Common GDPR myths, debunked
Noise around the threat the European General Data Protection Regulation poses to publishers, ad tech companies and marketers is getting louder as the 2018 deadline for enforcement approaches. Naturally, a flurry of “GDPR experts” — some of them helpful, others compounding the confusion — have surfaced over the last year to help businesses navigate the challenges.
Robert Streeter, News UK’s data protection and privacy officer, emphasized the importance of separating fact from fiction regarding the regulations at Rubicon Project’s Automation event in London on Sept. 6. “When you read about ‘expert’ comment on GDPR, I’d advise taking that with caution and examining your own approach to it,” he said. “There’s a lot of misinformation circulating.”
Here are some of the myths, debunked:
Myth: The biggest threat is eye-watering fines
While it’s true that companies that don’t comply with the new laws will face fines of up to 4 percent of their revenues or a maximum £17 million ($22 million), these kinds of fines will be rare, at least in the U.K. They will only be applied to companies that flout the laws or fail to notify the Information Commissioner’s Office of data-privacy breaches that “affect people’s rights and freedoms.”
The ICO has already stated it prefers “the carrot to the stick” in this case. So while it has the power to fine up to that amount, imposing huge fines will be a last resort. “It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” wrote Elizabeth Denham, the U.K.’s information commissioner, in a recent blog post. Other sanctions the ICO will use to get companies to comply: warnings, reprimands, corrective orders. These many not hit organizations’ pockets, but they won’t do the companies’ reputations and public perception any good, she added.
Myth: ‘Consent’ is the only way to process data
The GDPR’s more stringent rules around companies obtaining explicit consent for collecting and processing customer data have caused a fair amount of hand-wringing across the ad market. The new array of adjectives used to describe different forms of consumer consent — “explicit,” “unambiguous,” “informed” — are enough to make hearts race. But as with most things, there are more ways to skin a cat. “Consent is the most viable and perhaps only option when it comes to some aspects of collecting and using personal data for digital advertising purposes. But, importantly, there are other ways, which may work for other aspects of data use,” said Yves Schwarzbart, head of policy and regulatory affairs at the Internet Advertising Bureau. So, it’s advisable not to just wait until the ICO gives guidance on consent. In fact, there are six other ways the GDPR allows for personal data to be processed, added Schwarzbart.
For example, before ascertaining what legal basis they have to process the data, companies need to know what partners they’re working with, and where and how the data is shared and traded by those partners, said Nick Stringer, public policy consultant at Entropy Data. They should also look into whether they need to appoint a data protection officer that will help establish a compliance map, he added. That’s what News UK is now doing. “We’re looking at how to get a sense of collecting user information and how the various third parties we’re working with are using it, further down the chain,” Streeter said.
Myth: GDPR is a Europe-only issue
Far from being some typically bureaucratic issue that applies to the 28 members of the EU (including the U.K., as Brexit won’t affect its compliance), GDPR will affect any American company that offers goods or services to consumers in the EU or monitors the behavior of people located in Europe, regardless of where their offices or ad servers are based.
Myth: GDPR is limited to personally identifiable information
GDPR won’t be restricted to collecting sensitive data relating to individuals. Personal data under GDPR applies to IP addresses and cookie tracking, too. “Traditionally, the digital ad sector treated cookies and IP addresses as anonymous, but now, that’s no longer the case,” said Stringer. “People are using language they’re used to, like PII and non-PII, which is confusing things. It’s important people treat non-PII as personal data, too.”
Myth: Google and Facebook will benefit
While numerous articles have been written detailing how Facebook and Google stand to gain from the data-privacy laws, not everyone believes that to be true. “In terms of revenue, Facebook and Google have the most risk tied to raising the bar on consumer privacy in the EU,” said Jason Kint, CEO of Digital Content Next. “Anyone who believes their lobbyists’ myth that privacy regulation will only help Google and Facebook is having the wool pulled over their eyes.”
‘Still understanding that behavior’: What BuzzFeed learned from a year of livestream shopping
BuzzFeed's shoppable live streams were watched for more than 1 million minutes in 2021.
Member ExclusiveMedia Buying Briefing: As independents set bullish goals for 2022, they grow their consultative powers
Many independent agencies enter 2022 extremely optimistic because they just closed the books on a banner '21. Will they be able to keep it up?
Publishers use subscriber-only events to sweeten subscription pitches
The Washington Post and The Information's events exclusively created for subscribers can add more value to paying readers.
SponsoredHow the relationship between live events and mobile devices is evolving in 2022
Sponsored by AdColony The pandemic has accelerated changes in the way people consume content — and live events are part of that transformation. For advertisers, the questions are the kind on which campaign success depends: In what ways (and numbers) have people returned to watching sports, e-sports and events such as the Grammys? Are they […]
Tinuiti Report: Facebook still in hot demand with clients, despite Apple ATT hit
According to a report from agency Tinuiti, it clients increased their ad spend 32% YOY in Q4 on Facebook and its ever-growing cousin Instagram.
With Marquee, Jellysmack looks to turn non-digital natives into a new generation of internet stars
Jellysmack, one of the largest creators of social video on the internet, is trying to use its insights to make real-life celebs more internet-famous.