MarTech’s guide to GDPR: The General Data Protection Regulation

When the European Union adopted its General Data Protection Regulation in 2018, the law was heralded as a privacy game changer that would usher in a new era of consent around online data collection and put the right to protect personal information directly in the hands of individuals.

It was also meant to standardize privacy laws across member EU nations. GDPR would eliminate the need for individual countries to write their own regulations — as well as requiring any company, regardless of location, that markets goods or services to EU residents to comply with the law.

But five years later, enforcement challenges dog the watershed law, with complaints that were filed the day GDPR hit — alleging that Facebook, Instagram, WhatsApp, and Google forced users to give up personal information without proper consent — still wending their way through the court system.

Meanwhile, technology continues to evolve at a pace with which the glacial legal system simply cannot keep up (this article about GDPR compliance and AI tools like ChatGPT helps paint a picture of the challenges ahead).

This disconnect, along with rumblings over lax enforcement, particularly in countries where big tech vendors are headquartered, are just a couple of the reasons that EU regulators are now looking to fine-tune the way GDPR is administered.

This piece will take a closer look at those procedural changes – as well as other data privacy regulations in the hopper, go over some of the law’s biggest fines to date, and examine what marketers need to know as we head into the second half of 2023.

Procedural changes on the horizon

Earlier this year, the European Commission announced that it would seek to streamline the way data protection authorities across the EU work together when enforcing GDPR in cross-border cases. “This will support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” the Commission noted. The initiative — called Procedural Rules of Enforcement — aims to tackle a host of problems, from how GDPR complaints are handled to the duration of proceedings themselves. And when consensus cannot be reached, the proposed enforcement rules will “clarify” the procedural aspects of dispute resolution.

Critics have said the new enforcement rules are light on specifics, but with close to 800 cases pending under GDPR, procedural reform is critical. As the NOYB, or European Center for Digital Rights, a non-profit based in Vienna, Austria, puts it, GDPR is enforced in theory only, with the tech companies finding ways to stall proceedings, appeal rulings, and circumvent fines. (“NOYB” is short for “none of your business.”)

GDPR’s stateside influence

In the U.S., new or amended data privacy laws are on the books in Virginia, California, Colorado, Connecticut, and Utah, with enforcement dates ranging from January 1 of this year (Virginia) to December 31 (Utah), with California, Colorado, and Connecticut effective as of July 1 (in California, the California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA)).

In addition, nine other states have proposed laws that are still pending, but marketers should anticipate eventual enactment.

These laws are notable in the present context because — with the exception of California — they all “adapt terminology” from GDPR, yet diverge in how they are enforced, with district attorneys, attorneys general, and, in the case of California, the California Privacy Protection Agency, all in the enforcement mix.

For marketers, cookie management will be of paramount importance as brands/websites continue to understand how consumer rights around sensitive data are protected under the state laws.

At the federal level, there’s a bipartisan effort to establish a new privacy law — called the American Data Privacy and Protection Act (ADPPA) — that would create a national standard around individual rights. And on March 1, the House Committee on Energy and Commerce held a hearing on the proposed law.

While no vote was held, privacy groups and other stakeholders note that the desire for federal privacy legislation exists and may ultimately result in action.

Dig deeper: Only 11% of US businesses fully comply with CCPA privacy law

GDPR lobs hefty fines

Back in Europe, GDPR enforcement issues aside, some complaints have resulted in large fines, levied against companies like Meta, Amazon, and Google.

The year started with a $413 million fine against Meta for GDPR violations by Facebook and Instagram. Delivered by the Irish Data Protection Commission (DPC), which, incidentally, has faced extensive criticism for how it handles GDPR complaints, the agency’s actions affirmed a decision by the European Data Protection Board that said “contractual necessity” isn’t an appropriate reason to run behavioral ads. (Behavioral ads refer to online advertisements or marketing messages that are delivered to consumers based on their search history).

For years, Meta had been bundling its user-consent agreement into its apps’ contractual terms of services, which effectively forced users to agree to data harvesting if they wanted to use the platforms.

Meta’s early January fine came on the heels of a very expensive 2022 for the company, which saw penalties doled out to the tune of more than $800 million. It was also told it had three months to put measures into place to ask users for permission to run behavioral ads; at the end of March, the Wall Street Journal reported that Meta would allow users in Europe to opt out of targeted ads. But the company isn’t making it easy, requiring users to submit an online form stating their objections.

Along with the Meta fines, other notable GDPR sanctions include:

• $785 million against Amazon, decided in July 2021 by Luxembourg’s data authority. This decision — to date the largest penalty under GDPR, and which centers on how the company processes personal data — is currently under appeal.
• $237 million against WhatsApp (the Meta-owned messaging service), decided in September 2021 by DPC which signaled the culmination of a three-year inquiry into how the app shared user data with Facebook.
• $52 million against search giant Google, an early GDPR fine (January 2019) that was later upheld on appeal in French court. That country’s National Data Protection Commission determined Google was not in compliance with GDPR’s data transparency guidelines and that the company did not sufficiently make clear how user data was collected and used for targeted ads.

What marketers need to know

Two words need to be high on every marketer’s list when it comes to GDPR: compliance and consent. Compliance, of course, refers to the need for companies with any sort of web presence that market to customers in the EU to understand the regulation, keep up to date on changes as they happen, and be able to react quickly when issues arise.

Of course, tangential to that is the need for marketers to understand the types of data their companies collect, and, more importantly, how that data is processed, stored, and what kind of sensitive personal information it contains. Compliance also hinges on collecting necessary data only.

Top of mind for marketers should be the other key word: consent. Broadly speaking, companies are more likely to remain in compliance with GDPR when they have gotten the proper permission to gather or use users’ personal information. It may sound obvious, but GDPR has a specific definition for consent, which is “any freely given, specific, informed, and unambiguous indication” that the subject agrees to allow websites to gather and process their personal data.

Unsurprisingly, marketers have a big role to play, not only in understanding, but in enabling compliance with GDPR and the US-based rules and regulations it has influenced. While the regulatory landscape continues to evolve, so does consumers’ desire to safeguard their privacy.

In the five years that it has been on the books, GDPR has proven if nothing else that protecting data is a corporate responsibility. Companies that handle data with care and show users that their concerns over online privacy are valid will have an edge over their less prudent competitors.

Dig deeper: Build trust, gain sales