Europe's new privacy rules are fast approaching and some companies are... just winging it.
There's less than a week left until Europe starts enforcing the General Data Protection Regulation, which will impact every website, brand and digital ad technology company that touches even one consumer across the Atlantic. The new data rules spell out how companies can collect personal information on those consumers, how they can use that data, and how to inform consumers on both those fronts.
"A lot of businesses are getting their heads around this too late," says Patrick Salyer, CEO of Gigya, a consumer data and privacy management company. "They may not even hit the deadline. Not intentionally or purposefully—just for a lot of companies especially in North America, it hasn't been on their radar."
A recent survey of chief marketing officers and e-commerce and marketing executives found that 16 percent of companies had no plans in place to address GDPR, according to SAP, a business software firm that owns Gigya and is based in Germany. Another 10 percent of respondents weren't sure if their company had a plan.
A comprehensive plan would include procedures to obtain consent from consumers to collect their data and use it, and a system for responding to requests from consumers for their data.
The prepared companies are taking the opportunity from GDPR to get a handle on how they collect data, where they store it all and how they apply it across their businesses. They're combing through hundreds of points of contact with consumers from their stores to their websites and events, sorting through the databases and organizing the process.
But some publishers and smaller companies see only small portions of their internet traffic coming from Europe. People who work closely on GDPR compliance, and who spoke on condition of anonymity so as not to out clients, said they have heard from companies that won't make changes to address a small segment of their audience or customer base that's in Europe.
"It is a risk analysis for companies," says Christina Allyn, a partner at Moye White law firm, which works with companies to establish GDPR procedures. "It's so massive and comprehensive, and the requirements so significant. I don't recommend anyone just hope for the best."
Tiffany Morris, general counsel and VP of global privacy at data management firm Lotame, says that there are even large brands waiting until the last second to address GDPR.
"I was surprised how slowly some are moving to comply with this law," Morris says.
Brands are calling Lotame with weeks to go until GDPR's due data on May 25, just now scrambling to understand compliance issues, Morris says.
Then there are companies that think they're in compliance but have done only the bare minimum. The companies that slap a warning label on their websites about collecting data and set up an e-mail for more information are responding lazily to GDPR, Salyer says.
"A lot of businesses take that approach," Salyer says. "Officially they are GDPR compliant, but frankly in a way that is a really poor experience for customers and costly for their business."
There are publishers with websites, brands with online customers, and major social platforms that have had to come up with a whole new model for vetting their data procedures. Any European consumer can call out any company and ask to account for the data they collected and how it's being used.
Companies that have violated the data regulations can face penalties that amount to 4 percent of a company's gross revenues.
That means that not only are brands, say, responsible for complying with GDPR, but they're on the hook for the agencies and ad technology companies they could employ on their behalf.
"That's a pretty big hazard," says Johnny Ryan, head of ecosystem at PageFair, a European-based software company that works closely with publishers on ad technology and data.
Even the biggest internet companies with the most data, Facebook and Google, aren't as ready as they probably think they are, according to Ryan.
Ryan says Google has asked publishers that use Google services to obtain consent on its behalf to collect consumer data, but he calls the wording of its proposed permission slip vague and unlikely to meet the law's requirement for granularity. Publishers have pushed back against Google's approach, which they say coerces them into handing Google control of data on visitors to their websites.
"We find it especially troubling that you would wait until the last-minute before the GDPR comes into force to announce these terms," a group of publisher trade groups wrote to Google CEO Sundar Pichai last month, "as publishers have now little time to assess the legality or fairness of your proposal and how best to consider its impact on their own GDPR compliance plans which have been underway for a long time."
Ryan credited Google with at least having a plan to implement non-personalized advertising through its ad platform.
Google has scheduled meetings with publishers for Thursday, the day before GDPR takes hold, according to The Wall Street Journal. The meetings are meant to bring publishers up to speed on the coming changes and to address any concerns.
"The GDPR is a big change for everyone," a Google spokesman said in a statement. "Over the last year, we've engaged with over 10,000 of our publishers, advertisers and agencies across nearly 60 countries through events, workshops and conversations around the changes we're making to be compliant with the GDPR. We will continue to open our doors to our publisher partners to engage in these discussions on GDPR compliance."
Google also pointed to a company blog entry outlining how the company is preparing for the new data regime.
Facebook has rearranged how it asks users for permission to collect data, but it also tells consumers to either submit or leave the service.
That's a violation of GDPR, according to Ryan and others. "Access to a service cannot be made conditional on data tracking," he says.
Facebook disagrees. "We've been preparing for more than a year to ensure Facebook complies with the GDPR," a Facebook spokesman says.
The wording of Facebook's user agreement could just be a feeler from the company, seeing where the line will eventually be drawn once regulators start enforcing the laws.
It's similar to how many of companies are approaching GDPR.
"It's all a game of chicken with regulators," Ryan says.
RELATED: Data privacy expert Yafit Lev-Aretz explains how privacy practices in China and the U.S. stack up to Europe as GDPR arrives: