The GDPR Effect Will Reverberate Way Beyond Europe

The General Data Protection Regulation (GDPR) may have originated in Europe, but its reach and influence stretch across the globe, including to the US.

For example, it’s actually easier for large enterprises to apply standards globally. Having already made a major effort to comply with GDPR for EU citizen data, it’s only logical to stay consistent across markets, said Mike Anderson, CTO and founder of Tealium.

“Global organizations don’t want one privacy and security policy for Europe and one policy for the US,” Anderson said. “We’ll see them take the most difficult standard and just deploy that across the board.”

Prompted by GDPR, Facebook pushed opt-in privacy notices to users worldwide ahead of the regulation’s enforcement date on Friday. Meanwhile, Microsoft is extending GDPR-like data subject rights to consumers across the globe, including the right to know exactly what data is being collected, the right to correct that data if needed and the ability to delete it outright or port it elsewhere.

On the other end of the spectrum, other entities are taking a different tack. The Washington Post, for example, is trying to monetize compliance efforts by offering tiered subscription packages, including an “EU premium subscription” that charges extra for no on-site advertising or third-party ad tracking.

But regardless of the approach, the takeaway is the same: GDPR, helped along by Facebook’s Cambridge Analytica scandal, has created a climate in which data tracking and collection are daily mainstream news items, even beyond EU borders.

Nation of California

In the US, California is cooking up a GDPR-inspired data protection law that has nearly double the number of signatures it needs – 625,000 – to make it onto the ballot in June. A lot of those signatures will probably be invalidated, which is par for the course with paid petitions, but as long as California’s secretary of state certifies that at least 366,000 of the signatures are valid, which is likely to happen, the California Consumer Privacy Act could be voted into law in November. The validation process is ongoing.

And despite the fact that a lot of big names are fighting against the California proposal, which would cover both online and offline data, a few noteworthy opponents are no longer actively financing the counterattack.

Facebook and Verizon both withdrew from the Committee to Protect California Jobs, an organization created to lobby against the California initiative, which has received money from Google, Comcast and AT&T.

Although the US generally takes a far more pro-business approach to consumer privacy than Europe, “data privacy concerns are mounting in the United States,” especially in the wake of the Cambridge Analytica scandal, said Arndt Groth, president of mobile ad exchange Smaato.

“We expect the GDPR to serve as a model for how the US government will enact new laws around data privacy,” he said, “and it’s only a matter of time before the drafting of these laws takes place.”

But even if Californians don’t vote the proposal into law, its very existence is a harbinger of things to come, said Fatima Khan, chief privacy officer at Demandbase.

“Anything that gets introduced within California, whether it comes on the ballot or becomes a bill, sets the stage for what future legislation might look like,” she said. “California is one of the leaders for individual privacy. Don’t think of this in terms of what might be enacted, but rather as a baseline for what we might shift to in the future.”

Although the Association of National Advertisers (ANA) opposes the ballot initiative, which it sees as too restrictive, the ad industry trade org recognizes that what’s happening in California could be the US’s consumer privacy canary in the coal mine.

“California has such a substantial footprint that whatever happens there could have a significant impact everywhere else – it’s like the nation of California,” said Dan Jaffe, group EVP of government relations at the ANA. “For years, companies have been using the opt-out system for privacy, but they may not have that choice if the states or others start to force the issue.”

That group of “others” could include the completely new crop of commissioners at the Federal Trade Commission, who finally got settled into their posts in May. Privacy advocates are pushing the commission to take a far less laissez-faire stance to regulating tech companies than their predecessors.

Setting the world on fire

Beyond the US, regulators and lawmakers around the world have been rolling out their own consumer data privacy regulations, albeit to less fanfare than with GDPR.

GDPR-like privacy regulations already exist in China, South Korea, India, Singapore, Australia and Israel, and other “non-EU countries are already reviewing GDPR as a model for their own privacy legislation,” Groth said.

But not all of this action was motivated by GDPR. There’s been a global zeitgeist brewing around data collection and consumer privacy ever since the Edward Snowden revelations, Khan said.

“People increasingly want their privacy protected in some way,” she said. “One way they can get it is by making sure the companies with whom they share data don’t do it in a way they find offensive.”

But do consumers have the stamina to care about their privacy, at least in practice, for the long term? Transparency and control can become quickly onerous. Just look at the barrage of GDPR-triggered opt-in emails that clogged the world’s inboxes in the days leading up to May 25.

Opt-in fatigue will likely set in, but it’s also indisputable that the buzz generated by GDPR sparked global interest, Groth said. The global worm has started to turn, and the work has just begun.

“There will likely be a drop in consumer attention regarding data privacy – but this is far from over,” Groth said. “Don’t forget that the European Union is also looking to replace the current ePrivacy directive with a new regulation that will both clarify and enhance the GDPR.”



  1. I think the real story is what GDPR could do to every company (outside of FB / Google) in the programmatic space. Bloomberg is reporting that 50% of all EU ad spend went to Google pre-GDPR. Now it’s 95%. May be a short-term thing while Google ‘gets its act together’ (but of course why would they hurry?).

    The second order effect is that everyone else in the ecosystem is getting their revenue cut (starting with Appnexus / Mediamath, DataXu and any other DSP). VC funded companies that are barely profitable that need to support hundreds of employees will collapse (just like Videology, Glam Media and many others that ran out of cash).

    This then flows down to the supply side (Adexchanges / SSP) though perhaps not directly at first. The budget has to go somewhere right? Well, how about all of it to Google properties while brands don’t take the risk of getting a fine? And these are the big adtech guys. For smaller mom and pop companies that don’t even make Google’s Global vendor list, how is this not game over?

    If and probably when this hits US shores….well it’s going to be a game of who has the cash to survive the consolidation (valley of death).

    Yeah and publishers are not immune either. Less demand sources means less revenue and more belt-tightening.

  2. One aspect of GDPR roll-out that I have valued is the rigor with which they are identifying all the various ad tech vendors, making it a liability for any ad tech business to work with a publisher who has not received consent on their behalf.

    This is clearing a path towards more transparent supply-path optimization, which should be good for buyers and sellers, while holding middle-layer companies to a higher standard to prove their value. Publishers moving towards whitelists of ad tech partners (and away from what has been mostly a blacklist approach) will find they are capturing as much, if not more, value, while reducing their risk.

    While it will slow down the adoption of innovative products, increasing the friction for ad tech companies who profit without adding value to the ecosystem, or worse, commit fraud, should be a win for publishers and advertisers.

    The publisher I am employed by is already moving in the direction of whitelisting select DSPs, SSPs and measurement partners and we feel the downside is more than offset by the upside.