The Bottom Line
- With fines that can reach up to €20 million or 4% of worldwide annual revenue, the cost of non-compliance under the GDPR could be much more significant than it has been under the prior data privacy framework in the EU.
- With a little more than one month before the GDPR becomes enforceable, all ad tech companies, even those located outside of the EU, must now find a solution to meet the GDPR’s requirements before collecting, using or sharing personal data from consumers in the EU and EEA.
The European Union’s General Data Protection Regulation (GDPR) becomes enforceable on May 25, yet some U.S.-based ad tech companies still seem to believe (or hope) that it will not impact them. That is potentially a very risky position to take, because the GDPR applies not only to companies located in the European Union (EU) and the European Economic Area (EEA), but to any companies that monitor the behavior of people in the EU and EEA or offer goods and services to them. Because of the GDPR’s broad reach and many nuances, all ad tech companies, regardless of their location, should immediately and carefully consider whether their businesses are subject to the requirements of the GDPR.
The GDPR’s Broad Reach
A number of elements of the GDPR make it applicable to the ad tech community in the United States.
The GDPR imposes new privacy requirements on companies that collect, use or share personal data from consumers in the EU and EEA, whether or not the companies are located there, with little exception. This means that, for example, an ad tech business with offices in the United States that collects or processes “personal data” of an EU resident is subject to the GDPR.
A significant provision under the GDPR is its comprehensive definition of “personal data” as any information relating to an identified or identifiable natural person in the EU (a data subject). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
To be clear, personal data for purposes of the GDPR includes online identifiers such as cookie IDs, device IDs and location data. While the GDPR may not include all possible online identifiers within the definition of personal data, it will certainly include most, even if those identifiers are not considered to be personal data in the United States.
Implications for Ad Tech
One of the primary goals of the GDPR is to give individuals in the EU more control over how and by whom the personal data they share is used. The GDPR generally seeks to do this by requiring that individuals affirmatively “opt in” to consent to the use of their personal data. This opt-in consent standard creates compliance challenges for ad tech companies that have become accustomed to the opt-out approach common in the United States or the implied-consent approach sometimes used abroad.
Some may suggest that, in addition to consent, having a “legitimate interest” may provide a sufficient legal basis to allow the processing of personal data for purposes of online behavioral advertising. However, the European Commission does not seem to agree, and at least one member of the European Parliament recently stated that changes in EU privacy law may mark the end of behavioral advertising.
Whether that view ultimately will be proven correct remains to be seen, but as of now, there seem to be a number of steps that the ad tech community can take to address the consent requirements of the GDPR.
Possible Compliance Solutions for the Ad Tech Community
As discussed in a previous Davis & Gilbert Alert, the Interactive Advertising Bureau’s Technology Laboratory (IAB Tech Lab) has proposed a possible solution for the entire ad tech community. In particular, the IAB Tech Lab solution (which has not been officially endorsed by EU regulators) proposes the use of a signal, transmitted between the parties engaged in an ad call, that conveys whether GDPR-compliant consent has been obtained. Companies subject to the GDPR could also consider other third-party cookie consent technologies that promise to help achieve compliance by offering user-centric consent controls.
Companies can also adopt other GDPR-compliant solutions on their own or in collaboration with others. For example, ad tech companies could consider excluding EU audiences altogether from targeted advertising campaigns. Another possible approach would be to use contextual advertising methods, which target ads based on the content of a webpage rather than on the personal data of the consumers who may be interested in that content.