Stephan Loerke, CEO of the World Federation of Advertisers,
said, "I'm surprised more marketers have not woken up to the
implications of GDPR. The new regulations will be a significant
challenge for the ecosystem and it's difficult to forecast how
technology will adjust."
Put simply, targeting and tracking companies will need to get
user consent somehow. Everything that invisibly follows a user
across the internet will, from May 2018, have to pop up and make
itself known in order to seek express permission from
individuals.
How this will work in practice is unclear. Johnny Ryan, head of
ecosystem at PageFair, an Ireland-based ad serving technology
company, said, "Companies who create value only by using data and
tracking people across the internet will have to find a way to
build a relationship with the customer. They will have their
businesses seriously disrupted."
Mr. Loerke said, "It will mostly affect companies who rely on
third party data, and agency networks that serve ads on the basis
of data but don't have a direct relationship with the public."
Driven not just by concerns about marketing behavior, but also
by data breaches – such as Yahoo!'s recent admission that a
hacker stole information from 500 million accounts – the EU
has gone all-out to tackle online privacy with a 91,000-word
document that was published in April but is still being digested by
the industry.
Dr. Ryan said, "The EU is finally bringing a standard of privacy
to digital, preventing the arbitrary collection and exchange of
personal data that has been going on for 20 years. Digital has been
in cowboy territory for too long – the [GDPR] is ripping the
digital ecosystem apart."
He believes that "the whole digital dynamic will move away from
third party" and that GDPR will incentivize a raft of mergers and
acquisitions, as tech companies seek to exploit media owners'
direct relationships with their readers and viewers. "Publishers
may finally have the upper hand," he predicted. "There will be a
change in balance – at least online."
Companies can be fined as much as 4% of global revenues for
breaching the regulations. They must also report hacking incidents
within 72 hours and ensure parental consent for under-16s.
Google and Facebook will be
largely unaffected by the GDPR changes, and may also benefit,
because they already have the kind of direct relationships with
customers that will be increasingly valuable to marketers.
"It will be more challenging for brands, but it will be about
creating a more equal relationship and building trust," Mr. Loerke
added. "There will be a more transparent value exchange and
marketers will have to find a way to explain what's going on
without being disruptive." Brands, for example, are likely to
create incentives for people to continue allowing collection of
their data.
Mr. Loerke expects the new EU rules will become a global
standard. He said, "Marketers will work with whatever is the
toughest data protection globally – like the Children's
Online Privacy Protection Act (1998), which was introduced to
protect U.S. children under 13, but has become the international
standard."
The U.K. will still be a part of the EU in May 2018, and the
country's government has already signaled that it intends to comply
with the GDPR long-term.