Nearly two months into GDPR, is the EU law making a difference?
With new GDPR-inspired US data privacy rules on the horizon and faster websites in the UK, the short answer is yes. But time will tell what its true impact is.
For the past year or so, until the end of May, we were deluged with press releases from companies sharing opinions, predictions, innovations and more about Europe’s General Data Protection Regulation (GDPR) and how it might affect businesses here and abroad.
GDPR is data privacy legislation that governs the handling of personal data from European Union (EU) members, even when they are in other countries such as the United States.
The May 25 deadline came and went, and since then, we’ve heard a lot less.
So, now we’re wondering, nearly two months in, is GDPR having an effect?
Compliance continues to rise
This week, TrustArc released data that said three-quarters of US and European companies will be GDPR-compliant by year’s end — but only 20 percent believe they are now. The report noted that in August of last year, only 38 percent had completed or were in the midst of GDPR compliance, compared to 66 percent now.
It’s clear that companies are taking GDPR — and its staggering penalties of up to 4 percent of annual global turnover or €20 million — seriously.
Not a huge change
Mike Tarpey, chief operating officer of Underdog Media, said that his team spent more time than expected coming into compliance, but that any fears of how the company might change were unfounded.
“It was a race to the finish line and it did have a Y2K feel to it at times (for those that remember the advent of 2000), but we listened to the market and did the correct work,” Tarpey said. “We did expect to see some attrition from EU partners due to GDPR but that hasn’t happened. Honestly, we’re happy to have May 25th in the rearview, but it never changed our focus to drive value for publishers and demand-side platforms (DSPs).”
Bryta Schulz, vice president of marketing at Janrain, told me that “we were pleasantly surprised to learn that our customers and prospects were very receptive to receiving our ads.”
“In our consent-reconfirmation outreach, less than 8 percent of folks in our database declined permission to serve them full advertisements, and only 5 percent went as far as to deny the right to record data for analytics purposes, Schulz said.
But Schulz said that Janrain did have a problem with users completing the double opt-in process:
We have encountered obstacles in re-qualifying contacts on other fronts, however. We determined as a company that we would require a double opt-in prior to engaging EU customers and prospects via email to ensure GPDR compliance. In our re-permissioning campaign, we increased email opt-ins by 36 percent, but only 22 percent of those who began the double opt-in process completed it. Obviously, we would love to communicate with the remaining 78 percent, but GDPR raises the bar for consent and we hold ourselves to that higher standard as well.
Everyone’s watching the duopoly
Even though early data suggests that in the wake of GDPR, Google and Facebook have experienced benefits at the expense of smaller companies and publishers that have more trouble obtaining consent, the so-called duopoly continues to rankle publishers, users and governmental entities with its not-going-down-easy approach to GDPR and other privacy laws. The first day that GDPR was in force, several formal complaints were filed against them alleging consent violations. Last week, Facebook received a fine of £500,000 ($664,000) in the UK resulting from the Cambridge Analytica scandal — a penalty that would have been $1.9B if GDPR had been in effect.
All eyes will remain on these two companies as they continue to grapple with the restraints of GDPR.
It’s inspiring new data privacy laws
Rashmi Vittal, vice president of marketing for SAP Customer Data Cloud, said GDPR is just the start.
“Enforcement is only weeks old, and we’re already starting to see new privacy mandates like California’s AB 375 (California Consumer Privacy Act, or CCPA) and the European Union’s (EU) ePrivacy Directive push the issue of using data with integrity to the forefront,” Vittal said.
Vittal went on to say that “the bar has been raised.”
It’s expected that other states will soon introduce legislation modeled on the CCPA.
Digital monitoring company Catchpoint found that after GDPR went into full effect in late May, many EU site versions for US-based news organizations — suddenly unburdened by a huge number of third-party tags — started running much faster and delivering a better user experience.
Catchpoint Chief Executive Mehdi Daoudi told me that right after GDPR, USA Today’s US version delivered an average web page load time of 9.86 seconds, as opposed to the UK at .42 seconds; France at .75 seconds; and Germany at .51 seconds. EU pages are still running fast: Catchpoint told me this week the US pages were loading in about 10.22 seconds versus Europe’s average of .57 seconds.
“This is a direct result of the fact that many external third-party elements previously integrated into these pages (which could impact user experience and performance) have been stripped away, including ad servers, Google services/analytics, social media plug-ins and more,” Daoudi said.
Brian Byer, vice president and content and commerce practice lead at Blue Fountain Media, has seen similar results.
“Our clients are now actively looking at their tags and removing any unnecessary tracking as it’s being reported to their customers as well as slowing their sites down,” Byer said. “We have clients that are amazed at the quantity of tags that have been built up over the years and are presently unused and as a result, our GDPR clients are taking a first/hard look at these and removing the speed bumps.”
Wait and see
Rules are made to be tested, so we won’t really be able to truly assess how companies are faring in the age of GDPR until we see that first big lawsuit — or learn how many users are exercising data subject access rights (DSAR) to manage, move and delete their personal information. Here at Third Door Media, we received only three requests from readers regarding their data, and those all happened during the first week after the GDPR deadline. But privacy management software OneTrust reported that it processed 10,000 DSAR requests within two weeks of the deadline. We’ll need more DSAR data, as well as a lawsuit or two, before we know just how much of an impact GDPR is having. Until then, I’ll just grab my popcorn and watch.
Questions about GDPR? Download our free guide, The General Data Protection Regulation: GDPR — A Guide for Marketers.