If you work anywhere even remotely adjacent to digital data right now, then you have likely heard the letters “GDPR.” Also known as the General Data Protection Regulation, this is a set of European Union (EU) rules around how users’ personal data must be collected, stored, and shared, and it goes into full effect on May 25, 2018. And even if you don’t have operations in the EU, it may affect your business. In this piece we review the major themes of the GDPR that mobile marketers and app publishers should be aware of.
The GDPR was passed in April of 2016 and will go into enforceable effect in May of 2018 after a two-year transition period. It replaces the 1995 Data Protection Directive and brings more unity to data regulations across the EU. It covers all personal data collected from EU citizens, which includes anything that may be used to identify a person: IP address, email address, mobile ad ID, photos, social media posts, location data, biometric data, and more.
The law distinguishes between two different types of data handlers: data controllers and data processors. A data controller is any entity that collects first party data or directly decides what data will be processed and how, such as a mobile app or a website. A data processor is an entity that performs basically any operation on data, such as collecting second party data, storing, transferring, or analyzing first or second party data, etc. on the instruction of the controller.
Data controllers have the heavier burden because they are ultimately responsible for ensuring that their processors are compliant and that the many requirements of GDPR are met. But don’t be fooled: processors too must sign up to and comply with various contractual and regulatory requirements. Further, anytime a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller),it will be considered to be a joint-controller and will have the same responsibilities and liability as a controller.
The GDPR carries heavy fines for noncompliance: for lower tier infractions penalties can go up to €10M or 2% of annual worldwide revenue; for major non-compliance with the fundamental aspects of the regulation, companies can expect to see enforcements of up to €20M or 4% of annual worldwide revenue, whichever is greater.
Although some people think the GDPR limits data collection entirely, the reality is more nuanced than that. A business may process (collect, store, analyze, etc.) data under these lawful circumstances:
It is a long-established practice for companies to gather data on customers to better power product development and business decisions. Their ability to gather data creates a proprietary asset that gives firms a defensible advantage.
The GDPR clarifies that individual data subjects are the owners of the personal data relating to them and establishes processes for individuals to assert control over their data by giving or withholding permission to use this data in specific ways. And just as you might have the right to, for example, review marketing lists you’re signed up for and unsubscribe or change your subscriptions, the GDPR gives data subjects unprecedented new rights around seeing and managing the data that has been collected on them:
In the face of these changes some companies have reacted by putting off expansion into the EU—or even by withdrawing from countries where they had already expanded. However, this might not be sufficient: the regulation can be interpreted to mean that it covers the data of EU citizens even when they are not on EU soil.
It’s not clear how swift or successful regulators will be in enforcing EU regulations outside the EU; lawsuits may be the bigger risk here. At any rate, it will make sense for companies to be aware of the requirements of GDPR even if they aren’t necessarily involved in the EU at this time. They will want to understand their exposure to any potential fines or lawsuits that may occur.
If you are collecting data on your users, even simple usage data tied back to a mobile ad ID or other persistent identifier, you should at a minimum figure out with a lawyer how much the GDPR will impact you. Remember, getting even one EU install means that the regulations could apply to you, and you could be at risk.
You’ll also want to work with your network of ad tech and other partners to make sure that they are also compliant. One critical area to review is whether partners are willing and able to delete user data on demand. If you get a revocation of permission from a user, will your partners be able to honor it? If not, you could find yourself in violation of the regulation.
For ad tech firms, agencies, and brands that use mobile data for analytics or targeting, it will be vital to understand exactly where your data comes from and to have a plan for how to deal with EU data that you might get. Even if you don’t plan to use the data, the fact that you are collecting or storing it will make you subject to the GDPR. Review each data source to make sure that they are following best practices, and phase out those that aren’t.
The GDPR represents a sea change in how companies will have to collect, store, and manage user data. Understanding its effects on your business will be key to avoiding costly litigation and fines.
(This article was prepared with the assistance of Kari Kelly of Centric Legal and cross-posted on Medium. Nothing in this article should be construed as legal advice or as a comprehensive understanding of everything you need to know about data privacy and protection. We recommend that you retain an attorney to lay out your GDPR strategy.)
Subscribe For Updates