Unlike most newborns, the GDPR came into effect 12 months ago bearing a sharp and fully-developed set of teeth. Fines of up to €20m ($22m USD) or 4% of global annual turnover suggested the EU wasn’t messing around when it came to data protection, and many privacy champions salivated at the prospect of the Googles and Facebooks of the world being hit with multi-billion dollar fines.
So, one year later, what has actually happened?
Although the anticipated headline fines haven’t taken place, there has been plenty of action from local regulators enforcing GDPR’s principles. Most notably, the French regulator CNIL imposed a €50m fine ($56m USD) on Google in January for making it difficult for users to take control of their data.
That was the most significant penalty we’ve witnessed so far, but there have been others.
Authorities in Germany, Poland, Denmark, Austria and Portugal have all announced fines for organizations determined to have violated the regulation. There have also been thousands of complaints issued to bodies across Europe, forcing review panels on to the defense.
Although some may view GDPR’s impact as being relatively light in terms of fines and case law so far (and increasingly heavy from a bureaucratic perspective), the more immediate effect of the regulation has been to initiate privacy discussions and actions around the wider world.
In the US, the California Consumer Privacy Act comes into effect from January 1, 2020, with principles largely based on and influenced by GDPR. Though only applicable at a state level, many fellow states are watching acutely with a view to drafting their own subsequent versions. It may follow that a federal data law is drafted with the newly-formed coalition of trade body Privacy for America advocating for national legislation that would curb data collection and its use by advertisers there.
Meanwhile, Australia and Brazil have both updated or initiated their own data protection laws in the wake of Europe’s example, too.
Yet, these regional versions of the regulation are only small, local pieces of a global legislative puzzle wthat is arguably leading to a ‘Balkanization’ of the web. With disparate local authorities struggling to harmonize data laws, global internet companies operating across borders will find it increasingly difficult to function properly and offer the services users around the world have enjoyed accessing for so long.
Perhaps the most important consequence since GDPR came into effect has been its influence on some of these companies themselves. In being forced to take data privacy seriously and create solutions that are sensitive to this requirement while still allowing them to function globally, we’re beginning to witness a new frontier in the development of the web.
Apple’s ITP updates have already sounded a warning shot for the wider ad tech industry around the use of unnecessary consumer data and tracking. Combined with Google’s recent announcement that it plans to make its Chrome browser far more robust in terms of allowing third-party cookies and fingerprinting and Microsoft’s update that the new Chromium-based Edge browser will give users better control over their privacy settings, GDPR’s principles are clearly being heeded.
A year in, ‘privacy by design’ is increasingly becoming a fundamental tenet of how internet companies plan to operate in the long-term.
Happy Birthday GDPR.
GDPR and its likely effects upon the affiliate and digital industry was just one of the issues we discussed with our legal counsels in Italy, the UK and the US in this year’s Awin Report. Read more on their insights and opinions here.