Why E.U. Privacy Regulations Spell Trouble for U.S. Publishers
American publishers have benefited from the largely self-regulated regime that has governed the U.S. digital advertising market. Though it has upended traditional business models and forced publishers to develop new and different tools of the trade, it has also provided a lucrative source of revenue. Since most U.S. publishers sell advertising into the domestic market, there hasn’t been much reason to fret about regulatory doings within the European Union. However, given the global reach of the internet and the global scope of the regulations, it might be a good idea for American publishers to pay attention.
The new regulations were published in December 2015 and are expected to take effect in the 28 E.U. jurisdictions early in 2018. Some key features of these market-wide uniform regulations:
- Coverage: If your company gets any data on a European citizen, it is obliged to comply with E.U. regulations -- even if it is based in the U.S.
- Data Scope: In the U.S., data privacy rules focus on “personally identifiable information” like name, address, phone number, and email address. But the E.U. regulations also cover cookies, tags, pixels, and data collected through passive techniques.
- Consent: Consumers must affirmatively opt in to the collection of data with full awareness of how it is collected and used.
- Limits on Re-Use: Data collected for one purpose cannot be used for another purpose -- a limitation that might prohibit many third-party data transactions common in the digital advertising market.
- Deletion: Consumers are given the “right to be forgotten” -- which imposes on companies the obligation to be able to sync deletion across multiple platforms and systems.
- Profiling: The regulations exempt traditional market research tools (sampling, segmentation) but they prohibit “profiling”. At face value, this would seem to pose a challenge to behavioral targeting as widely practiced today. Same problem for tracking and re-targeting.
- Broader Liability: Data owners are liable if any of their subcontractors or partners breach the regulations. So publishers need to be on top of the practices of their ad tech firms, their cloud storage providers, their third-party data suppliers, and all other parts of the complex digital advertising ecosystem.
- Enforcement: The new regulations have the force of law, replacing the weaker “directive” that guided E.U. practices since 1995. Penalties for non-compliance are steep -- up to 4% of annual global revenue or €100M (whichever is higher).
- Compliance Officer: Companies are obliged to appoint a Data Privacy Officer to manage compliance and ensure that employees are aware of the new regime.
Of course, there are many more details to be found in the published regulations, and the ultimate impact on the digital advertising marketplace will take time to sort out. However, it is difficult to see how these new requirements square with contemporary practice in digital advertising. Though U.S. firms for many years were shielded from the worst inconveniences of European data regulations by the “Safe Harbor” agreement between the E.U. and the U.S., that agreement was voided by an E.U. court last October in response to an Austrian activist’s lawsuit against Facebook. In February of this year, negotiators reached a new agreement that awaits ratification and implementation, but that is much tougher in its requirements for compliance by U.S. companies. So it will be interesting to see how this plays out over the next year or so. My own guess is that U.S. publishers will need to get much more conversant with these new E.U. data protection regulations.