The EU’s General Data Protection Regulation

March 16, 2018

The GDPR means significant changes to the way marketers all over the world collect and use data. What do these rules entail? How will they affect U.S.-based marketers? What will be the wider impact of GDPR on digital advertising globally?

EU citizens have certain rights relating to how their data can be collected, shared, and used. The General Data Protection Regulation (GDPR), established as of May 2018, enables them to exercise these rights and provides guidelines for organizations on how they must handle user data. There are four main topics related to marketing compliance of the GDPR: universal consent and preference management, cookie consent and website scanning, data subject access request (DSAR), and policy and notice management.

GDPR doesn’t only affect European companies. It applies to any company that offers goods and services in the EU or monitors the behavior of people in Europe. It represents the beginning of a shift in the way regulators and consumers think about data protection globally and will result in significant changes to the way digital advertising is done. Needing to obtain consent and be transparent puts a bigger emphasis on building trust with consumers.

According to the transparency principle in Article 5 of GDPR, companies need to provide individuals in the EU with specific types of information. For example, a web form can be provided for users to fill out online to request a consultation or a brand can add a cookie banner at the bottom of a page where users can opt to accept cookies or change their preferences. Brands are obligated to keep track of data consent and to provide easy access to users to make requests regarding their data.

Universal Consent and Preference Management

There are six legal ways to process personal data under GDPR: legitimate interest, contract, compliance with legal obligation, consent, vital interest of the individual, and public interest. Consent is often not the most appropriate one to rely on, and there are three critical areas for consent compliance in GDPR:

  1. Notice. Information must be provided to the data subject so that consent is considered informed at the time it is collected.
  2. Method. Consent must be given with a clear, affirmative action on the part of the user. In practice, this means that pre-checked boxes are not a proper method of collecting consent. Users must either check a box or have the ability to adjust their settings.
  3. Record. There is an obligation to demonstrate valid consent by keeping records of who consented, when they consented, what they were told at the time, and how they consented.

In practice, consent must be unbundled from other terms and conditions, include an active opt-in, be granular with separate options for different types of consent, be informed through access to sufficient information, not considered freely given if there is an imbalance in the company/user relationship, and easy for users to withdraw. Brands might use notices, like pop-ups, to provide relevant information to users at data collection points. They can use these in connection with privacy notices.

For all these reason, it’s important that marketers evaluate all of their current processing activities and the legal basis for them. The World Federation of Advertisers recommends taking the following steps:

  • Outline processing activities.
  • Categorize all processing activities by purpose.
  • Identify current or planned legal basis.
  • Determine if existing records of consent meet GDPR requirements.

Cookie Consent and Website Scanning

In 2009, an update of Europe’s ePrivacy Directive led to implied consent for cookies to become the norm. However, this did not clearly define consent, and left room for interpretation. The GDPR, established as of May 2018, affects cookies by clarifying consent as “unambiguous,” and implies that consent is no longer an option but an active requirement. The ePrivacy Directive will be updated again to complement the GDPR. It is expected to clarify consent as the main legal basis for cookies and mandate explicit consent with exceptions for web analytics and strictly-necessary cookies. There are three approaches to cookie consent:

  1. Opt-Out Consent. This requires organizations to drop all cookies and show the cookie notice, and requires users to take action upon accessing the notice. An individual needs to have the ability to refuse or withdraw consent without detriment. Information must be located on a website where people are likely to see it, and separate, specific consent must be given for each matter that they consent to.
  2. Implied Consent. This requires organizations to drop strictly-necessary cookies only, show the cookie notice, drop the rest of the cookies, and give users the option to continue browsing or click “okay” on the cookie banner. In practice, users can opt out of consent. Brands can show the cookie notice and let them exercise their choice. This is the most common approach and has the least impact on user experience, but it’s not compliant with the requirements of the ePrivacy Directive.
  3. Explicit Consent. This requires organizations to drop strictly-necessary cookies only, show the cookie notice, and drop the remaining cookies, and requires affirmative action by the user. It refers to the way consent is expressed by the data subject. For instance, users will confirm their consent in a written statement or a two-stage verification process. The downside is that it negatively affects the user experience and a higher percentage of users decline tracking.

Data Subject Access Request (DSAR)

Traditional rights give users the right to access the personal data a company holds about them and to have it deleted or corrected. The GDPR forces companies to figure out ways to allow individuals to exercise these rights and to track requests internally. There are even prescriptive requirements on how to respond to data requests. Violating data subject rights could result in fines of up to $20 million.

Policy and Notice Management

Organizations need to provide people with information when data is collected. Because of the new accountability principle, organizations are faced with the challenge of keeping track of privacy notices, making them available in multiple languages, and figuring out ways to display them properly.

Q&A with Catherine Armitage, Head of Digital Policy at The World Federation of Advertisers and Bénédicte Dambrine, Privacy Counsel at OneTrust

Q. For brands with no market outside of the U.S., how important is it to adopt GDPR processes?

A. I would ask them: How sure can you be that your company is never going to touch anyone in Europe? Can you be 100 percent sure that no one from the EU will go on your website? That’s a difficult thing to be sure of. You need to be extremely certain that you’re not subject of the GDPR. Trust comes into play. It might be in your interest to apply the rules even if they don’t apply to you. The U.S. could get a similar laws in the future. The EU is now at the forefront and is taking the lead for privacy globally, so it’s not impossible that the U.S. won’t want to align.

Q. Can you give us an idea of how the GDPR relates to the ePrivacy Directive?

A. ePrivacy is being reformed and is going through a legislative process. It’s meant to be a specialized rule, while the GDPR is a general rule. ePrivacy is more narrow in scope, but if there is personal data not covered by the GDPR, it is applied. They work together. The consistency between them is important because the revision has a lot of gray areas and confusion about why certain elements are even necessary because of GDPR.

Q. Do these regulations apply to demographic information?

A. It all depends on if data is considered personal data. The definition of personal data is broad, and if you have enough points to identify a person, it would be considered personal data, so you need to be careful there.


"The EU's General Data Protection Regulation." Catherine Armitage, Head of Digital Policy at The World Federation of Advertisers; Bénédicte Dambrine, Privacy Counsel at OneTrust. ANA Advertising Law and Public Policy Conference, 3/16/18.

You must be logged in to submit a comment.