Disclaimer: We are not lawyers, nor do we provide legal advice. This article is an analysis of changes in business regulations. If you are looking for legal advice, consult a licensed attorney or firm in your area.
It has been about a year and a half since the General Data Protection Regulation (GDPR) went into full effect.
The law was put in place to protect the privacy of user data across Europe, but what drove the EU to impose these new laws? The biggest reason is that modern users no longer trust companies with their data—and rightfully so.
Since the regulation, data privacy has become more prominent in the public consciousness. Privacy isn’t a joke anymore—which is something that many top brands have learned the hard way.
In this blog post, we’ll detail how GDPR has changed digital marketing, and what you can expect in the future.
Who Has Been Affected by GDPR?
While the regulation is EU-based, any US company that has a clientele in Europe must abide by GDPR.
That also includes:
- US companies that have employees working in the EU
- US companies with more than 250 employees
Here is how GDPR has impacted businesses and consumers:
Consumers Are Still Skeptical
Overall, consumers still have mixed feelings about user privacy online. According to a survey done by Ipsos Mori:
- Only four in 10 people believe companies are honest about how they use their data
- 43% of men and 36% of women believe that brands don’t care if they are in breach of GDPR laws
- Less than half (47%) of people trust the companies with which they share their data
There’s More Pressure for Brands to Use Data Responsibly
There was a time when companies didn’t need any privacy policies or standards. Those days are now over.
GDPR has set a global standard of how companies should deal with user data. Brands can’t just collect data because they want to—they must always provide a legitimate reason to do so.
Companies are also obliged to delete the data once it has served its intended purpose. They can no longer keep user information indefinitely to use as they wish.
It’s worth noting that some US companies have refused to comply with these regulations. For example, rather than implement these privacy measures, about 42% of US newspapers simply block EU users from accessing their websites!
GDPR Has Already Cost Some Businesses Dearly
GDPR had a big impact on how some US companies run their businesses.
Mobile marketing agency Verve shut down its operations in Europe after only two years working in the EU. According to Julie Bernard, chief marketing officer at Verve:
“We have decided that the regulatory environment is not favorable to our particular business model,” says Bernard. “We are focusing efforts on the strength of our US business at this time.”
While Verve only had to put a halt to their presence in Europe, other companies were not so lucky. The owners of social platform Klout had to shut down the site entirely because they could not comply with GDPR.
Notable GDPR Fines
When it comes to GDPR, no company is above the law. Here are our top examples of notable fines we’ve seen so far:
1. British Airways
Airline company British Airways received the largest GDPR fine issued so far.
In 2018, British Airways suffered a data breach that affected 500,000 consumers. The breach was attributed to British Airways’ failure to implement sufficiently strong security in its systems.
As a result, they had to pay a whopping £183 million fine—about 1.5% of their 2018 gross revenue.
Not only did their trust with clients go down the drain, their stock in the market took a hit too. IAG’s stock in London went down 1.5% following the incident.
2. Marriott
In 2019, attackers gained access to more than 300 million guest records from the Marriott hotel chain.
The results of the data breach were catastrophic. We’re talking:
- 5.25 million unencrypted passport numbers
- 8.6 million bank card numbers
- 20.3 million encrypted passport numbers
Because of the violation, Marriott had to pay $123 million in GDPR fines, over 3% of its gross revenue in 2018.
3. Google
Earlier last year, France fined Google $57 million for breaking privacy laws. France’s data regulator accused Google of lacking transparency and consent in their personalized ads.
It’s the most prominent fine that has been imposed on a US-based technology company. Keep in mind that this is Google, king of the internet—if Google isn’t above GDPR, then neither are you.
In response, Google released a statement acknowledging its fault and its commitment to change.
“People expect high standards of transparency and control from us,” said the statement. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
What Impact Has GDPR Had on Privacy?
When it comes to privacy, the power is now in the hands of the user. Here’s how GDPR has completely changed how we deal with user protection:
With GDPR, users have full control over their data. They can decide who they want to share their data with and why.
This new power all ties back to consent. Educating the user on how their data will be used empowers them to make a decision whether or not they want to use an organization’s products and services. If they don’t want to share their information, they don’t have to.
Under GDPR, the consumer has eight privacy rights that need to be respected. These rights include:
- Right to be informed: Visitors to your website have the right to know what information you are collecting from them and how you will use it.
- Right of access: Consumers have a right to access their data. You have one month to respond to the request, and you cannot charge a fee.
- Right to rectification: If a visitor’s data is inaccurate or incomplete, they can request to have it rectified.
- Right to erasure: Also called ‘the right to be forgotten’: users can demand that brands erase their data.
- Right to restrict processing: Users have the right to demand that you limit or suppress their personal information.
- Right to data portability: Visitors can get and reuse their data for their own purposes across different devices.
- Right to object: Consumers are allowed to refuse to let their data be processed by companies.
- Right in relation to automated decision-making and profiling: Users have the right to not participate in automated decisions that can have a legal effect on them.
If you’re looking for more information, you can check this resource from ICO that explains each right in more detail.
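The obligations described above (keep data only for a stated purpose and delete it once that purpose is served; answer access, rectification, portability and erasure requests; meet the 72-hour breach-notification window) are easier to reason about with a concrete data model. The following Python sketch is an added example and is not code from the original post. The purpose labels, sample subjects, email addresses and the 30-day simplification of “one month” are all constructed assumptions.

```python
"""Constructed example: a purpose-bound personal-data store that enforces
retention and services data-subject requests. Not from the original post."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Record:
    subject_id: str
    purpose: str             # hypothetical purpose label, e.g. "order-fulfilment"
    data: Dict[str, str]
    collected_at: datetime
    retention: timedelta     # how long this purpose justifies keeping the data

    def expired(self, now: datetime) -> bool:
        return now >= self.collected_at + self.retention


# Response windows mentioned in the post. "One month" is simplified to
# 30 days here; a production system should use calendar-month arithmetic.
RESPONSE_WINDOWS = {
    "breach_notification": timedelta(hours=72),
    "access": timedelta(days=30),
}


def request_deadline(kind: str, received_at: datetime) -> datetime:
    """Latest time by which a request of the given kind must be answered."""
    return received_at + RESPONSE_WINDOWS[kind]


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: List[Record] = []
        # The audit log never holds personal data, only the fact that a request
        # was handled, so it can survive erasure as evidence of compliance.
        self.audit_log: List[Dict[str, object]] = []

    def _log(self, event: str, subject_id: Optional[str], **extra: object) -> None:
        self.audit_log.append({"event": event, "subject_id": subject_id, **extra})

    def collect(self, subject_id: str, purpose: str, data: Dict[str, str],
                retention: timedelta, now: datetime) -> None:
        """Store data only together with the purpose that justifies collecting it."""
        self._records.append(Record(subject_id, purpose, dict(data), now, retention))
        self._log("collect", subject_id, purpose=purpose)

    def purge_expired(self, now: datetime) -> int:
        """Delete records whose purpose no longer justifies retention; returns count."""
        keep = [r for r in self._records if not r.expired(now)]
        removed = len(self._records) - len(keep)
        self._records = keep
        if removed:
            self._log("purge", None, removed=removed)
        return removed

    def access_request(self, subject_id: str) -> List[Dict[str, object]]:
        """Right of access: everything held about the subject, with purposes."""
        self._log("access", subject_id)
        return [{"purpose": r.purpose, "collected_at": r.collected_at.isoformat(),
                 "data": dict(r.data)}
                for r in self._records if r.subject_id == subject_id]

    def export_request(self, subject_id: str) -> str:
        """Right to data portability: the same content in a machine-readable format."""
        return json.dumps(self.access_request(subject_id), indent=2)

    def rectify(self, subject_id: str, purpose: str, updates: Dict[str, str]) -> int:
        """Right to rectification: correct fields on matching records; returns count."""
        count = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose:
                r.data.update(updates)
                count += 1
        self._log("rectify", subject_id, purpose=purpose, fields=sorted(updates))
        return count

    def erasure_request(self, subject_id: str) -> int:
        """Right to erasure: drop every record for the subject; returns count."""
        keep = [r for r in self._records if r.subject_id != subject_id]
        removed = len(self._records) - len(keep)
        self._records = keep
        self._log("erasure", subject_id, removed=removed)
        return removed


def demo() -> Dict[str, object]:
    """Run the store on constructed sample data and return the observable results."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.collect("u1", "order-fulfilment", {"email": "alice@example.com"}, timedelta(days=30), t0)
    store.collect("u1", "newsletter", {"email": "alice@example.com"}, timedelta(days=365), t0)
    store.collect("u2", "newsletter", {"email": "bob@example.com"}, timedelta(days=365), t0)
    purged = store.purge_expired(t0 + timedelta(days=31))   # order-fulfilment data has expired
    store.rectify("u1", "newsletter", {"email": "alice@example.org"})
    export = json.loads(store.export_request("u1"))
    erased = store.erasure_request("u1")
    return {
        "purged": purged,
        "export_purposes": [e["purpose"] for e in export],
        "export_email": export[0]["data"]["email"],
        "erased": erased,
        "u1_after_erasure": store.access_request("u1"),
        "u2_still_held": len(store.access_request("u2")),
        "breach_window_is_72h": request_deadline("breach_notification", t0) - t0 == timedelta(hours=72),
        "audit_events": [e["event"] for e in store.audit_log],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point worth noting is that every record carries the purpose and retention period that justify it, so expiry and erasure are mechanical rather than a manual clean-up, and the audit trail records that a request was serviced without itself becoming another copy of the personal data.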
The goal of GDPR is to protect users from companies violating their privacy rights.
There are two types of transgressions in the eyes of GDPR: external and internal. Let’s take a look at each type.
External Infringements
These data infringements happen when the company is not at fault.
For example, let’s say that cybercriminals gain access to client data without consent. In this case, the company must let users know what happened and provide information on the breach.
You have 72 hours after becoming aware of the breach to notify consumers about it. You’ll have to provide details on how the breach happened and how you plan to manage it.
Failing to notify may mean a fine of up to 10 million euros or 2% of your global turnover.
Internal Infringements
Internal infringements occur when the corporation is at fault for violating privacy rights.
In this case, the user has a right to file a complaint. From there, the company has three months to deal with the complaint before the user can take the case to court.
Companies can expect to be fined up to $20 million or 4% of their global turnover, whichever is higher.
An example of internal transgression was Facebook’s 2018 privacy scandal. The tech giant was caught willingly providing the data of 87 million users to Cambridge Analytica, a political consulting firm. The data became a source for political advertisements during the 2016 US election.
What Comes Next?
This upcoming decade will be a vital time for user data and privacy protection. Many companies in Silicon Valley have expressed their support for GDPR and believe the US should follow the example.
At the 40th International Conference of Data Protection in Brussels, Apple CEO Tim Cook applauded Europe’s fight for data protection. During his speech, he suggested the US do the same and put a stop to unethical practices.
“It is time for the rest of the world, including my home country, to follow your lead,” said Cook. “We at Apple are in full support of a comprehensive federal privacy law in the United States.”
While the US federal government has yet to implement a universal privacy law, the increased desire for privacy regulations is pushing states to make their own laws.
For example, as of January 1st, 2020, California’s Consumer Privacy Act (or CCPA) will go into full effect. Brands will be required to let Californians know what data they hold on them and how they process it. This applies to any business that collects data about California residents and employees, regardless of whether or not your business is in California.
Microsoft has expressed full support for the regulation on its company blog. According to one of their blog posts from November 2019:
“We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents,” says Microsoft. “Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.”
GDPR is only the beginning of what’s to come in the future.
Privacy regulations are changing. This upcoming decade, brands can expect data protection to play a more vital role in how we do business.
If your company has a presence in the EU and you’re still not GDPR compliant, you’re putting your brand in danger. From hard fines to potentially losing your business, it’s a risk you don’t want to take.
For businesses outside of the EU, there’s good news: changes are coming, but there’s still time to prepare. By making your site GDPR-friendly now, you’ll get ahead of the competition and won’t fall behind when regulations are inevitably updated.
Still haven’t made your website GDPR compliant? We can help! Contact us for a free website audit.