GDPR turns one. What's changed and what's next?
May 13, 2019
May 25th marks one year since the General Data Protection Regulation (GDPR) officially came into effect, flooding all of our inboxes with frantic privacy-policy reviews. The GDPR has forced companies across the globe to re-evaluate their definitions of “personal data” - as well as the means by which they obtain and process it - while consumers have been empowered by their new-found rights to access and erasure, which enable them to request any data a company has on them and/or request that all of that data be deleted. One year on, we’re taking a look at the impact of this legislation on the global market, the mobile ad space, and on Remerge.
What's changed globally?
The legislation requires that data security breaches be reported to the information commissioner within 72 hours of occurring, and GDPR has been largely successful in increasing transparency around such breaches. The head of enforcement at the U.K. Information Commissioner’s Office, Stephen Eckersley, has estimated that the total number of data breaches reported in 2019 will be 36,000. This represents a significant increase on previous annual reporting rates, which ranged between 18,000 and 20,000.
However, the large fines threatened for the mishandling of personal data have yet to materialize. After the first nine months, the fines totalled €55,955,871, €50 million of which consisted of a single fine against Google which amounted to only 0.04% of their 2018 revenue (for context, GDPR can impose a maximum fine of 4% of a company’s annual global revenue). There is talk of developing a matrix for harmonising penalties, which may enable the EU to impose more regular fines across companies of all sizes.
What's changed in the mobile industry?
On the one hand, GDPR has given mobile users more power than ever in terms of having their privacy preferences respected. The trade-off, however, is that users are constantly bombarded with consent-related pop-ups while browsing mobile apps. These pop-ups not only have a negative impact on the user experience but have proven largely ineffective, as they fail to inform users of the full extent to which their data could be used. A recent article by AdExchanger outlined how the CMPs (Consent Management Platforms) that power these pop-ups may not even be GDPR compliant. They found that only two of the top 15 CMPs provided an “obvious way” to update consent and there was no obvious way for CMPs to honor a user’s wish to revoke consent if their data had already been shared with multiple vendors.
In order to combat these issues, the IAB (Interactive Advertising Bureau) introduced the Transparency and Consent Framework - a guideline intended to set a standard in transparency and data protection for digital marketers. However, the French supervisory authority, CNIL, critiqued the framework’s binary approach to user consent (users could only select ‘yes’ or ‘no’), determining that it failed to inform users of the myriad ways in which their data could be used.
The IAB has now started working on a second version of the policy (TCF 2.0), which will give users more granular control over their data preferences. Google are supportive of this second iteration but have requested that some amendments be made before they attach their name to the policy.
It’s clear the next challenge facing the mobile industry will be to create a smooth and effective way for users to customize every aspect of their privacy preferences, without interfering with the customer experience.
What's changed at Remerge?
GDPR did not have a huge effect on Remerge’s business model, as our clients obtain users’ consent before sending their data on to us and we act only as a processor. We have also been acting in compliance with strict German privacy laws (which formed the basis for GDPR) for many years.
However, we have noted some important changes in the last year:
- Clients are now sending us regular updates with lists of users who have opted out and no longer wish to be targeted by personalized campaigns. This demonstrates the success of the clients’ opt-out services and we are able to remove these users from our database as soon as the info is received.
- These users constitute only a very small number (0.1% of our user base), demonstrating that the vast majority of people still see the benefit in receiving personalized content based on their previous behaviour.