GDPR: What’s the big whoop?

This past week, the European Union’s General Data Protection Regulation (GDPR) initiative kicked in. But what does it mean for businesses that operate in the EU region?

And what are the prospects for GDPR-like privacy coming to the USA anytime soon?

First off, let’s review what’s covered by the GDPR initiative. The GDPR includes the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to be forgotten
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The “right to be forgotten” means data subjects can request their information to be erased. The right to “data portability” is also a new factor.  Data subjects now have the right to have data transferred to a third-party service provider in machine-readable format.  However, this right arises only when personal data is provided and processed on the basis of consent, or when necessary to perform a contract.

Privacy impact assessments and “privacy by design” are now legally required in certain circumstances under GDPR, too. Businesses are obliged to carry out data protection impact assessments for new technologies.  “Privacy by design” involves accounting for privacy risk when designing a new product or service, rather than treating it as an afterthought.

Implications for Marketers

A recent study investigated how much customer data will still be usable after GDPR provisions are implemented. Research was done involving more than 30 companies that have already gone through the process of making their data completely GDPR-compliant.

The sobering finding:  Nearly 45% of EU audience data is being lost due to GDPR provisions.  One of the biggest changes is that cookie IDs disappear, which is the basis behind so much programmatic and other data-driven advertising both in Europe and in the United States.

Doug Stevenson, CEO of Vibrant Media, the contextual advertising agency that conducted the study, had this to say about the implications:

“Publishers will need to rapidly fill their inventory with ‘pro-privacy’ solutions that do not require consent, such as contextual advertising, native [advertising] opportunities and non-personalized ads.”

New platforms are emerging to help publishers manage customer consent for “privacy by design,” but the situation is sure to become more challenging in the ensuing months and years as compliance tracking the regulatory authorities ramps up.

It appears that some companies are being a little less proactive than is advisable. A recent study by compliance consulting firm CompliancePoint shows that a large contingent of companies, simply put, aren’t ready for GDPR.

As for why they aren’t, nearly half report that they’re taking a “wait and see” attitude to determine what sorts of enforcement actions ensue against scofflaws. Some marketers admit that their companies aren’t ready due to their own lack of understanding of GDPR issues, while quite a few others claim simply that they’re unconcerned.

I suspect we’re going to get a much better understanding of the implications of GDPR over the coming year or so. It’ll be good to check back on the status of implementation and enforcement measure by this time next year.

Clueless at the Capitol

Lawmakers’ cringeworthy questioning of Facebook’s Mark Zuckerberg calls into question the government’s ability to regulate social media.

Saul Loeb/AFP/Getty Images
Facebook CEO Mark Zuckerberg on Capitol Hill, April 2018. (Saul Loeb/AFP/Getty Images)

With the testimony on Capitol Hill last week by Facebook CEO Mark Zuckerberg, there’s heightened concern about the negative side effects of social media platforms. But in listening to lawmakers questioning Zuckerberg, it became painfully obvious that our Federal legislators have next to no understanding of the role of advertising in social media – or even how social media works in its most basic form.

Younger staff members may have written the questions for their legislative bosses, but it was clear that the lawmakers were ill-equipped to handle Zuckerberg’s alternatively pat, platitudinous and evasive responses and to come back with meaningful follow-up questions.

Even the younger senators and congresspeople didn’t acquit themselves well.

It made me think of something else, too. The questioners – and nearly everyone else, it seems – are missing this fundamental point about social media:  Facebook and other social media platforms aren’t much different from old-fashioned print media, commercial radio and TV/cable in that that they all generate the vast bulk of their earnings from advertising.

It’s true that in addition to advertising revenues, print publications usually charge subscribers for paper copies of their publications. In the past, this was because 1) they could … but 2) also to help defray the cost of paper, ink, printing and physical distribution of their product to news outlets or directly to homes.

Commercial radio and TV haven’t had those costs, but neither did they have a practical way of charging their audiences for broadcasts – at least not until cable and satellite came along – and so they made their product available to their audiences at no charge.

The big difference between social media platforms and traditional media is that social platforms can do something that the marketers of old could only dream about: target their advertising based on personally identifiable demographics.

Think about it:  Not so many years ago, the only demographics available to marketers came from census publications, which by law cannot reveal any personally identifiable information.  Moreover, the U.S. census is taken only every ten years, so the data ages pretty quickly.

