It’s been one year since GDPR went into effect. What was the impact, what did we learn, and what’s looming ahead?
In the first few months after GDPR went “live,” our headlines were filled with stories of complaints and violations. According to a report by DLA Piper, over 59,000 data breaches were reported in the first eight months of GDPR going into effect, ranging in severity from errant emails sent to the wrong recipient to major cyber hacks affecting millions. Large, prominent organizations were “easy” targets, often singled out by specific consumer advocacy groups. While many consumer groups want to hate the “villains,” as marketers, we can learn from their vulnerabilities:
- Netflix, YouTube, Amazon, Apple, and Spotify have been reported for violations in Austria for failure to provide information regarding how user data is bought and sold.
- The Irish Data Protection Commissioner is investigating Twitter regarding a breach notification received from the social networking site, examining whether Article 33 was violated. (And if you don’t have your GDPR articles memorized, you must provide notification within 72 hours of becoming aware of the breach.)
- The Dutch Data Protection Agency (DPA) cautioned several organizations that denied visitors access to websites after the visitors refused cookies or declined to provide requested data. Cookie consent and data collection must be specific and freely given; making permission a condition of accessing a website violates the visitor’s free choice.
And while we’re on the subject of the Dutch DPA, the Netherlands is also the first country to release a GDPR fining policy, introducing a scale for less severe violations. Factors that can influence where you fall on the scale include duration of the infringement, number of people involved, how quickly the offending organization reacts, and what type of personal data is involved.
But probably the most notorious GDPR event of the year was news of the first major fine issued to Google, a whopping $50 million by the French CNIL for failure to secure user consent to serve personalized ads.
What should we expect next?
Compliance: The Next Phase
Preparing for compliance was just the beginning; now, it’s about maintaining compliance. As marketers, we’re tasked with continuing to be mindful of data collection and storage practices, amidst ever-changing rules. I like the analogy given by Ruby Zefo, Chief Privacy Officer of Uber: “GDPR is a lot like raising a baby. We waited two years for the GDPR baby to be born, and now that it’s here, we can’t leave it in its high chair to fend for itself. You still need to take care of it.”
How should you prepare for the next chapter in compliance and data privacy?
- Cookie practices. We’ve already seen Marketo take proactive measures in this area with the newly announced pre-fill form changes. Previously, Marketo landing pages relied on Munchkin cookies to identify known person records and would pre-fill form data based on that cookie, regardless of whether the known person was actually the one viewing the page (think shared computers here). As a security enhancement, and to better align with GDPR requirements, form pre-fills will now only display when the known person clicks through from a link in a Marketo email, which confirms that the viewer is the person the data belongs to.
- US privacy legislation. We mostly hear about California’s bill, CCPA, but Hawaii, Massachusetts, New Jersey, Rhode Island, New York, Maryland and, most recently, Washington state all have proposed legislation as well. Requirements for companies include disclosing the personal information collected and giving individuals the opportunity to access, correct, and in some cases delete their information. Additionally, some proposed state legislation obligates organizations to perform risk assessments of their data processing activities. For marketers, all this could translate to a state-level data nightmare, a significant plot twist in our novel. Ironically, the US Senate Judiciary Committee held a hearing on March 12, the actual anniversary date of the World Wide Web launching, to “examine GDPR and CCPA, focusing on opt-ins, consumer control, and the impact on competition and innovation.” Of course, much is still to be defined, including whether federal legislation will preempt state laws such as CCPA, or set a baseline requirement and allow states to impose tighter requirements as they see fit. As our government works through the unknowns, one thing we do know: privacy legislation IS coming to the US, and organizations can no longer ignore it.
- Privacy policies and subscription management centers. It’s time to revisit your privacy policy to ensure it’s current and accurately reflects how you collect, use and store user data. Additionally, make sure your subscription center allows users to easily manage their preferences, including an opt-out from sharing or selling their personal data, a CCPA requirement.
- Best data practices. If you haven’t audited your instance recently, now is a great time to clean up your database and remove outdated, duplicate, incomplete and junk records, which only create unnecessary compliance liabilities for your organization. To assist in the process, download our free 41-point audit checklist.
Marketing Happily Ever After
My best advice for those following the compliance story: don’t take a wait-and-see approach to protecting your data, enabling transparency of data usage or capturing user consent. We’re one year in with GDPR and six months out from CCPA going into effect. As evidenced by the many other state initiatives emerging, data regulation is here to stay and will only gain momentum in the months to come. Those who embrace the new realities will be the companies marketing happily ever after.