GDPR And Lessons From The Credit Card Chip Rollout

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Ryan Eney, director, legal, at OpenX.

In 2016, the retail and finance ecosystem was shaken up with the US introduction of EMV, the global credit card chip technology retailers were required to use when consumers made in-store purchases.

In years leading up to 2016, highly visible credit card fraud schemes surged. Privacy and fraud were top of mind for everyone in the supply chain, from retailers and payment providers that facilitated the transactions to the consumers who ultimately suffered the most. The industry recognized that substantial changes and a standardized approach were needed for greater consumer protections, and EMV – named after Europay, MasterCard and Visa, which created the standard – was rolled out.

While it was a big step forward for consumer protection, it also had a large impact on retailers that were forced to revamp their payment infrastructure. New systems were rolled out across the country, and banks and credit card providers issued hundreds of millions of new cards, allowing the EMV chip to become the norm in less than 24 months.

Like the EMV requirement rollout, the upcoming General Data Protection Regulation (GDPR) makes progress toward protecting consumers’ privacy, and the businesses affected must complete significant upfront work to comply. Ahead of the fast-approaching May deadline, the successes and failures of the EMV rollout can serve as a useful example.

EMV was one of the largest changes to payments in decades, and the first step toward compliance was to understand its scope.

With EMV, retailers became responsible for any fraud that occurred with their credit card processors, a liability that was previously carried by credit card companies. Similarly, advertisers and publishers face serious financial implications if they fail to comply with GDPR – up to 20 million euros in fines, or 4% of revenue.


Ahead of GDPR, advertisers and publishers should overcommunicate. During the EMV rollout, consumers were justifiably confused and frustrated. The chip insertion process is much slower than the traditional credit card swipe, and consumers directed their frustration at retailers. But had they known that the chip is more secure than the swipe, they likely would have been more open to the change.

For GDPR, an analogous issue will arise when publishers ask for consumers’ consent to use their data. Under the new regulation, publishers must clearly ask consumers to give consent for the use of their data rather than relying on obscure terms and conditions. They should clearly remind customers that it’s designed to protect their privacy to circumvent any pushback and confusion as the regulation goes into effect.

Consumers may be confused or alarmed by the sudden ask from brands, perceiving that their information is less secure if publishers are communicating more thoroughly about their process.

Watch partnerships

With the EMV rollout, retailers needed payment processors that could accept EMV payments and ensure a seamless process that was consistent from retailer to retailer. If they didn’t pick the right partners, they risked missing the deadline and, even worse, taking the blame for the poor user experience.

With GDPR, liability is also shared among all partners. A publisher could be compliant, but if it works with a single partner that is not compliant, then the publisher isn’t compliant either.

Think beyond May 25

The EMV rollout forced retailers to overhaul credit card terminals. It was costly and time-consuming, but smart retailers viewed it as an opportunity rather than a challenge. Retailers update credit card processors infrequently, which made the EMV rollout an ideal time for retailers to consider new payment options, such as Apple Pay.

Similarly, advertisers should view GDPR as a catalyst for positive change. Quality is the No. 1 issue in digital media and advertising. Protecting consumer privacy is important, but that’s only one element of the quality discussion. We should use GDPR’s privacy discussions as a time to also address fraud and subpar advertising experiences.

While there was short-term pain for retailers and consumers during the EMV rollout, the regulation was a positive development for the industry. GDPR will likely do the same. As EMV showed us, change can be a good thing.

Follow OpenX (@OpenX) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!