On May 25, many of the U.S.’s largest companies will be affected by some of the strictest and broadest regulations in a long time.
The regulations aren’t coming from the Trump administration, which is in a strong deregulation mode, or any U.S. or state regulator. Instead, they’re coming from across the pond via the European Union, which is rolling out broad regulations to allow people to regain control of their digital privacy.
The regulation is called the General Data Protection Regulation, or GDPR. Many companies have already been including the new regulations as part of their “risk factors” in earnings reports because they have the potential to disrupt the way companies make money. For example, one recent analyst note from Deutsche Bank noted that Alphabet (GOOG, GOOGL), Google’s parent company, could lose as much as 2% of total revenue as a result.
Across the board, companies that do international business in Europe have been both preparing for and dreading GDPR’s arrival, quietly re-tooling how they deal with consumer data and privacy, or in the case of Facebook, launching a “privacy center.”
What is GDPR?
In 2018, data is money. For a company like Equifax, data is the currency in which they operate, literally selling it. For others like Google, it enables advertising to work in a way that’s more targeted and specialized than a blunt billboard ad.
With the abundance of consumer data floating around today, European regulators have sought to give power back to the people being researched. Europe has a history of making moves like this, such as the “right to be forgotten” that allows Europeans to petition Google to scrub old search results.
GDPR expands the current privacy frameworks and people’s rights significantly, giving companies much more responsibility. For example, in the event of a data breach, a company must notify its consumers within 72 hours after discovery. “Data subjects,” people who are covered under the law, are also allowed to access their data at will, for free, be forgotten and ask for an erasure, and to be able to port their data over to another service.
If a company is found to be noncompliant, European regulators could issue enormous fines up to 20 million euros ($24.6 million) or “4% of total worldwide annual turnover [revenue] of the preceding financial year, whichever is higher.” Though companies like Apple (AAPL) and Google have paid fines in excess of $20 million for privacy and consent reasons in the past, GDPR fines stand to be potentially much stronger.
As to the enforceability of these fines, Lydia de la Torre, a fellow at Santa Clara University School of Law and former counsel and legal consultant for eBay, Paypal, Intuit, and HP, noted that the E.U. might have to come through the U.S. to collect penalties from American firms. But in Germany, she said, regulators have gone after domestic business partners in the past, so enforcement could be strong and may not continue with the current trends of pursuing big fish like Google.
Consent is key
At the heart of GDPR is consent. One of the biggest parts of the regulation is that any personal data that is obtained must be obtained with a much stronger standard of consent from the consumer. In EU member states, a company cannot serve users a box with “yes” pre-checked that allows a company to collect data on a user, nudging a consumer towards that choice.
Even yes/no buttons next to each other horizontally may be non-compliant as users are more likely to choose the right one.
A problem companies are facing right now is that there are no standards or guidelines yet to guarantee that compliance is adhered to. As the International Association of Privacy Professionals (IAPP) noted, the word “consent” appears 72 times in the regulation text, but details are scarce. The consent needs to be “freely given,” “specific,” “informed,” and “unambiguous.” And once you give it, it must be easy to withdraw.
“GDPR is very specific,” says Susan Etlinger, industry analyst at Altimeter Group. “Companies can only use data for a specific purpose. Any secondary purposes need additional consent.”
All of this means that opt-ins and consent forms for people using apps and internet services in the E.U. will probably see flurries of pop-ups and banners, something that could potentially affect user experience, and change how the internet looks and feels in a big way — in Europe, at least. As Etlinger noted, if a company wants to use a person’s data in a specific way, they have to ask permission for every single thing — whatever it may be.
Some companies might roll out changes broadly to users across the world; so Americans might see changes if a company doesn’t want to have a bunch of parallel systems. Meanwhile, other international companies are used to disparate regulatory environments, so you could see a different version of some services abroad. To a certain extent this already exists, with different versions of Google and Facebook.
“Google has been forced to implement ‘right to be forgotten’ in the E.U. but they’ve not implemented the same kind of principles outside the E.U.,” said de la Torre.
Companies could be affected in interesting ways
Arrays of consent windows may wreak havoc on some companies’ ability to get users to participate, similar to how a long list of unappetizing side effects can discourage someone from using a particular drug.
“If you actually read the precautions on every single pill, would you actually take it?” says Etlinger. “There’s this balancing act between disclosure and risk prevention and usability. That’s something that companies have to deal with.”
When the new rules arrive, companies will have to go back and ask for consent properly, in line with the new standards. There aren’t that many public tests of how well this might work out. According to one survey done by Hubspot, 55% of European respondents would opt out of having companies store their information, and 59% would ask the company to delete their records completely. For example, someone signing up for a newsletter will now be asked whether they are alright with having the company use their information for analytics. Many people would likely say no, given the option.
Further throwing a wrench in company plans is an update to the “Cookie Directive,” which deals with how a company can put a cookie into someone’s browser to enable web functions that are critical to user experience and enable tracking and ad retargeting, revenue-generators for companies.
According to de la Torre and some industry insiders Yahoo Finance spoke with, this will impact the industry to a similarly large degree. If someone has to be asked whether they will accept cookies, the likelihood of saying no goes way up.
In the run-up to GDPR implementation, many companies are testing different ways to gain consent without hurting their business model. For a company that serves up ads, disclosing how key tracking data is used to personalize could pose a major problem. For a commerce company, you don’t want your customers to be interrupted en route to making an impulse buy.
“I think there’s going to have to be a tremendous amount of UX testing to make sure we really understand the best way to get consent and empower people,” said Etlinger. “I think we are definitely going to see designers, privacy pros, and product people start to incorporate consent and notification to the extent they can into products in the least intrusive and most educational ways possible.”
Right now, a lot of questions and worries of unintended consequences
The depth and challenges posed by GDPR are enormous, and many companies have been preparing for years with the help of their compliance departments or outside lawyers. But according to de la Torre, there could be unintended consequences for small companies and startups that don’t have big compliance departments.
The broad nature of GDPR — de la Torre notes that it wasn’t written to target a specific industry — means more questions than answers have come up. While behemoths like Google and Facebook may be able to fully prepare, both de la Torre and Etlinger noted that smaller international firms that do some business in Europe may find themselves in a tight spot. What if you’re a mom and pop business that uses a cloud-based marketing system, said Etlinger?
With the absence of enforcement actions and precedents to help guide the way, companies are somewhat in the dark.
“At some point the EU is going to prosecute someone and we’ll see some case law come out of that, and we’ll start to get a fuller sense of what GDPR looks like in the real world,” said Etlinger.
Until then, some companies are figuring out ways to handle it together through trade groups. According to Quantcast’s deputy general counsel and chief privacy officer Ghita Harris-Newton, some of those questions will be addressed by the implementation of industry standards, something that many in the advertising community are working on.
Even with standards, however, GDPR will prompt people and companies to have perhaps long-overdue conversations about privacy and what it means to have informed consent. According to Etlinger, the changing technological landscape could complicate things considerably.
“In the world of chatbots and voice agents, this idea of a pop-up is a little besides the point,” Etlinger said.
As for whether it’s good or bad? It’s still unclear. Some companies have told Yahoo Finance that GDPR will result in less consent and fewer users and be a headwind — even without considering potential fines. Others have said they are neutral to the changes or that they welcome privacy frameworks that are in line with their thinking. Some businesses, Etlinger noted, suspect that informed consent will make their data more robust and reliable — especially if consumers can delete it — and will foster a better relationship with their consumers.