Today’s blog post is dedicated to an update on privacy regulations that the European Union is planning to implement in less than a year that will have a significant impact on our members and the entire adtech industry. The EU “General Protection Data Requirements” (GDPR) takes effect on May 25, 2018. Hailed as the most significant change in data protection law in over 20 years, the GDPR will impose many new obligations on controllers and processors of "personal data," an expanded definition that encompasses many of the data types typically collected and used by digital advertising technology companies.
GDPR will require companies to provide consumers with clear, unambiguous consent choices, data portability, a right to access data, and consent revocation, among other obligations. The cost of non-compliance is significant. GDPR includes an increased extra-territorial applicability and a significant increase in the penalties for non-compliance. Fines for non-compliance are up to four percent of annual global turnover or 20 million Euros, whichever is greater. An overview of the GDPR’s key changes can be found here.
Many of our members have asked what NAI can do to help companies prepare for the obligations they will face under the GDPR. NAI's current Codes of Conduct and guidance documents are applicable to the United States. However, NAI's technical expertise and knowledge of our industry and its various business models make us uniquely qualified to be of assistance as we attempt to craft solutions that protect consumers' privacy, but also allow for companies to continue to innovate and conduct business in Europe.
I have been travelling to Europe on a regular basis this year to meet with industry colleagues and EU regulators. I am delighted to report that NAI has been invited by the IAB Europe to be an active participant in its GDPR Implementation Working Group (GIG). The GIG, made up of IAB Europe members dedicated to meaningful privacy and business solutions for GDPR implementation, has been working hard to develop position papers and helpful guidance documents on numerous points of GDPR compliance. We meet frequently, both in person and in virtual meetings, to determine the best path for both privacy protection and business continuity.
IAB Europe's GIG has produced a GDPR Compliance Primer, designed to share with executives and business owners within member companies in order to expand companies' understanding of the complex obligations required of data controllers and processors of European consumer data. The full paper can be found here.
As the GIG continues its work, NAI will share its output with member companies. We also want your input on key aspects of compliance.
If you have any questions or wish to discuss any issue of GDPR compliance with NAI staff, please don't hesitate to contact us. If you are interested in participating more actively in the IAB Europe and its GIG, information on membership can be found on the IAB Europe's website.