Europe's new privacy regime is likely to disrupt global digital advertising by preventing companies from using an individual's data unless they have direct consent from the consumer.
The European Union's General Data Protection Regulation (GDPR) doesn't come into force until May 2018, but when it does it will have a profound effect on businesses. The regulation will apply to data about every one of the EU's 500 million citizens, wherever in the world it is processed or stored.
Stephan Loerke, CEO of the World Federation of Advertisers, said, "I'm surprised more marketers have not woken up to the implications of GDPR. The new regulations will be a significant challenge for the ecosystem and it's difficult to forecast how technology will adjust."
Put simply, targeting and tracking companies will need to get user consent somehow. Everything that invisibly follows a user across the internet will, from May 2018, have to pop up and make itself known in order to seek express permission from individuals.
How this will work in practice is unclear. Johnny Ryan, head of ecosystem at PageFair, an Ireland-based ad serving technology company, said, "Companies who create value only by using data and tracking people across the internet will have to find a way to build a relationship with the customer. They will have their businesses seriously disrupted."
Mr. Loerke said, "It will mostly affect companies who rely on third party data, and agency networks that serve ads on the basis of data but don't have a direct relationship with the public."
Driven not just by concerns about marketing behavior, but also by data breaches – such as Yahoo!'s recent admission that a hacker stole information from 500 million accounts – the EU has gone all-out to tackle online privacy with a 91,000-word document that was published in April but is still being digested by the industry.
Dr. Ryan said, "The EU is finally bringing a standard of privacy to digital, preventing the arbitrary collection and exchange of personal data that has been going on for 20 years. Digital has been in cowboy territory for too long – the [GDPR] is ripping the digital ecosystem apart."
He believes that "the whole digital dynamic will move away from third party" and that GDPR will incentivize a raft of mergers and acquisitions, as tech companies seek to exploit media owners' direct relationships with their readers and viewers. "Publishers may finally have the upper hand," he predicted. "There will be a change in balance – at least online."
Companies can be fined as much as 4% of global revenues for breaching the regulations. They must also report hacking incidents within 72 hours and ensure parental consent for under-16s.
Google and Facebook will be largely unaffected by the GDPR changes, and may also benefit, because they already have the kind of direct relationships with customers that will be increasingly valuable to marketers.
"It will be more challenging for brands, but it will be about creating a more equal relationship and building trust," Mr. Loerke added. "There will be a more transparent value exchange and marketers will have to find a way to explain what's going on without being disruptive." Brands, for example, are likely to create incentives for people to continue allowing collection of their data.
Mr. Loerke expects the new EU rules will become a global standard. He said, "Marketers will work with whatever is the toughest data protection globally – like the Children's Online Privacy Protection Act (1998), which was introduced to protect U.S. children under 13, but has become the international standard."
The U.K. will still be a part of the EU in May 2018, and the country's government has already signaled that it intends to comply with the GDPR long-term.