MarTech’s guide to GDPR: The General Data Protection Regulation
Five years on from GDPR's debut, and with procedural changes afoot, here's an updated guide to the seminal data privacy regulation.
When the European Union adopted its General Data Protection Regulation in 2018, the law was heralded as a privacy game changer that would usher in a new era of consent around online data collection and put the right to protect personal information directly in the hands of individuals.
It was also meant to standardize privacy laws across member EU nations. GDPR would eliminate the need for individual countries to write their own regulations — as well as requiring any company, regardless of location, that markets goods or services to EU residents to comply with the law.
But five years later, enforcement challenges dog the watershed law, with complaints that were filed the day GDPR hit — alleging that Facebook, Instagram, WhatsApp, and Google forced users to give up personal information without proper consent — still wending their way through the court system.
Meanwhile, technology continues to evolve at a pace with which the glacial legal system simply cannot keep up (this article about GDPR compliance and AI tools like ChatGPT helps paint a picture of the challenges ahead).
This disconnect and the rumblings over lax enforcement, particularly in countries where big tech vendors are headquartered, are just two of the reasons that EU regulators are now looking to fine-tune the way GDPR is administered.
This piece will take a closer look at those procedural changes and at other data privacy regulations in the hopper, go over some of the law’s biggest fines to date, and examine what marketers need to know as we head into the second half of 2023.
Procedural changes on the horizon
Streamlining how data protection authorities work in cross-border GDPR cases is a focus this year. The goal is to “support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” the European Commission noted. The initiative — called Procedural Rules of Enforcement — aims to tackle a host of problems, from how GDPR complaints are handled to the duration of the proceedings themselves. And when consensus cannot be reached, the proposed enforcement rules will “clarify” the procedural aspects of dispute resolution.
Critics have said the new enforcement rules are light on specifics, but with close to 800 cases pending under GDPR, procedural reform is critical. As NOYB (short for “none of your business”), the European Center for Digital Rights, a non-profit based in Vienna, Austria, puts it, GDPR is enforced in theory only, with the tech companies finding ways to stall proceedings, appeal rulings, and circumvent fines.
GDPR’s stateside influence
In the United States, new or amended data privacy laws are on the books in Virginia, California, Colorado, Connecticut, and Utah. Enforcement dates range from January 1 of this year (Virginia) to December 31 (Utah); California, Colorado, and Connecticut are effective as of July 1. In California, the California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA).
In addition, nine other states have proposed laws that are still pending, but marketers should anticipate eventual enactment.
Except for California, all of these state privacy laws “adapt terminology” from GDPR.
A host of offices and agencies are charged with enforcement. District attorneys, attorneys general, and, in the case of California, the California Privacy Protection Agency are all in the enforcement mix.
For marketers, cookie management will be of paramount importance. Each of the states offers different levels of consumer protection for sensitive data.
At the federal level, there’s a bipartisan effort to establish a new privacy law — called the American Data Privacy and Protection Act (ADPPA) — that would create a national standard around individual rights. And on March 1, the House Committee on Energy and Commerce held a hearing on the proposed law.
While no vote was held, privacy groups and other stakeholders note that the desire for federal privacy legislation exists and may ultimately result in action.
GDPR enforcement results in hefty fines
Back in Europe, some GDPR enforcement actions have resulted in substantial fines for companies including Meta, Amazon, and Google.
The year started with a $413 million fine against Meta for GDPR violations by Facebook and Instagram. The fine was delivered by the Irish Data Protection Commission (DPC), which, incidentally, has faced extensive criticism for how it handles GDPR complaints. The DPC’s action affirmed a decision by the European Data Protection Board that “contractual necessity” isn’t an appropriate legal basis for running behavioral ads. (Behavioral ads are online advertisements or marketing messages delivered to consumers based on their search history.)
For years, Meta had been bundling its user-consent agreement into its apps’ contractual terms of services, which effectively forced users to agree to data harvesting if they wanted to use the platforms.
Meta’s early January fine came on the heels of a very expensive 2022 for the company, which saw penalties doled out to the tune of more than $800 million. It was also told it had three months to put measures into place to ask users for permission to run behavioral ads; at the end of March, the Wall Street Journal reported that Meta would allow users in Europe to opt out of targeted ads. But the company isn’t making it easy, requiring users to submit an online form stating their objections.
Along with the Meta fines, other notable GDPR sanctions include:
- $785 million against Amazon, decided in July 2021 by Luxembourg’s data authority. This decision — to date the largest penalty under GDPR, and which centers on how the company processes personal data — is currently under appeal.
- $237 million against WhatsApp (the Meta-owned messaging service), decided in September 2021 by the DPC, which marked the culmination of a three-year inquiry into how the app shared user data with Facebook.
- $52 million against search giant Google, an early GDPR fine (January 2019) that was later upheld on appeal in French court. That country’s National Data Protection Commission determined Google was not in compliance with GDPR’s data transparency guidelines and that the company did not sufficiently make clear how user data was collected and used for targeted ads.
What marketers need to know about GDPR
Marketers who want to successfully navigate GDPR obligations need to understand two concepts: compliance and consent.
Compliance refers to the need for companies with any sort of web presence that market to customers in the EU to understand the regulation, keep up to date on changes as they happen, and be able to react quickly when issues arise.
To achieve compliance, marketers must understand the types of data their company collects and, more importantly, how that data is processed and stored and what kind of sensitive personal information it contains. Compliance also hinges on collecting only the data that is necessary.
Consent means getting permission to gather or use users’ personal information. It may sound obvious, but GDPR has a specific definition for consent, which is “any freely given, specific, informed, and unambiguous indication” that the subject agrees to allow websites to gather and process their personal data.
Marketers have a role to play in enabling compliance with GDPR and the US-based rules and regulations it has influenced. While the regulatory landscape continues to evolve, so does consumers’ desire to safeguard their privacy.
Five years in, GDPR’s most significant accomplishment may be that it has elevated the privacy discussion to a priority. Companies that handle data responsibly have an edge over those that don’t, and that aligns the interests of consumers and marketers.
Opinions expressed in this article are those of the guest author and not necessarily MarTech.