Enforcement of the European Union's General Data Protection Regulation (GDPR) is nearly upon us, and with it comes a whole new world of data ownership by individuals, and responsibility requirements for companies. I won't rehash what GDPR is here - many, many others have already done that. Instead, I'm going to focus on two possible scenarios that marketers need to be ready for once we start to see how GDPR is enforced.
There's a lot about GDPR still that, if we're being honest, nobody knows. As of this writing, Google's official compliance page still says "We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR) … We are committed to complying with the new legislation and will collaborate with partners throughout this process." We're a month out from the start of enforcement of regulations that could levy fines up to 4% of global revenue and Google is "working hard to prepare!" If Google ain't ready, ain't nobody ready. Here at Verndale we've seen this across the many industries we work with as well. Many organizations are taking some token measures for now but mostly just hoping not to be one of the first targets for enforcement, so they can see more concretely what standards they can expect to be held to. And who can blame them? There are many gray areas still in GDPR, and accidentally doing more than you have to on the compliance front will take funds away from other valuable initiatives.
We will get a lot of answers in the coming months about just how significant an investment companies are going to have to make in GDPR compliance and, perhaps even more importantly, what impact the regulation is going to have on digital marketing in Europe. In one scenario, digital marketing gets more difficult but, with the proper safeguards, still functions. In the other, digital marketing as we know it almost ceases to exist.
Scenario 1: "Soft" GDPR
Under what I'm calling "Soft" GDPR, enforcement authorities will still allow anonymous or semi-anonymous tracking of user activity via analytics platforms like Google Analytics. You still will have to make sure you don't accidentally capture personal information, but if this type of platform is central to your digital marketing efforts, Soft GDPR would leave them well enough alone. Google and other analytics providers are releasing tools allowing you to mask IP addresses (which are unequivocally considered personal information under GDPR) and to manage data retention policies, among other likely changes, but these would be evolutionary updates, not revolutionary. There's just one problem: Google still almost certainly knows who you are even if they only share non-identifying information with their analytics customers. The question is: will they still be allowed to do that? What level of opt-in will be required?
Scenario 2: "Hard" GDPR
"Hard" GDPR would represent the end of digital marketing as we know it today. Though it's unlikely, high profile data breaches and specifically the Facebook/Cambridge Analytica scandal make this scenario a distinct possibility. Here's one way this could happen: enforcement authorities could decide that there is simply no technically feasible way for companies like Google not to be collecting personal data when tracking users all over the Internet. Both direct and indirect identifiers exist in abundance, and research has shown it doesn't take much data to create a unique browser or device fingerprint. If authorities decide to be strict about the unauthorized collection of indirectly identifying information because of the risk that it could be combined to identify a user, Google and other data companies are going to have a long uphill battle to fight. They are going to have to ask users in a granular way what data they can collect and, since every piece of information you collect could potentially combine with other pieces of information to get closer to uniquely identifying someone, they could be considered indirect identifiers and you will be allowed to collect essentially nothing without explicit consent.
The number of people who will opt in to such collection is likely to be miniscule unless Google can somehow force users to opt-in in order to utilize its other services and products (which it is not clear they will be allowed to do). The result of all this? Google would be extremely limited in the types of information it can share with its customers, and digital marketers face the prospect of extremely limited analytics information.
Will GDPR be the digital marketing Armageddon? Probably not. But there are no guarantees and, as enforcement authorities start to show their interpretation of the law, the industry must be prepared to react quickly and be ready for a whole new world.