At the end of last May, a new law covering collection and usage of data in Europe took effect that has a wide-ranging impact on businesses around the world. In a nutshell, the General Data Protection Regulation (GDPR) requires websites and digital services to do the following:
- State in clear language what data they collect and how it is used
- Provide users with access to and delete collected data
- Allow users to opt-out of data collection
And while this law covers data collection of users who are in Europe, the law covers companies no matter where they are based. That means that any website accessible from Europe is subject to the regulations.
For businesses in the U.S., many were not (and are still not) prepared to address this. According to one industry observer, nearly 80 percent of U.S. business did not have a plan in place 90 days prior to the official implementation, despite the fact that the law was passed in 2016. Even if a company manages data from one EU citizen, it could face fines of up to 4% of its global revenue for noncompliance.
That said, the regulations specifically focus on adverting and marketing to users in the EU. If a user comes across a U.S. publisher’s website that does not display any advertising, or whose display advertising is targeted at U.S. users only, that site would not be subject to GDPR. However, larger sites that use geographically-based advertising, where ads are served up in the local language or are specifically targeted to users based on their geography, would be subject to GDPR.
For US-based publishers, not being GDPR compliant has the potential to have a major, negative impact on their business, either through fines or lost revenue. Some publishers who were not prepared are simply choosing to not display their content to users in the EU. Take for example, the Baltimore Sun and other Tronc-owned media outlets.
Advertisers, on the other hand, are only impacted if they are targeting European users. That said, if an advertiser is collecting user data on their own website, such as using Google Analytics to track digital ad campaigns, they may need beef up their data policies and communications in order to be compliant.
Does this mean you need to panic? Not at all. Because the regulation is so new, most regulators in the EU will likely focus on the largest companies—Facebook, Amazon, Google, etc. It’s unlikely that they’ll be pursuing smaller companies for smaller infractions, at least for the time being.
If you’re concerned about your advertising or website conflicting with GDPR, contact us. We can perform a quick assessment to determine if you’re at risk.