On December 15, 2015, three of the major institutions of the European Union — the European Parliament, the Council of the European Union, and the European Commission — reached an agreement on the text of the General Data Protection Regulation (GDPR), a set of regulations concerning the protection of personal data for EU citizens. GDPR was officially put into force in late May of 2016, but companies were given a two-year grace period for compliance. On May 25, 2018, the law will apply across all of the EU’s 28 member states, and the price of compliance is steep: the maximum fine for GDPR violations is €20MM or 4% of gross worldwide annual turnover, whichever amount is higher.
The provenance of the GDPR can be traced back to 1995, when the European Data Protection Directive (“Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data”) was created. Directive 95/46/EC was designed to protect the use of personal data by operators in nascent online industries such as advertising, commerce, and search. The GDPR is essentially a reboot of Directive 95/46/EC, offering expanded scope within a “one stop shop” framework that removes the administrative burden for companies of dealing with the data privacy laws of multiple EU jurisdictions. And, unlike the Directive, the GDPR has explicit muscle to enforce privacy provisions: the GDPR introduces specific punishments across two “tiers” of infringements (€20MM or 4% of worldwide profits for the more serious tier; €10MM or 2% of worldwide profits for the less serious tier).
These are obviously very sobering stakes for most companies — 34% of the FTSE 100 would see its entire worldwide profit wiped out with a fine of 4%. The GDPR applies in any case where the data controller (the entity collecting data), the data processor (the entity processing data on behalf of the controller, eg. a cloud services company) or the data subject (the person whose data is being collected) is based in the EU (or is an EU citizen). For many companies, this renders compliance necessary: if they have any users in the EU (or any users who are EU citizens living abroad!), they open themselves up to the massive penalties outlined above if they’re not compliant with the requirements of the directive.
And what are those requirements? The language of the GDPR is somewhat vague, but the major changes and increases in scope fall into a few different regulatory buckets:
- Territorial applicability. As noted above, any data controller or processor that collects or processes data of people within the EU, even if it doesn’t have a legal entity in the EU, will be governed by the GDPR;
- Penalties. Penalties for breach are clearly defined (and severe);
- Consent. One of the biggest behavioral requirements of the GDPR is that companies collect consent from users in a clear, intelligible, accessible form. These are ambiguous terms, but the spirit of this seems to imply that long data protection / processing waivers full of legalese won’t be acceptable under the GDPR;
- Right to Access. Users will have the right the access the data that controllers collect about them in a common, machine-readable format. Users will also have the right to understand if data is being collected about them, where it is being collected, how it is being collected, and for what purpose it is being collected;
- Right to be Forgotten. Users will have the right to force controllers to destroy all data collected about them and to force third parties to stop processing any previously collected data about them;
- Data Portability. In addition to being able to receive all data collected about them, users will have the right to port data collected about them from one controller to another;
- Breach notification. Data breaches will have to be reported to end users within 72 hours of the controller becoming aware of the breach. Additionally, data processors will have to notify data controllers immediately upon becoming aware of a breach;
- Privacy by Design. Controllers are legally obligated to collect and process only the minimal amount of data required to achieve some purposeful goal;
- Data Protection Officers. Some companies (again, the wording used here is vague) will be required to appoint Data Protection Officers to oversee internal user privacy efforts.
For a more detailed overview of the GDPR’s requirements, see the EU’s official GDPR website.
Much of the above will be onerous for many companies to implement. The GDPR defines “personal data” very broadly, and for mobile advertisers and publishers, almost any data being collected is likely to fall under the expansive umbrella definition:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(edit: according to the IAB, advertising identifiers such as the IDFA are considered personal data under the GDPR)
“Processing” is likewise defined equally broadly to include not just collection and storage but also “adaptation or alteration” and “consultation”, which seems to imply that any modeling done using personal data, even if the underlying data isn’t ultimately stored, falls under the jurisdiction of the GDPR. This essentially impacts any mobile advertiser that uses personal data for building advertising targeting definitions.
And so it’s easy to imagine that many companies will likely opt to forego the GDPR compliance rigors as advertisers completely and to outsource that hassle to their partners. Many ad tech vendors have already begun the process of adhering to the new GDPR standards and of course have advertised that fact, but the patchwork constellation of ad tech systems that many mobile advertisers work with is so convoluted that circumvention could be the only viable path to GDPR compliance: outsourcing all data collection and processing to the largest vendors and avoiding liability in the first place.
It’s easy to see who benefits from this: the largest platforms with the most resources that can spend time and money on compliance and oversight. The Duopoly certainly has an advantage here: their infrastructure is already designed to associate behavioral cues to value, and they’re large enough to afford to allocate staff to compliance (Facebook increased the size of its Irish Data Protection team by 250% in 2017 in order to prepare for GDPR). If advertisers face the choice of auditing every single data handoff their apps and systems have with third party vendors (and ensuring that those vendors are compliant) versus simply working with one of the large platforms and outsourcing all compliance concerns to them, many will no doubt choose the latter option.