GDPR and Its Impact on Digital Marketing: What We Think We Know
By Leora Halpern Lanz President, LHL Communications | July 2018
This article was co-authored by Elise Borkan
Co-authored by Elise Borkan, Boston University School of Hospitality Administration
In short, GDPR is defined by the EU's Data Protection Agency and "regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU" (European Commission). As a result of increasingly concerning practices and determination to protect data, regulations in the European Union have pushed these concerns directly to the surface. A new world of GDPR compliance is now upon us. It is here and we must pay careful attention in order to prevent an infliction of hefty financial penalties or perhaps even damaging negative word of mouth.
Businesses are already faced with the ramifications of GDPR since its recent implementation. Facebook had already been very publicly subjected to questioning by the U.S. Congress and foreign governments to instill a new paradigm of protection of users' private information. Additionally, in our hospitality landscape, several of the large global hotel brands had already been victim to data breaches on a grand scale (Hyatt 2017, Hilton 2017, IHG 2016). The issue of personal data and privacy protection has been rampant and now marketers have to be even more in tuned to potential consequences.
As GDPR impacts all industries globally, hospitality companies must become hyper-aware of their digital marketing practices and management of customer personal data in order to comply with the EU's regulations. While GDPR pertains to various disciplines for a company's collection of data (such as HR needs) marketers, particularly digital marketers must note real issues as it pertains to the following areas:
- While GDPR is a law that protects European citizens, "every entity that holds or uses European personal data whether they operate inside or outside of Europe" is subjected to the regulations of GDPR and is responsible for complying (eugdprcompliant.com). Businesses that have yet to update privacy policies and require their customers and subscribers to actively consent to the continuation of data sharing can face hefty fines. There are two tiers of fines imposed by the EU, and they vary depending on the severity of the GDPR violation. Tier One includes a fine of 2% of a company's annual turnover, or 10 million euros, whichever is higher. If a company cannot prove adequate security practices or does not have an established data processor agreement, a Tier One fine can be filed against that company. Tier Two is even more severe, with a fine of 4% of the company's annual turnover, or 20 million euros, whichever is higher. In situations where data subjects' rights have been infringed upon or breaches of main processing principles have occurred, companies can face a Tier Two fine (eugdprcompliant.com).
- Removal of the Automated Decision Making Digital Marketing Ability: Ad targeting is a crucial component of a digital marketing campaign. With GDPR, the manner in which marketers can target ads is significantly impacted. One component of GDPR is the ban on automated decision making: a targeted marketing decision cannot be made by automated means alone; it now requires the need for human involvement. As a result, companies and websites can no longer target ads by drawing assumptions based off of individual's personal data. The term "personal data" encompasses much more than an individual's age, gender, or geographic location. Categories such as social media accounts, workplace or school, phone number, and in some cases, IP addresses, are classified as personal data and are protected under GDPR (eugdprcompliant.com).
- Prior to the implementation of GDPR, digital marketers could use personal data to successfully display relevant ads to customers whose profile classified them as likely interested in a product or service. Today, GDPR's requirement of meaningful and explicit consent for data sharing is changing the game for ad targeting. Now that automated decision making is regulated by GDPR and individuals have the ability to opt out of data sharing, digital marketers will have to create new ways to reach their desired markets.
- Out with Behavioral Profiling. In with Contextual Marketing. As we know, a substantial implication of GDPR is the ability for an individual to deny companies the ability to access and use their personal data. EU citizens have the right, through GDPR, to keep their personal data protected. For digital marketers, a decrease in the volume of a customer's "stats" and information can be crippling. This allows for behavioral profiling, a strategy that collects data points and forms profiles of desired customers or target markets for a business. Because endless numbers of potential customers can deny access to personal information, marketers will have to look to methods other than behavioral profiling to assist with their marketing efforts.
- In the May 21, 2018 online edition of the Harvard Business Review, author Dipayan Ghosh explains that "contextual" advertising is the solution to eliminate behavioral profiling. Contextual marketing "displays ads based on the content that a consumer is viewing in real-time." In other words, ads are placed when the context of the ad matches the content of the webpage that an individual is browsing, rather than placing an ad based on how a consumer's personal data matches a behavioral profile. GDPR's introduction of the right of an EU citizen to protect their personal data means that digital marketers will have to be less reliant on behavioral profiling, and instead more comfortable with content-driven targeting methods.
As the rollout of GDPR continues, global hospitality brands (and smaller companies with European citizens in their database) and digital marketing professionals must proceed and carefully navigate the uncertain path ahead. As previously indicated, on May 26th, the day after GDPR went into effect, Google, as well as Facebook and its subsidiaries Whatsapp and Instagram, immediately faced lawsuits for their failure to comply with GDPR. Max Schrems, an Australian lawyer and advocate for data privacy, led the charge of lawsuits against these major companies.
In a statement published on TechCrunch on May 25, 2018, Schrems spoke out against Facebook's method of obtaining user consent, claiming that it is "not a free choice." Individuals who do not select the "Agree" button for Facebook's terms of service and privacy policies have no other choice but to delete their account or find it blocked by the company. GDPR states that companies cannot force users into consent, and Schrems is set out to prove that Facebook and its subsidiaries are not abiding by this regulation. The immediate lawsuits against these companies following the first official day of GDPR demonstrates the significance of the issue.