The General Data Protection Regulation (GDPR) took effect in the EU in May of 2018. With a year of regulation in place, it’s been interesting to observe the impact on our industry and consumers.
For companies deemed non-compliant, fines could be costly – upwards of $22.3 million US dollars (USD) or 4% of global revenues (whichever is greater). Google was in the spotlight when they were fined $59 million USD for violations in France, whereas smaller companies were issued warnings for their data infractions.
These limited infractions and public scrutiny can be attributed to two main causes. First, GDPR had over a year of runway from the time it was approved to when it took effect. This allowed many companies to get ahead of the curve and achieve compliance before the regulation went live. Second, and most important to remember – is that regulators are not intent on destroying companies who are non-compliant, but rather want to ensure businesses are aware so they can become compliant. Compliance is the objective. Additionally, EU regulators appear cautious in making public examples of companies at this early stage of the GDPR adoption – in fact, they just announced in May they were investigating Quantcast and Google for possible infractions.
Some impacts the regulation has had on efforts in the EU include: more private marketplace programmatic digital buys versus open marketplace, less 3rd party data usage and more 1st party inclusion, and purging of many ad trackers. In some extreme cases, US publishers blocked European traffic and cut off EU-based ad exchanges to avoid potential compliance issues.
While many US digital marketers report government regulation or threat of regulation as their biggest impediment in deriving value from data-driven campaign efforts, it seems if GDPR is our example, the impediments are less impactful than marketers anticipated.
What could be a larger challenge is the adoption of Consumer Data Privacy laws across the US and how that adoption occurs. GDPR was enacted on a national/international scale, but the US seems to be taking different route at the current time. California has legislation on the books that will take effect in 2020 while other states including Colorado, Washington and New Jersey are looking to adopt their own data regulations.
Contending with state-by-state regulations could be problematic for advertisers, agencies and service providers. We forecast that a critical mass of state adoptions will reveal the issues of variance legislation by state, before the federal government will take up the case to regulate and simplify.
Read more about GDPR's impact via eMarketer here.