Europe’s new consumer data privacy rules have been touted as having a massive impact on the digital advertising world.
But, for companies and countries which already sing from the same hymnsheet, could the impact be muted?
In this video interview with Beet.TV, one of the biggest ad-tech companies discusses the likely effects – or non-effects of the The General Data Protection Regulation (GDPR).
“There is now a very clear distinction as to what is personal data, per the regulation,” says Criteo CFO Benoit Fouilland. “There are two types of personal data on this very important distinction:
- “The sensitive personal data is going to require specific type of user consent before being processed. That user consent should be explicit in the form of an opt-in.
- “The type of data that Criteo is processing, which is user browsing behaviors, so browsing data, is data which is non-sensitive. So it’s a personal data but non-sensitive data. The type of user consent that is required by the regulation is an unambiguous user consent.
“We don’t believe that we are going to be impacted in the way we operate, because the way we today gather consent is very consistent with what the regulation is requiring
GDPR came in to effect back in 2016, whilst the final deadline for compliance comes this May.
Now any global company which deals with EU citizens’ data must comply with a new and more stringent set of demands, risking a fine of up to 4% of global annual turnover, up to a maximum of €20 million.
New GDPR stipulations give consumers new protections including:
- tighter consent conditions for the collection of citizens’ data.
- consumers can instruct companies to stop processing their data.
- automated decision-making and profiling decisions must be made clear.
- consumers can request decisioning by automated processes be stopped and handled by a human instead.
- they have the right to request an explanation of automated decision-making.
- they can request free access, rectification and deletion of data.
That has put many companies of all kinds on high alert for compliance. Some are rushing to proclaim their compliance, others are accused of not being up to speed, even with three months to go.
“It’s still early to understand how enforcement will take place,” Benoit adds. “Enforcement is going to take place first at the geographic level, (by) the data privacy authorities in each of the European member states
“For countries like France who had already put a framework in place, which is very consistent with the spirit of the regulation, I would not expect a significant change in doctrine.
“The extent to which data privacy authorities (in member states) can interpret the law is going to be probably restricted; it’s more the severity of enforcement, and when will they start to be really severe with the enforcement. That might vary from country to country.”