The Effect the GDPR and ePrivacy Will Have on AdTech and MarTech Vendors [infographic]

While the true impact of the GDPR and ePrivacy regulation won’t be felt until after they come into force, we can already get a sense of the effect they’ll have on the online advertising and marketing industries.

So we created an infographic to highlight the main areas of the European Union’s General Data Protection Regulation (GDPR) and ePrivacy that will have an impact on online advertising and marketing vendors.

Click here to open the infographic in a new tab.

Here’s the text from the infographic:

Infographic: The Effect the GDPR and ePrivacy Will Have on AdTech and MarTech Vendors

Numbers worth knowing

May 25, 2018: The date when the GDPR came into force.

€20M: Companies can be fined either 20M Euro or 4% of the previous year’s turnover for serious infringements.

€10M: Companies can be fined either 10M Euro or 2% of the previous year’s turnover for less-serious infringements.

510M: The GDPR and ePrivacy will protect the data and privacy of over 510 million EU and EEA citizens and residents.

What is the GDPR?

The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 as it’s known in official contexts, is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, European Commission, and Council of the European Union.

It replaced the current Data Protection Directive (Directive 95/46/EC) when it came into force on May 25, 2018.

The goal of the GDPR is to return control to data subjects in the union over their data and make the regulatory environment simpler for international business.

EU and EEA member states

If your company collects data about citizens and residents in one or more of these countries, then you are bound by the rules in the GDPR and ePrivacy

Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland (EEA)
Ireland
Italy
Latvia
Lithuania
Liechtenstein (EEA)
Luxembourg
Malta
Netherlands
Norway (EEA)
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
United Kingdom

What is ePrivacy?

The ePrivacy directive is a piece of EU legislation that also aims to protect the data and privacy of EU and EEA citizens and residents, but with a focus on respecting their private lives when using electronic communications.

Currently, ePrivacy is a directive, but is in the process of being transformed into a regulation, which will also repeal the current directive.

It is not known when the ePrivacy regulation will come into force, as the proposal is set to be negotiated between the three EU legislative institutions (see below). Some within the industry say that it will likely be enforced in 2019 or 2020.

Key Terms of the GDPR

Data subject: Online users

Data controller: Websites and apps (e.g. brands and publishers)

Data processor: Software vendors (e.g. AdTech and MarTech vendors)

4 Main Areas of the GDPR & ePrivacy that Will Affect AdTech & MarTech Vendors

1. Personal Data

• Any piece of information or data that can be used to identify a data subject is classed as personal data.
• The GDPR now considers identifiers such as cookies, cookie IDs, location data, and device IDs as personal data.
• AdTech & MarTech vendors need to implement measures to ensure the data is protected at all times, for example, via encryption and pseudonymization.

2. User consent

• AdTech & MarTech companies need to obtain clear, unambiguous, and explicit consent from data subjects if they want to collect and use their data.
• Publishers can’t deny or restrict access to their website or content if data subjects don’t provide consent.
• Companies need to obtain consent for each data-processing activity, explain what their data will be used for, whom it will be shared with, and how long it will be kept.

3. Data breaches

• AdTech & MarTech vendors need to inform a supervisory authority and their clients about a data breach within 72 hours.
• They also need to inform data subjects without undue delay after having become aware of a data breach.
• Companies aren’t required to inform data subjects about a breach if the appropriate technical and organizational protection measures, such as encryption, have been put in place and applied to the data.

4. Data Protection by Design and by Default

• Companies should put data protection and user privacy at the forefront of all their activities.
• Where possible, data should be pseudonymized, anonymized, and encrypted to provide added levels of protection.
• A process known as data minimization, which involves only processing the amount of data absolutely needed to complete the given activity, should be carried out by companies that collect user data.

The Cost of Not Complying With the GDPR

The GDPR has two tiers of fines depending on the severity of the infringements:

Tier 1

€10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Applicable to violations and infringements relating to:

• Obtaining consent from a child to use their data (Article 8)
• Processing which does not require identification (Article 11)
• Designating a data-protection officer (DPO) and their tasks (Article 39)
• Obligations of certification bodies and obligations of monitoring bodies (Article 41, 42, and 43)
• Data protection by design and by default (Article 25)

Tier 2

€20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Applicable to violations and infringements relating to:

• Processing personal data and the lawfulness of that processing (Articles 5 and 6)
• Conditions for consent (Article 7)
• Processing of special categories of personal data (Article 9)
• User rights (Articles 12–22)
• Transferring user data to recipients in a third country (Articles 44–49)