The New Data Privacy Law that Could Have Major Repercussions for Marketers

By Anne Field



Perhaps the most confounding part of a global data-based marketing campaign isn't the technology, analysis, or even cultural differences. It's the complex array of rules on consumer data privacy throughout the world — an array of regulations that vary from country to country and region to region. And it's a particular headache now, thanks to looming changes in privacy law in the EU known as the General Data Protection Regulation (GDPR).

Passed in 2016 by the European Parliament and slated to take effect in May 2018, the GDPR is an 88-page data privacy law that will replace the Data Protection Directive previously adopted in 1995, which had established a set framework for individual laws that were then enacted by each member country. "The GDPR weaves the 28 different laws into one," says Simon Morrissey, partner and head of data and privacy at Lewis Silkin, a London-based law firm. For marketers, the most relevant aspect is how the law addresses the collection and protection of consumer data, from personally identifiable information inputted by customers to similar data inferred about them through the use of data profiling techniques.

While having one piece of legislation to follow instead of almost 30 may sound like an improvement, for now it means a period of confusion for many marketers trying to understand what the changes mean and how to prepare for them. It's a matter of some urgency, since the GDPR amounts to the first global data security protection law by expanding the scope of rules to cover businesses monitoring individuals located in the EU or offering them products and services — whether the companies are based in the EU or not. Thus, it covers the processing of personal data pertaining to individuals physically located in the EU, no matter who does the processing. The bottom line: If a U.S.-based brand collects information about individuals in the EU, it will need to comply with the law, according to Morrissey.


What the GDPR Entails

In addition, the new law broadens the definition of what's known as personally identifiable information to any data collected by marketers that can potentially be used to identify an individual. According to the legislation, it's quite a wide range of data that includes genetic, psychological, cultural, economic, and social information. Even at least some digital information will qualify as personal information under the new law, based on a recent ruling by the European Court of Justice, which determined that a device's IP address can sometimes be considered personal data, since it can be used to track the owner's identity. That's a much broader definition than what's used in many states in the U.S., which in some cases only includes such specific information as an individual's name and Social Security and financial account numbers, according to Catherine Bate, a partner at Canadian law firm Miller Thomson.

Then there's the matter of getting consumers' consent to use their data.

Brands have to make sure they clearly spell out how consumer data will be used and be specific in their explanation. "You can't say you're using data related to your products," says Søren Pietzcker, a partner at German law firm Heuking Kühn Lüer Wojtek. "You have to name the product lines." Plus, consumers need to be able to opt in, not merely opt out. According to Pietzcker, a brand planning to use data for separate campaigns doesn't need separate consents, but it must be clear to consumers that their consent covers several campaigns.

If that weren't enough, the law calls for the appointment of a data protection officer (DPO), a new senior management role within the company. The officer would be responsible for overseeing the company's compliance with the new law. U.S. brands dealing with data about EU citizens might need to appoint their own DPOs, according to Pietzcker, who points out that fines for not complying with the law are steep: a maximum of 20 million euros or 4 percent of a company's annual global revenue, whichever is higher. Generally, violators pay a blanket fine for non-compliance. "If you get caught, it's a really big penalty," Pietzcker says. He warns that, while smaller companies are unlikely to meet with such steep penalties, regulators are apt to set their sights on bigger brands.


How Can Brands Prepare?

According to privacy experts, U.S.-based brands have to establish a plan for easing into the new law. That means appointing a team to audit the data protection policies at the company, or any outside agencies that process or control consumers' personal information on the company's behalf, to identify where changes need to be made. That should include understanding what categories of personal data are collected, what is the source of the information, with whom the brand shares the data, and from which countries the data is collected or where it will be used. "Map out the data flows: What information is coming in from where and where it's going," advises Bate. It's particularly important to pinpoint any new developments that may have occurred, such as where the data is being stored, she says. In addition, brands should review their policies regarding how to respond to data breaches, particularly making sure they report problems within a designated time frame.

Start with the brand's website, since it's particularly visible — and vulnerable. According to Pietzcker, if a client receives a complaint from another company for non-compliance, his first line of defense is to investigate the complaining company's website privacy policy, because evidence of that firm's lack of compliance is good leverage for settlement negotiations. "They never get it right," he says. "But it's something that should be done right."

Especially critical is introducing opt-in policies for consent to use an individual's personal data. Brands also need to train employees dealing with data so they understand what the policies are and how to make sure they remain in compliance.

