GDPR: A ‘Y2K’ moment or a sea change for the digital ecosystem?

There was a lot of hand wringing leading up to last May’s implementation of GDPR. But since that time there have been few fines or enforcement actions, with the notable exception of a $57 million fine imposed on Google and a new investigation in Ireland. This raises the question: is GDPR is the current digital generation’s “Y2K” moment — a highly anticipated event with little real-world impact.

Limited impact on consumers

From a consumer standpoint, GDPR has had not had a significant effect on people’s daily lives. According to survey data from TrustArc and Ipsos, 66% of more than 2,000 UK consumers said they didn’t know or disagreed with the idea that GDPR been effective. And only a tiny minority had exercised any of their personal data rights under GDPR.

Another UK-based survey from BounceX found that while 71% of UK consumers were familiar with the term GDPR and 56% supported the regulation, most consumers had not changed their online activities in its wake. Further, a global survey from Ogury, of more than 287,000 consumers, found only 8% of consumers had a better understanding of how companies use their data since GDPR.

Source: Ogury (n=287,000 global consumers)

While this was a global sample and one would not expect equal awareness of GDPR across all regions, “In European countries where GDPR has been in effect for more than a year now . . . 39% of European respondents were unaware of what GDPR is at all.”

Marketers more cautious

But what about marketers and their day to day activities; how have those changed? Here there was a more pronounced impact on daily life. However, there was also still a good deal of uncertainty.

According to Darren Abernethy, Senior Counsel, TrustArc, “GDPR forced marketers and brands–including many with no offices or employees in the EU–to evaluate whether their pre-GDPR contacts and leads were still adequate as-is for today’s use.” He added, “Because of GDPR’s potentially global reach, many marketers continue to work through using updated EU vs. non-EU campaign parameters, different flags within databases and their CMS, and potentially different website cookie/tracker load experiences. It has also led to a greater wariness in relying on bought-in lists without strong contractual guarantees and consent audit trails to support them.”

Paul Harrison, CTO at Simpli.fi said, “Many targeting methods that are threatening to PII can no longer be employed. Advertisers, brands, marketers, etc. cannot touch data or media that does not have the appropriate consent strings attached, forcing them to think differently and implement new ways of targeting and connecting with consumers.” He further explained, “User requests that come in can be difficult to manage as people do not want any advertising versus not just tracking. Engineering efforts take much longer to meet compliance, not to mention the additional costs associated with the day to day requests and management of compliance and audits.”

Benoit Grouchko, CEO of Teemo, pointed to “privacy by design” as a significant shift in the wake of GDPR. “Everyone now thinks about potential impacts on privacy for any data-driven product: how users would feel about it, potential risks, how to limit impact on privacy, etc. This is a significant change in mindset and strategy. Whenever data is involved in a marketing plan, marketers make sure they know where this data comes from, how it has been collected and consent has been given, whether it’s compliant, etc.”

Johnny Ryan, Chief Policy and Industry Relations Officer at Brave Software, told us that most of the changes that he anticipated hadn’t happened yet. “Most marketers are not aware of the risk that RTB companies expose them to,” he said. “Change has yet to happen . . . we are at the very start of the application of the GDPR.”

Google, Facebook and unintended consequences

One popular perception is that a GDPR “unintended consequence” is the strengthening of Google and Facebook. This is arguably the opposite of what the EU wanted to accomplish with GDPR.

Teemo’s Grouchko said that it “has strengthened Google and Facebook vs. smaller competitors as a side effect indeed. Google and Facebook have so many touchpoints with their users that they can find ways to have them accept pretty much anything. For smaller publishers or vendors, having much fewer interactions with users makes it harder to gather the same level of consent, and as a consequent to remain competitive from a data standpoint.”

Simpli.fi’s Harrison generally agreed. “The big marketers ended up with more market share and less competition,” he argued. And TrustArc’s Abernethy opined, “The so-called ‘walled-gardens’ have enjoyed the benefits of owning the first-party relationships with consumers and setting the terms of transparency disclosures and consents for processing purposes.”

Market-share data also seem to support the idea that Google and Facebook’s relative competitive positions in Europe are stronger than they were before GDPR. However, Brave’s Ryan disagreed with the others’ assessments.

“Let me dispel this idea that Google and Facebook benefit from the GDPR in the medium term. The GDPR is risk-based. That means Big Tech that creates big risks get big scrutiny and potentially big penalties. Regulators are only starting to enforce the GDPR and it will take years to have full effect. But already, things are looking bleak for our colleagues at Google and Facebook. Their year-over-year growth declined steadily in Europe since the GDPR – despite a buoyant advertising market,” he argued.