analyze or predict personal preferences, behaviors, and attitudes. In practice, this would mean that the use of personal data of an EU data subject to provide targeted marketing or price differentiation would be regulated by the GDPR.
- You process or hold the personal data of EU data subjects. The definition of processing is so broad that pretty much any activity utilizing personal data is regulated. Collecting, storing, duplicating, structuring, linking, retrieving, using, and deleting data are all types of processing.
Controller vs. Processor
The GDPR applies to both controllers and processors, but the distinction is important as the obligations for each differ.
A controller is the entity (a person or a company) that determines the purpose and means of processing personal data. This is the case whether the entity makes that determination alone or with others. A processor, on the other hand, is the entity that processes personal data on behalf of the controller.
The same entity can be both a controller and a processor, depending on the circumstances. For example, a technology company that provides payment processing technology to online merchants is the processor and the merchant is the controller. However, if that technology company packages the same personal data to provide targeted customer segments to advertisers, it is acting as a controller.
Does the GDPR Apply Only to Personal Data of EU Citizens?
Whether a data subject is located in the EU is not yet conclusively defined, although it appears that it will likely be very broadly defined. Why Research May No Longer Be the Same, a research paper by Els Kindt of the Centre for IT & IP Law, suggests that a person’s location in the EU is the important criterion, regardless of their citizenship or residency. Therefore, any natural person that is domiciled, resident, or travelling in the EU can be a data subject.
Cookies in the EU are already subject to the so-called cookie law. But the EU is planning to implement the ePrivacy Regulation as a counterpart to the GDPR, which will regulate all forms of electronic communication (e.g., websites, email, apps, and instant messaging). There is even an expectation that it will cover communication through the internet of things. Among other things, it will include similar penalties for noncompliance as the GDPR does. The ePrivacy Regulation has not yet been passed, but it is worth keeping an eye on, as it will extend and strengthen the reach of the GDPR.
Part 3: GDPR Compliance
What Do I Need to Do to Comply With the GDPR?
Forrester predicts that 80 percent of firms affected by GDPR will not comply with the regulation by May 2018. Gartner estimates that less than half of companies that GDPR applies to will be in compliance by the end of 2018.
GDPR compliance has many requirements, but the primary ones to recognize are:
- You need to obtain informed consent from an individual before collecting, storing, or using their personal data.
- The individual from whom you are collecting data has the right to withdraw consent and to be forgotten.
- The data you collect must be minimized, accurate, and portable.
- You have specific obligations if the data you store is ever breached.
How Do I Obtain Consent to Collect, Store, and Use an Individual’s Personal Data?
The concept of obtaining consent to the collection and usage of a person’s personal data is central to the GDPR. Consent must be clearly and specifically requested by the company seeking to use it, in easy-to-understand language. Correspondingly, the person whose data is being collected must specifically, unambiguously, and freely consent to the collection and intended usage.
In practice, this means that the traditional ways of obtaining consent are noncompliant. This includes burying the consent in long and hard-to-understand terms of service documents, requiring a user to opt out of giving consent, and pre-ticking boxes granting consent.
Do You Have the Appropriate Consent?
Every business subject to the GDPR will want to assess what personal data it is collecting, storing, and using and for what purpose. Furthermore, you will want to review your process for obtaining consent from users and ensure that it meets the GDPR requirements. Do you clearly explain what data is being collected and why? Does the data subject explicitly agree to this? How do you know? It may be necessary to go back to your customers and re-obtain the consent in a compliant manner.
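The questions above (“Does the data subject explicitly agree to this? How do you know?”) come down to what your systems record. Here is an added Python example, not part of the original guide, of a per-purpose consent registry that refuses to record consent that was not an affirmative action (the pre-ticked box or opt-out case described above), always accepts withdrawal, defaults to deny when nothing is recorded, and can produce the evidence trail for a given subject and purpose. The purpose names, notice versions and source labels are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Consent must be tied to a specific, named purpose; a blanket bucket is not enough.
PURPOSES = {"order_fulfilment", "newsletter", "behavioural_ads"}  # constructed


@dataclass
class ConsentEvent:
    subject_id: str       # pseudonymous subject reference, not the e-mail itself
    purpose: str
    granted: bool         # True = affirmative opt-in, False = withdrawal
    notice_version: str   # which plain-language notice the person was shown
    timestamp: str        # UTC ISO-8601
    source: str           # where the decision was captured, e.g. a named form control


class ConsentRegistry:
    """Append-only log of consent decisions, one event per decision (constructed example)."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool, notice_version: str,
               source: str, affirmative_action: bool = True,
               now: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: consent must name a specific purpose")
        if granted and not affirmative_action:
            # Silence, inactivity or a pre-ticked box does not count as consent.
            raise ValueError("consent requires an affirmative action by the data subject")
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        event = ConsentEvent(subject_id, purpose, granted, notice_version, stamp, source)
        self.events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 now: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is always accepted; it is the grant that needs the affirmative action."""
        return self.record(subject_id, purpose, False, "withdrawal", source, now=now)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self.events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """No record at all means no consent: the default is deny."""
        event = self.latest(subject_id, purpose)
        return bool(event and event.granted)

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """Answer 'how do you know?': the full decision trail for this subject and purpose."""
        return [vars(e) for e in self.events
                if e.subject_id == subject_id and e.purpose == purpose]


if __name__ == "__main__":
    registry = ConsentRegistry()
    registry.record("subj-1", "newsletter", True, "notice-v3", "signup-checkbox")
    print(registry.is_permitted("subj-1", "newsletter"), registry.evidence("subj-1", "newsletter"))
```

Keeping the log append-only (withdrawal is a new event, not an edit of the old one) is what lets you later show both that consent existed at the time of a given send and exactly when it was withdrawn.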
Can Children Provide Consent?
The GDPR requires parental consent for the collection, storage, and usage of personal data for anyone under 16 years old. EU member countries can choose to reduce the age of consent to as low as 13 years old, if they choose.
What Is the Right to Be Forgotten?
Basically, this means that every individual to whom the GDPR applies has the right to have their personal data securely, completely, and provably deleted. And deletion must be done without any undue delay. In practice, this means that companies will have to ensure that their systems are able to support not only the erasure of data but also the creation of an accessible paper trail to provide evidence of when and how this was done.
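The requirement above is two-sided: the data must actually be gone, and you must be able to prove afterwards when and how it was removed. Here is an added Python example, not part of the original guide, that erases every row for a subject across an in-memory stand-in for your tables, re-checks that nothing remains, and appends a receipt to a hash-chained, append-only ledger that holds only the subject reference and row counts, never the erased data itself. The table names, subject identifiers and actor label are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64


def build_sample_store() -> Dict[str, List[dict]]:
    """Constructed in-memory stand-in for the tables that hold a subject's data."""
    return {
        "profiles": [{"subject_id": "subj-1001", "country": "FR"},
                     {"subject_id": "subj-1002", "country": "DE"}],
        "orders": [{"subject_id": "subj-1001", "order_id": "o-1"},
                   {"subject_id": "subj-1001", "order_id": "o-2"},
                   {"subject_id": "subj-1002", "order_id": "o-3"}],
        "events": [{"subject_id": "subj-1001", "type": "view"}] * 3
                  + [{"subject_id": "subj-1002", "type": "click"}],
    }


class ErasureLedger:
    """Append-only, hash-chained record of erasures.

    Each entry commits to the previous entry's hash, so editing or dropping an
    earlier entry makes verify() fail. The ledger records the subject reference
    and what was removed, not the personal data that was erased.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, receipt: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = dict(receipt, prev_hash=prev)
        entry_hash = self._digest(body)
        self.entries.append(dict(body, entry_hash=entry_hash))
        return entry_hash

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev or self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def remaining_references(store: Dict[str, List[dict]], subject_id: str) -> int:
    """Independent re-check after erasure: how many rows still point at the subject."""
    return sum(1 for rows in store.values() for row in rows if row.get("subject_id") == subject_id)


def erase_subject(store: Dict[str, List[dict]], subject_id: str, ledger: ErasureLedger,
                  actor: str, now: Optional[datetime] = None) -> dict:
    """Delete every row for the subject, re-check, and log a receipt.

    A request for a subject with no data is still logged, because proving that
    nothing was held is part of answering the request.
    """
    removed: Dict[str, int] = {}
    for table in list(store):
        before = len(store[table])
        store[table] = [row for row in store[table] if row.get("subject_id") != subject_id]
        removed[table] = before - len(store[table])
    receipt = {
        "event": "erasure",
        "subject_id": subject_id,
        "actor": actor,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "rows_removed": removed,
        "verified_clean": remaining_references(store, subject_id) == 0,
    }
    receipt["entry_hash"] = ledger.append(receipt)
    return receipt


if __name__ == "__main__":
    store, ledger = build_sample_store(), ErasureLedger()
    print(erase_subject(store, "subj-1001", ledger, actor="privacy-ops"))
    print("ledger intact:", ledger.verify())
```

In a real deployment the receipt's `entry_hash` is what you hand back to the data subject or regulator, and backups and downstream processors need the same treatment; the in-memory store here only covers the primary copy.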
What Must I Do If There Is a Data Breach?
While there is no federal security breach notification law in the United States, all states besides Alabama and South Dakota have legislation in place requiring companies to provide notification when personal information has been breached. The GDPR requires that companies notify individuals of a breach of their personal data where the risk of harm to the individual is high. Such notification must include:
- The name and contact of the company’s data protection officer
- The anticipated consequences of the breach
- Any measures taken by the company to remedy or mitigate the breach
Companies are not required to notify an individual of a breach if the risk of harm is low (e.g., because the breached data was encrypted), the company has taken measures to protect against harm (e.g., the hacked account was suspended), or the company has issued a public notice of the breach.
Data Across Borders
The GDPR imposes specific rules on the transfer of personal data across borders. This is the case not only when it is transferred across borders to a third party but even when the data is transferred for internal business uses. For example, if an employee in your US office logs in to a CRM system that displays the personal data of a client of an EU office, then the personal data is deemed to have been exported and the GDPR export provisions must be met.
How Does the GDPR Impact Media Companies?
Each media company will be impacted differently depending on its business model. Data brokers–such as Acxiom, Experian, and Epsilon–will need to revise their processes for collecting and selling user data. They will need to obtain informed, explicit consent from users, which will make it much harder for them to continue to operate their businesses as they currently do.
The impact on social networks–such as Google or Facebook–remains to be seen. Presumably, they will need to modify their consent policies to obtain informed, explicit consent to utilize user data—but, given network effects and the utility of their services, most expect that they will be able to do so. That said, there are some interpretations of the GDPR that suggest that they will not be able to make consent a condition of accessing their services, thus bringing them on par with other publishers.
Finally, retargeting companies–such as Criteo and AdRoll–could be hit especially hard. Their entire business model is based on using data to track users across the web, showing ads based on prior behavior (e.g., the user having added a product to an ecommerce shopping cart). But, retargeting companies do not usually have any direct relationship with the end user, instead relying on information passed by both the advertiser and the publisher. Lacking the opportunity to obtain consent directly from the end user can have a detrimental effect on a remarketer’s performance; basically, handicapping its value proposition to the market.
Part 4: Conducting a Self-Assessment
Are My Privacy Policies in Order?
- Is it easy to understand?
- Does it clearly spell out what data is being collected and for what purposes?
- Does it provide your users with all the information that they need to make informed decisions about their data (e.g., how they can access it or amend incorrect information)?
- Most importantly, does it actually reflect how your business operates?
One of the biggest threats will be to businesses that think they are safe because their written policy is compliant only to discover that their actual business operates in a way that is drastically different from what is written.
Are My Contracts in Order?
Under the GDPR, data controllers (i.e., companies that collect data from users) are only permitted to work with data processors (i.e., companies that do anything with that data, including store it) that can provide sufficient guarantees that they meet the regulation’s requirements.
Among other things, GDPR Article 28 sets out specific terms that a data controller must include in its contract with a data processor, if that processor will have access to EU personal data. If you, as the data controller, are working with a data processor, your written contracts will need to ensure that the processor:
- Only processes the personal data on your documented instructions
- Gets your written consent before engaging any subprocessors (and, if it does, it will impose the same requirements on those subprocessors as it must adhere to)
- Ensures that only authorized personnel (who are subject to a contractual or statutory duty of confidentiality) will be allowed to access the data
- Deletes or returns all personal data upon completion of the processing
- Takes all appropriate technical and organizational measures to ensure compliance with the GDPR obligations
- Makes available all information necessary to demonstrate compliance
- Will cooperate fully with audits, inspections, and the like
These requirements are irrespective of whether you are entering into a new business relationship or continuing an existing one. If your contracts do not include these terms already, they will need to be renegotiated. One important thing to look at is what the contract says about who bears the cost of making changes to the services as a result of the changes in laws or regulations. Sometimes this will be explicitly stated; other times, it won’t and will need to be negotiated by the parties.
Is the Data Center That Hosts My Servers GDPR Compliant?
If you send EU customer data to a data center or if your data center has servers located in the EU that will process your data, you as the data controller will want to determine whether it is GDPR compliant. Here are a few managed data center providers and whether they operate EU data centers:
Check with your provider to determine whether it owns or operates data centers in the EU and ensure your contract either prohibits the transfer of data there or meets GDPR compliance requirements.
Why Should a US Company Care About GDPR Compliance?
US companies have had to deal with privacy concerns in the past, either through direct regulation (e.g., for data related to certain industries, such as healthcare) or as a result of self-regulation (e.g., compliance with the NAI Code of Conduct). There is no US federal law regulating the collection and use of personal data. Rather, US companies are subject to a patchwork of federal and state laws and regulations.
But GDPR imposes real liability in the form of substantial monetary penalties. In addition, it purports extra-territorial reach, so that US companies can be held liable even if they don’t have a physical presence in the EU (offices, employees or even sales). Any action will be in Europe, and EU law will be applied. That is to say that even defending such an action will be expensive for a US company.
Am I Prepared for a Data Breach?
In addition to notifying data subjects (see “What Must I Do If There Is a Data Breach?” above), the GDPR also requires a data controller that suffers a data breach to notify the appropriate regulator without undue delay. The GDPR goes on to state that, where feasible, this notification should be made within 72 hours.
You should work under the assumption that it’s a matter of when–not if–you will suffer some sort of data security breach. When that happens, what will you do?
As the recent breach at Equifax shows, a company’s reaction can have as important consequences as the breach itself. At the very least, every organization dealing with personal information should have a written policy in place setting out what to do in the event of a data security breach:
- What constitutes a breach?
- Who needs to be notified?
- What legal obligations (as a result of statute, contract, regulatory requirement, or otherwise) does the company have to report the breach?
- Beyond legal obligations, who should the company notify to minimize reputational risk?
- How will the company notify the appropriate parties (e.g., email, phone call, etc.)?
- How quickly will the company provide such notification?
- Who will make the final determination for breach edge cases (e.g., determining whether a breach has occurred such that the company’s obligations are triggered)?
Every company should also appoint a representative to act as a point of contact to manage external interests, including EU regulators.
What Are the Opportunities?
Companies and marketers that are GDPR compliant ahead of their competitors may have a distinct advantage that they can capitalize on. For example, ad tech companies may win a request for proposal (RFP) they might otherwise not if they can show that they have the systems and processes in place to meet GDPR requirements while their immediate competitors cannot. This could especially prove to be the case for industries that deal with highly sensitive information.
And as sophisticated players start implementing GDPR-mandated contractual requirements with their suppliers, there could be a knock-on effect, as those suppliers look to work only with vendors that can provide the same assurances.
It is also likely that opportunities will emerge for new business models that enable ad targeting and attribution, without utilizing personally identifiable information (PII). And data portability will mean that incumbent platforms cannot simply rely on network effects to maintain market leadership, opening the door to new players and business models.
Part 5: The Future of Privacy and Data Protection
While it is obviously impossible to predict what legislation will be enacted in a rapidly changing world, it is safe to say that both consumers and national lawmakers are taking a greater interest in how personal data is collected, used, and shared by corporations.
What will happen if a GDPR-like regime is implemented in the US market? Will your company be ready?
While nothing appears imminent, it is important to keep in mind that the companies most likely to benefit from GDPR are the ones with direct relationships with customers and the market power to require consent: Google, Facebook, and Amazon. These companies are also among the largest lobbyists of US legislators. It would behoove any US-based company to at least be cognizant of what a GDPR-compliant world might look like if it ever makes its way to this side of the pond.
A forward-thinking company should look to embrace the spirit, if not the letter, of the GDPR. Specifically, that means being clear as to what information you collect and how you use it. Obtain informed consent from your customers, including providing them the ability to easily revoke such consent. And take reasonable precautions to protect collected data from unauthorized access. Even today, there are competitive advantages for a US company to be thinking about GDPR compliance; in the future, it may be imperative to its very survival.