In the European Union, the imminent arrival of the General Data Protection Requirements (GDPR) in May 2018 has companies scrambling to develop comprehensive policies to bring them into compliance with the law. The intent of GDPR is to grant users greater transparency into how their data is collected and used as well as increase their ability to consent (or not) to that usage.
Naturally, large tech companies that have founded their business models on collecting, processing and even selling data are some of the primary organizations affected by the GDPR's implementation. Chief among them is Facebook, which recently suffered a scandal due to its handling of user data when political data firm Cambridge Analytica obtained the profiles of millions of users and targeted them with political ads. Like many companies, Facebook recently altered its policies in preparation for GDPR, granting greater insight and control to (some of) its users.
"Facebook will be continuously updating and giving tools to EU users that may not be available to those of us in the U.S.," said Robert LaMagna-Reiter, senior director of IT security at First National Technology Solutions (FNTS). "They'll be granularly allowing people to request how their data is being used and to expunge that data."
What is GDPR?
In short, GDPR is a comprehensive law governing the handling and protection of user data set forth by the European Union. The law is intended to insulate users from data breaches while giving them greater insight into and latitude over how their data is collected and used.
In practice, this means regularly updating users when their data will be used for any purposes other than those which they originally consented to. It also means preserving users' "right to be forgotten," in the event they wish to cancel service and take their data with them.
For companies like Facebook, which derive the lion's share of their revenue from user data, this represents a massive shift in legal responsibility. As a result, they are changing their policies to comply with their best interpretation of GDPR.
How has Facebook changed its policies?
Facebook has already announced policy changes in response to GDPR's impending implementation. Currently, it appears these changes will only affect users in the EU, while Facebook's policies remain status quo elsewhere.
"As soon as GDPR was finalized, we realized it was an opportunity to invest even more heavily in privacy," wrote Erin Egan, vice president and chief privacy officer of policy, and Ashlie Beringer, vice president and deputy general counsel. "We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook."
In essence, Facebook's new policies will ask users to review ads based on data from partner sites, review the information in their profiles, decide whether they want to utilize facial recognition technology, and agree to its new terms of service.
In addition, Facebook will deploy new tools that empower EU users to access their own data, download desired information, and even delete unwanted data that's been collected. These tools are explicitly in response to GDPR's policies that require users to have more control over how their data is stored and utilized.
What does GDPR mean for advertisers?
In short, GDPR means advertising using Facebook data could become a little trickier. All in all, it's possible that advertising will be the same, but each party involved will need to ensure compliance. Consumer behavior also has a lot to do with how useful the data will be. It's possible that if many consumers opt out or exercise their "right to be forgotten," some of the data becomes less effective.
"Much depends on what information Facebook makes available for the advertisers," LaMagna-Reiter said. "The advertisers would have to ensure they're also GDPR compliant if they're accessing data on EU-citizens to target them for marketing and sales."
Overall, though, small businesses and advertisers should expect little external change. While it will be essential to revamp policies and procedures of their own in accordance with GDPR, using data as a marketing tool will remain an effective tactic for marketers in any industry.
"Marketers will need to start working closely with their security and legal departments to make sure they are aligning with the company's security requirements," he added. "As long as marketers are following the regulations and taking the security of the customer data they have seriously, there should be little to no impact."
Can Americans expect similar regulations?
The short answer is, in the short term, no. Companies that have founded their business model on the collection and analysis of user data are unlikely to voluntarily extend these protections to geographical locations that are not governed by a law like the GDPR. Doing so would undoubtedly cut into their revenue stream at least a little bit, and they're unlikely to risk that without a clear threat of regulatory pushback.
"Facebook is really going in with a fine-toothed comb and saying to citizens, 'Only in [the] EU will [GDPR] apply, but everyone outside [of the EU] will be subject to standard international law," LaMagna-Reiter said. "I don't think it would be too difficult for Facebook to make the GDPR requirement changes available worldwide, but for them, it comes down to a business decision that they want to have the most access to data as possible, because that directly impacts their business model."
However, it might not be long before the U.S. implements a GDPR of its own, according to LaMagna-Reiter. If that becomes an apparent reality, Americans could find themselves seeing the same types of tools and notifications rolling out on Facebook as well as Google.
"I think the GDPR will ultimately, in some fashion, make its way to the U.S.," LaMagna-Reiter said. "I don't know how soon that will happen, but if organizations feel GDPR doesn't apply to them, this is still an opportunity to begin working on plans of action in spirit, so when the time comes that there is some privacy overhaul in the U.S., they'll be ready."
"I don't think a good outlook is to ignore GDPR," he added. "Keep an eye on it and stay abreast as to how it might evolve to impact you personally or your organization."