Beyond census information, advertisers using print media could rely on audit reports from ABC and BPA.  If it was a business-to-business publication, some demographic data was available based on subscriber-provided information (freely provided in exchange for receiving those magazines free of charge).  But in the case of consumer publications, the audit information wouldn’t give an advertiser anything beyond the number of copies printed and sold, and (sometimes) a geographic breakdown of where mail subscribers lived.

Advertisers using radio or TV media had to rely on researchers like Nielsen — but that research surveyed only a small sample of the audience.

What this meant was that the only way advertisers could “move the needle” in a market was to spend scads of cash on broadcasting their messages to the largest possible audience. As a connecting mechanism, this is hugely inefficient.

The value proposition that Zuckerberg’s Facebook and other social media platforms provide is the ability to connect advertisers with more people for less spend, due to these platforms’ abilities to use personally identifiable demographics for targeting the advertisements.

Want to find people who enjoy doing DIY projects but who live just in areas where your company has local distribution of your products? Through Facebook, you can narrow-cast your reach by targeting consumers involved with particular activities and interests in addition to geography, age, gender, or whatever other characteristics you might wish to use as filters.

That’s massively more efficient and effective than relying on something like median household income within a zip code or census tract. It also means that your message will be more targeted — and hence more relevant — to the people who see it.

All of this is immensely more efficient for advertisers, which is why social media advertising (in addition to search advertising on Google) has taken off while other forms of advertising have plateaued or declined.

But there’s a downside: Social media is being manipulated (“abused” might be the better term) by “black hats” – people who couldn’t do such things in the past using census information or Nielsen ratings or magazine audit statements.

Here’s another reality: Facebook and other social media platforms have been so fixated on their value proposition that they failed to conceive of — or plan for — the behavior inspired by the evil side of humanity or those who feel no guilt about taking advantage of security vulnerabilities for financial or political gain.

Facebook COO Sheryl Sandberg interviewed on the Today Show, April 2018.

Now that that reality has begun to sink in, it’ll be interesting to see how Mark Zuckerberg and Sheryl Sandberg of Facebook — not to mention other social media business leaders — respond to the threat.

They’ll need to do something — and it’ll have to be something more compelling than CEO Zuckerberg’s constant refrain at the Capitol Hill hearings (“I’ll have my team look into that.”) or COO Sandberg’s litany (“I’m glad you asked that question, because it’s an important one.”) on her parade of TV/cable interviews.  The share price of these companies’ stock will continue to pummeled until investors understand what changes are going to be made that will actually achieve concrete results.

Google’s Wi-Fi Data Collection Snafu

One of the news items that’s been bounding about the web and on the airwaves in recent days concerns an admission by Google that it “screwed up” by gathering private wireless data while taking pictures for its Street View mapping initiative.

The mishap came to light first in Australia, where Google was caught capturing 600 gigabytes worth of wi-fi data from personal and business wireless networks without owners’ permission. Google has since been accused of unauthorized interception of user personal data including e-mails, audio and video, which potentially could be linked to specific addresses.

Google insists that the personal data were “inadvertently” collected during the street sweeps by its large fleet of vehicles cruising cities in more than 30 countries.

[For those who are unfamiliar with Google’s Street View mapping tool, you can view an example here by vicariously sauntering down quaint, quiet Robinwood Avenue in Detroit’s North End – home of the late, lamented Marabel Chanin, the most famous inner city resident you’ve never heard of.]

Some observers may be content to take Google management at its word that personal data were “mistakenly” gathered during its street sweeps – despite the fact that this blunder was evidently repeated in Germany, Italy, France, Denmark, Austria, Ireland, Belgium, Spain, Switzerland and the Czech Republic … as well as here in the U.S. in states like Connecticut and Missouri.

Consumer Watchdog calls Google’s action “a flagrant intrusion into consumers’ privacy.” And the Connecticut and Missouri attorneys general are now weighing in as well with their own investigations.

Perhaps the biggest takeaway from this story is not whether Sergey Brin, Larry Page and the other honchos at Google might or might not have nefarious plans for the use of personal wi-fi data. It’s the realization that such information can be collected at all.

And the next time, it might not be by such a benign organization.

What’s the latest news in this juicy story? Google reports that it has deleted only the personal data it collected in Ireland, Denmark and Austria. For the time being, it’s holding onto the rest.