Power to the Consumer
It shouldn’t come as a surprise that the everyday consumer interacting with brands online has experienced the benefits of the GDPR rollout. After all, this regulation was passed to protect an individual’s personal data by empowering them through corporate transparency. GDPR has forced companies to disclose exactly what user data is collected and what is done with that data.
The lack of trust consumers feel in the digital marketplace has caused individuals to become more cautious prior to giving up their personal information—and that’s a good thing. "What GDPR has done is increased awareness,” says Stewart Room, lead partner for GDPR and data protection at PwC. “There was more outreach done on data protection in the months of May and June 2018 in Europe than has ever been done in the entirety of the world in the history of data protection.”
Woe are the Tech Giants
Even before GDPR’s official rollout, Silicon Valley companies were under intense scrutiny from governing bodies and consumers worldwide for data mishandlings. On the first day of GDPR enforcement, multiple lawsuits were filed against Facebook, Google, Apple, Amazon and a slew of other technology giants by privacy activists and consumer rights groups. While no fines have been imposed (yet), some major American companies are feeling the pain of foreign regulation.
The embattled social media platform can’t seem to catch a break this year. Facebook reported losing over one million monthly active users in Europe—a direct result from GDPR, if you believe Mark Zuckerberg. The Facebook CEO confirmed during the company’s second-quarter results call that GDPR was responsible for the user decrease in Europe. In addition to losing active users, Facebook blames sluggish advertising revenue growth within Europe on GDPR as well.
While Google was recently slapped with antitrust penalties in Europe for the unfair favoring of their own search engine in Android phones, the company hasn’t violated GDPR…yet. A recent investigation is underway to determine whether or not Google’s location tracking practices in the EU are unlawful. An Associated Press exposé revealed that location tracking technology in various Google apps do not fully disable, even if the user chooses to “pause” this service. While there are ways to stop location tracking within account settings, the solution isn’t exactly clear to the user. Stay tuned on this case, as Google could be the first ever organization to be officially fined under GDPR.
On May 25th, when GDPR went into effect, several American news publications denied website access to users in European countries. The Los Angeles Times, Chicago Tribune and Baltimore Sun, all owned by parent company Tronc, displayed messages that read:
"Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."
Digital advertising has become an important source of income for news publications fighting back against the rapid decrease of print readership. However, privacy advocates argue that targeted ads and cookie tracking on these websites have become increasingly intrusive. Rather than play by GDPR’s rules, American publishers would rather keep their digital advertising revenue now and find a solution later.
What about the 72-Hour Rule?
One aspect of GDPR that left companies with increased anxiety prior to compliance was the 72-Hour Data Breach Window. Article 33 of the regulation states that organizations must alert all European data providers of a data breach within 72 hours of the breach. Businesses immediately criticized this article of the regulation, claiming the time frame was too short and many breaches happen without prior knowledge.
Despite these criticisms, the “72-Hour Rule” has resulted in a dramatic rise in data breaches reported. A report calculated by the ICO determined that in June, 1,750 security breaches were reported. This is compared to 700 reported breaches in the previous month. This is not to say that data breaches are on the rise, but more incidents are being reported to avoid fines for non-compliance.
What’s Next for Data Privacy
Only time will tell how GDPR will continue to affect the digital landscape, but the regulatory atmosphere is already shifting. A mere month after GDPR compliance went into effect, California passed the California Consumer Privacy Act of 2018 (CCPA). Effective January 1st, 2020, the act is extremely similar to GDPR—requiring organizations around the world to observe restrictions on personal data of residents of California. Similar privacy legislations have also been introduced in Brazil and Australia.
As data privacy regulations become more and more commonplace, organizations cannot continue to choose to ignore or abandon their customers as some American publishers have done in Europe. GDPR is just the start of how organizations are expected to behave online. If your organization has not devised an action plan to handle the personal data of your customers, now is the time. Be prepared before we all go through this again in 2020.