Home Privacy The EU’s GDPR Is A Big Deal: Acxiom Execs Describe The Impact

The EU’s GDPR Is A Big Deal: Acxiom Execs Describe The Impact

SHARE:

Kelly Liyakasa contributed

The European Union’s General Data Protection Regulation (GDPR) will become law in May 2018.

Think it won’t affect you? Think again.

“This kind of legislation impacts every company in the world,” said Acxiom CEO Scott Howe. “Very few companies aren’t collecting or utilizing information to improve their decision making.”

But how the GDPR regulates data across Europe – and how exactly it will affect US companies – isn’t entirely set.

“There’s a considerable amount of work left to do on the delegated acts to clarify how the law will take effect,” said Sheila Colclasure, Acxiom’s global chief privacy officer.

Even with those uncertainties, however, GDPR is still a big deal and will set the tone for data protection regulation globally, Colclasure said.

The stakes are incredibly high for companies that fail to comply. If a European court decides a company has played fast and loose with consumer data, that company could be fined up to 4% of its global annual revenue under the GDPR. And that’s for a single infraction.

AdExchanger spoke with Colclasure and Howe about the coming legislation and its likely impact.

AdExchanger: So, I guess this isn’t a big nothing burger, like Do Not Track.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

SCOTT HOWE: Companies can’t afford to have a different data policy in every country and every state. You need a framework across the world and [to] shoot for the highest common denominator. In any regulated industry, the complexity will kill you, so you have to aim for that highest common denominator.

But it varies so much. The common example is that IP address isn’t PII in the US, but it’s PII in Germany.

SHEILA COLCLASURE: We keep bumping into this data interoperability dilemma. It’s hard to operate in the global economy when you don’t have geographical borders in digital.

We used to have the EU-US Safe Harbor. That failed, and it was replaced by the Privacy Shield, which was designed to establish a means by which data can legally transfer out of Europe into the US. It will be reviewed this fall. But this forced globalization is an issue around the world. Countries like Russia, for instance, are siloing themselves and constraining their economy because data is an economic issue.

Who has influence over how these regulations will be carried out? Do advertisers and marketers have any say, or is it strictly EU regulators?

SC: Every country has a data protection authority. And Germany has about 15, because they do it on a localized basis. In Europe, there’s friction between the body of data regulation and the economists, who understand that data fuels the economy. So, there’s friction between these two bodies in Europe that remains unresolved.

At Acxiom, we engage the regulators directly to help fill in the white space. How do we show legitimate interest in the law? We write a methodology, we work in coalition with groups like the Information Accountability Foundation, Future of Privacy Forum, FEDMA, all who have voices in the European regulatory community.

What questions must be answered before the GDPR gets implemented next year?

SC: We don’t have full clarity on what GDPR’s requirements are. We have guidance on how to implement coming out from the Data Protection Authorities and Article 29 Working Party and commentary from the European Data Protection supervisor, but it’s still very much in play.

In GDPR, there’s a thing called legitimate interest. And that is one of the pieces of the law we care most about. Legitimate interest is the idea that data fuels the economy. If you use data within the scope of what the consumer might expect, that’s legitimate interest.

There’s another body of law called ePrivacy Regulation that’s more digitally focused around things like cookie IDs and IP addresses. It’s an update of the old European cookie law, and it’s coming into force in May 2018, too. But we believe it will be postponed because it is even murkier than GDPR.

Is there overlap between ePrivacy Regulation and GDPR?

SC: EPrivacy Regulation is consent-driven. You can’t do anything with data until you get consent.

Companies are always thinking about new products and services fueled by data, but under ePrivacy Regulations, you have to think of all of the [consumer privacy] implications up front and drop them into a privacy policy.

With GDPR, legitimate interest does the balancing.

Where is it hardest to find common ground with consumer-interest groups?

SC: I can’t single out one thing. But GDPR is so important because it will be a fully baked body of law and a standard the world over, and its development is highly complex. You have nationalists that are very anti-American. There are certain data protection authorities who would like data about European citizens to stay in-country. That doesn’t acknowledge the global nature of data today.

Will GDPR affect what happens in the US?

SC: There’s millions, if not billions or trillions, of [dollars in] commerce that goes back and forth between Europe and the US. [GDPR] will inform the way we set up our systems, so it needs to be well-written, practical and practicable – meaning companies can do what the law requires.

The EU wants consumers to provide clear, explicit consent. That’s easier said than done, though. Who’s responsible for designing it?

SH: In the next few years, this will become one of the biggest board issues. Every board should be asking their management team: Are you doing this? What are your ethical guidelines? How does this factor into your processes and how you manage the business?

It’s a risk right alongside financial reporting, cybersecurity and ethics. And from the board it must trickle down to every line of business and department. The groundswell will come from the public, as consumers worldwide increasingly voice concerns and regulations worldwide raise visibility even further.

Interview has been edited for clarity

Must Read

Comic: Alphabet Soup

Buried DOJ Evidence Reveals How Google Dealt With The Trade Desk

In the process of the investigation into Google, the Department of Justice unearthed a vast trove of separate evidence. Some of these findings paint a whole new picture of how Google interacts and competes with its main DSP rival, The Trade Desk.

Comic: The Unified Auction

DOJ vs. Google, Day Four: Behind The Scenes On The Fraught Rollout Of Unified Pricing Rules

On Thursday, the US district court in Alexandria, Virginia boarded a time machine back to April 18, 2019 – the day of a tense meeting between Google and publishers.

Google Ads Will Now Use A Trusted Execution Environment By Default

Confidential matching – which uses a TEE built on Google Cloud infrastructure – will now be the default setting for all uses of advertiser first-party data in Customer Match.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
In 2019, Google moved to a first-price auction and also ceded its last look advantage in AdX, in part because it had to. Most exchanges had already moved to first price.

Unraveling The Mystery Of PubMatic’s $5 Million Loss From A “First-Price Auction Switch”

PubMatic’s $5 million loss from DV360’s bidding algorithm fix earlier this year suggests second-price auctions aren’t completely a thing of the past.

A comic version of former News Corp executive Stephanie Layser in the courtroom for the DOJ's ad tech-focused trial against Google in Virginia.

The DOJ vs. Google, Day Two: Tales From The Underbelly Of Ad Tech

Day Two of the Google antitrust trial in Alexandria, Virginia on Tuesday was just as intensely focused on the intricacies of ad tech as on Day One.

A comic depicting Judge Leonie Brinkema's view of the her courtroom where the DOJ vs. Google ad tech antitrust trial is about to begin. (Comic: Court Is In Session)

Your Day One Recap: DOJ vs. Google Goes Deep Into The Ad Tech Weeds

It’s not often one gets to hear sworn witnesses in federal court explain the intricacies of header bidding under oath. But that’s what happened during the first day of the Google ad tech-focused antitrust case in Virginia on Monday.