These steps are likely to be pricey. Pietzcker, for example, points to a prospective client who recently called him about what to do regarding the EU law. The man was so shocked by the extent of the work — and cost — that he hung up and never called back.


Playing It Safe

In the meantime, while brands prepare for the new regulations to become the law, they still need to comply with individual country regulations and follow their previous practices. "If you're running a marketing campaign in Europe, there are potentially 28 permutations on the theme," Morrissey says. In fact, there are significant differences among the EU countries, ranging from the age when minors need parental consent to provide personally identifiable information to the definition of "personal data."

Generally, marketers operating in multiple countries have two choices. One is to keep a campaign located in a limited number of places. The other is to not bother spending the time and money evaluating each area's idiosyncratic laws and focus instead on the places with the strictest policies and that offer the most important markets. As an example, experts point to what is widely seen as the strictest country in the EU, Germany.

To comply with current German rules on relying on consent to use personal data, a brand not only needs an individual's active consent, but, if the information is gathered through a web site, it also has to verify that consent through a follow-up communication, like an email. Similarly, if a brand needs parental consent to gather personally identifiable information on a minor in Germany, it would base the cutoff age on the GDPR's default age limit of 16 as opposed to, say, the U.K.'s cutoff age of 13.

By adhering to the strictest set of privacy laws, a brand can be confident its campaigns will run safely in any of the surrounding countries. "You apply the highest common denominator," Morrissey says. It's the safest way to ensure your data-based campaigns are playing by the rules.



Data Privacy Laws Around the World

Countries all over the world have different consumer data protection policies. Here's a look at four noteworthy nations or regions:

  • United States of America. The U.S. has a patchwork system of federal and state laws and regulations, as well as guidelines developed by governmental agencies and industry groups. But there are changes marketers have to absorb. For example, in February the Digital Advertising Alliance started enforcing guidance on cross-device tracking that it initially proposed in 2015. In cross-device tracking, marketers can get information about consumer behavior across their different devices, like smartphones, tablets, and laptops. The guidance includes disclosing tracking activity to consumers, offering choices about how their cross-device activity is tracked, and getting consent before engaging in cross-device tracking on sensitive topics and before collecting and sharing precise geolocation information.

    Another issue, of course, is what potential changes to the Federal Trade Commission under the current presidential administration will mean for the enforcement of privacy rules. Several new commission members have yet to be appointed.

  • Canada. According to Catherine Bate, a partner at Miller Thomson in Toronto, Canada has one of the strictest anti-spam laws in the world, covering emails, text messaging, and direct messaging through social media platforms. Most countries don't regulate all three. Specifically, the law requires that consumers opt in before a brand can send them commercial messages.

    Also notable is the rule about disclosure. If a Canadian company uses a website host located in the U.S., then the business needs to let consumers know their personal information may be subject to U.S. laws. Expected soon, according to Bate: a national standard governing how to manage a data breach.

  • China. While there's no comprehensive privacy law, China has a great many related regulations, according to Justina Zhang, a partner at Beijing-based TransAsia Lawyers. Generally, brands looking to collect personal data or sell to a third party need to get consent, though no rule specifies whether users have to opt in or out. A major issue relates to "data localization requirements," which went into effect on June 1. Specifically, certain data collected in China by what the rule calls "critical information infrastructure operators" needs to remain in a server located in that country. Since there isn't a clear definition of what an "infrastructure operator" is, it could include a great many businesses. And if marketers want to share any of that data abroad, they need to get security clearance approval from the appropriate authority. Ultimately, the goal is to place many companies and users under greater state control.

    Also important: Last September the government issued new rules about email advertising, paid search results, embedded links, and images and videos advertising goods and services. For example, companies have to get government approval to run ads for healthcare products, food, medical devices, veterinary medicine, and pesticides.

  • Latin America. Eight countries — Argentina, Colombia, Costa Rica, the Dominican Republic, Mexico, Nicaragua, Peru, and Uruguay — have data privacy laws based on Spain's national legislation, many passed in the past five years, according to Uri Weinstok, a partner at the Costa Rica–based law firm BLP. In some countries, companies using, sharing, or selling to a third party a database with information that can be linked to an individual must register — that is, report the existence of the database — with a data protection authority, which oversees compliance. Also, like the Spanish law, legislation rests on five basic rights — consent, access, rectification, cancellation, and objection. "Make sure you guarantee these rights and you'll be in good shape," Weinstok says.

— A.F.



You must be logged in to submit a comment.