Europe has been abuzz this week as details on the new EU Data Protection Laws have been hammered out after four years of negotiating and lobbying.
Tuesday evening marked a historic moment in which the final “trilogue” (Brussels speak for discussion) between the European Commission, European Parliament and Ministry of Justice and Affairs, took place, resulting in a new law designed to give consumers more control over how their data is used by businesses, which all of Europe must implement in 2018.
The general consensus is the laws will be bad for media and advertising. Ad tech companies are likely to be among those hardest hit. The IAB Europe has called the update a “setback for Europe” that could seriously undermine the EU’s ambitious project to create a “digital single market” and hurt innovation and growth in Europe.
We’ve broken out some of the key issues for those who aren’t familiar with the process.
Why does this even exist?
The current EU data protection directive is two decades old. Everyone agrees the laws should be modernized, but nobody can agree on how to create a simple process for businesses that works across all 28 EU member states. Welcome to Europe.
Is this different from the EU cookie directive?
It’s much bigger. A directive is a law each EU member state can customize to fit the status quo in their individual markets. Markets that are more advanced in digital needn’t apply the same exact rules as those that have tougher privacy policies such as, for example, Germany. The new data protection doesn’t have that kind of wiggle room.
How does it affect businesses?
Companies must prove legal grounds for using consumer data, which they can obtain by getting consumer consent. The law, which covers all companies with services available in the European Union, has specified “unambiguous” consent is acceptable, to the relief of the IAB. For example, if you click through a site that drops cookies, you’ve implicitly given consent to have cookies dropped on your computer. No one had to ask you for that consent. The Commission provides the caveat that explicit consent must be given for the use of “sensitive” data.
What’s the problem with it?
In the initial draft, the term “personal data” lumped all data into one bucket, meaning a person’s cookie data used in online advertising would have been subject to the same privacy terms as medical data. The IAB and DMA have lobbied unsuccessfully for more granularity in the definition.
Who will be worst off?
The companies that should be most worried are those that don’t have a direct relationship with the consumer — hello, ad tech. Companies like Criteo or AppNexus, for example, can’t communicate directly to consumers. Even if they could, consumers aren’t likely to recognize their brands and would likely decline.
What are the ramifications for publishers?
Publishers that rely on third parties to sell huge volumes of inventory will suffer. If the intermediaries can’t collect data for targeted advertising, publishers will lose out on revenue and could be “forced” to explore alternative revenue streams or cut costs to offset the lower ad revenues.
Who are the potential winners here?
Google, Facebook and Amazon could do well from the situation because they have the direct relationship with their customers across numerous devices. Independent publishers that lose ad revenue from the fallout may flock to products like Facebook’s Instant Articles and compromise on an ad revenue share but avoid the costs associated with gaining the right compliance, one source speculated.
Will there be fines?
Oh yes. The scale of the fine will depend on the size of the offense and on the annual turnover of the company. The maximum penalty will be 4 percent of global sales revenue.