Ready for the EU’s New Data Privacy Law?

Discussions will begin in the European parliament tomorrow on final edits to the General Data Protection Regulation (GDPR), which is expected to be passed on Thursday. Meanwhile, back in the States (and elsewhere), fully half of marketers remain clueless about GDPR and the effect it is likely to have on their digital efforts and their bottom lines.

Marketers surveyed by TRUSTe, a privacy compliance platform, split right down the middle as far as awareness of the bill in France, Germany, the U.S., and the U.K. Those that did know about the law—which will institute standard regulations across all 28 EU states—were most fearful of the possibility of draconian penalties.

Four in 10 said they were in trepidation of fines that, at this writing, were still up for discussion. The numbers most commonly mentioned are maximum penalties of $150 million or 2-5% of “worldwide turnover.” No one seemed to know exactly what the EU meant by “turnover,” but TRUSTe speculated that if it meant revenues, Facebook could be facing fines of as much as $250 million. Eleanor Treharne-Jones, director of EMEA and global communications at TRUSTe, told Direct Marketing News today she’d heard the maximum could be as little as $1 million. “We have to wait and see what they come up with later this week,” she said.

GDPR is meant to protect consumers, so marketers might find its stringent privacy requirements more troublesome than its monetary penalties. Tracking and analyzing Web behavior could prove difficult when “the right to be forgotten”—one of the law’s key tenets—takes effect. This concept holds that consumers can ask that marketers delete their data after each engagement unless they have legitimate or legal grounds to keep it.

GDPR favors opt-in permissioning from consumers in all cases and allows them easier access to the data that companies hold on them, as well as the right to transfer it from one service provider to another. The law also includes a requirement that companies issue notifications of serious data breaches within 24 hours of discovering them, when feasible.

Still to be decided in the final wording of the law is the definition of a minor. Originally, GDPR called for children 13 and under to get permission from their parents to share data on certain sites. But just last week, according to The Telegraph, some members of parliament were working to push the minimum age for free access to 16.

Marketers are joined by Homeland Security officials in their concern about the EU legislation. Last week, U.S. Attorney General Loretta Lynch expressed concern, saying that GDPR does not take into account “the critical need for information sharing to fight terrorism and transnational crime.”
