While the true impact of the GDPR and ePrivacy regulation won’t be felt until after they come into force, we can already get a sense of the effect they’ll have on the online advertising and marketing industries.
So we created an infographic to highlight the main areas of the European Union’s General Data Protection Regulation (GDPR) and ePrivacy that will have an impact on online advertising and marketing vendors.
Here’s the text from the infographic:
Infographic: The Effect the GDPR and ePrivacy Will Have on AdTech and MarTech Vendors
Numbers worth knowing
May 25, 2018: The date when the GDPR came into force.
€20M: Companies can be fined either 20M Euro or 4% of the previous year’s turnover for serious infringements.
€10M: Companies can be fined either 10M Euro or 2% of the previous year’s turnover for less-serious infringements.
510M: The GDPR and ePrivacy will protect the data and privacy of over 510 million EU and EEA citizens and residents.
What is the GDPR?
The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 as it’s known in official contexts, is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, European Commission, and Council of the European Union.
It replaced the previous Data Protection Directive (Directive 95/46/EC) when it came into force on May 25, 2018.
The goal of the GDPR is to give data subjects in the Union control over their own data and to simplify the regulatory environment for international business.
EU and EEA member states
If your company collects data about citizens and residents in one or more of these countries, then you are bound by the rules in the GDPR and ePrivacy.
What is ePrivacy?
The ePrivacy directive is a piece of EU legislation that also aims to protect the data and privacy of EU and EEA citizens and residents, but with a focus on respecting their private lives when using electronic communications.
Currently, ePrivacy is a directive, but is in the process of being transformed into a regulation, which will also repeal the current directive.
It is not known when the ePrivacy regulation will come into force, as the proposal is set to be negotiated between the three EU legislative institutions (listed above under "What is the GDPR?"). Some within the industry say that it will likely be enforced in 2019 or 2020.
Key Terms of the GDPR
Data subject: Online users
Data controller: Websites and apps (e.g. brands and publishers)
Data processor: Software vendors (e.g. AdTech and MarTech vendors)
4 Main Areas of the GDPR & ePrivacy that Will Affect AdTech & MarTech Vendors
1. Personal Data
- Any piece of information or data that can be used to identify a data subject is classed as personal data.
- The GDPR now considers identifiers such as cookies, cookie IDs, location data, and device IDs as personal data.
- AdTech & MarTech vendors need to implement measures to ensure the data is protected at all times, for example, via encryption and pseudonymization.
2. User consent
- AdTech & MarTech companies need to obtain clear, unambiguous, and explicit consent from data subjects if they want to collect and use their data.
- Publishers can’t deny or restrict access to their website or content if data subjects don’t provide consent.
- Companies need to obtain consent for each data-processing activity, and explain to data subjects what their data will be used for, whom it will be shared with, and how long it will be kept.
3. Data breaches
- AdTech & MarTech vendors need to inform a supervisory authority and their clients about a data breach within 72 hours.
- They also need to inform data subjects without undue delay after having become aware of a data breach.
- Companies aren’t required to inform data subjects about a breach if the appropriate technical and organizational protection measures, such as encryption, have been put in place and applied to the data.
4. Data Protection by Design and by Default
- Companies should put data protection and user privacy at the forefront of all their activities.
- Where possible, data should be pseudonymized, anonymized, and encrypted to provide added levels of protection.
- Companies that collect user data should practise data minimization: processing only the amount of data absolutely needed to complete the given activity.
The Cost of Not Complying With the GDPR
The GDPR has two tiers of fines depending on the severity of the infringements:
€10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Applicable to violations and infringements relating to:
- Obtaining consent from a child to use their data (Article 8)
- Processing which does not require identification (Article 11)
- Designating a data-protection officer (DPO) and their tasks (Article 39)
- Obligations of certification bodies and obligations of monitoring bodies (Articles 41, 42, and 43)
- Data protection by design and by default (Article 25)
€20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Applicable to violations and infringements relating to:
- Processing personal data and the lawfulness of that processing (Articles 5 and 6)
- Conditions for consent (Article 7)
- Processing of special categories of personal data (Article 9)
- User rights (Articles 12–22)
- Transferring user data to recipients in a third country (Articles 44–49)