Happy Birthday GDPR

This week marks the first anniversary of the European Union’s General Data Protection Regulation (GDPR). When it became enforceable on May 25, 2018, the GDPR was clearly the most significant privacy experiment to that point in history. It provided a great opportunity to watch, discover, and analyze the impacts of its sweeping rules and restrictions.

It is still too soon to draw final conclusions, but already some clear trends are evident. First, nearly everyone admits that GDPR has led consumers in the EU to be bombarded with opt-in requests. This requires consumers to either constantly agree to opt-in or not allow companies to utilize their data. It is not clear how carefully consumers investigate privacy policies before agreeing or disagreeing to opt-in.

Compliance costs have also been extremely high. Many companies have had to spend multi-millions of dollars to meet the multitude of restrictions. Despite this fact, already a substantial number of major companies have been found not to be in compliance with GDPR requirements and been hit with significant penalties (in one case for more than $57 Million).

Also, a number of American companies, including some of our country’s largest newspapers, determined that the costs, risks, and burdens of GDPR make continuing to do business in the EU either cost prohibitive or not worth the regulatory hassles.   

In addition, in the very short period of the GDPR’s existence, an analysis carried out by the DLA Piper law firm found that there has already been more than 59,000 data breaches that needed to be reported to EU privacy regulators, creating an enormous burden on the limited staffs of these organizations. 

Furthermore, the opt-in model, instead of the predicted leveling of the marketplace playing field, appears to have strongly advantaged well-known established companies, as consumers are far less likely to be willing to opt-in for startups and companies that have not been able to create a strong marketplace presence.

As the U.S. continues to wrestle with privacy and data security issues, it is important that we carefully examine the EU experience so that we develop systems for this country that are most likely to enhance consumer privacy while protecting a vibrant competitive data-driven marketplace.

ANA, in conjunction with many groups within the business, marketing, and advertising communities has launched the Privacy for America Coalition to develop a better approach to privacy protection rather than the GDPR model. Instead of constant pressure on consumers to determine if they want to opt-in to data collections, the Privacy for America approach delineates per se forbidden uses of data, appropriate allowable uses of data, and provides the FTC the power to determine how all other data should be treated. We will continue to report on the progress of this initiative while continuing to provide careful analysis of the strengths and weaknesses of other models like the GDPR.