This article was originally published on CFO.com.

The EU’s new General Data Protection Regulation will force companies to change how they handle consumers’ online data.

Figuring out who owns or can work with the “information exhaust” of an individual consumer’s online activity has always been something of a challenge. On the one hand, there are many opportunities to look for patterns in this data and make helpful suggestions or predict future actions and position to create a commercial advantage. On the other hand, it’s easy to deliberately or inadvertently go beyond what’s generally considered to be acceptable (if that’s even defined in any useful way) behavior and trespass on an individual’s personal and economic footprint — in other words, to invade their privacy.

The more we move everyday life online, the more urgent it becomes to establish some workable ground rules. Today’s convention of opting consumers in unless they explicitly opt out (and who reads all that fine print anyway) is common in the United States and some other jurisdictions. But it isn’t really working as well as it should.

“Do not track” functions and ad blockers can help, but are often turned off by default and can be confusing to use effectively. The ability to securely manage all the data that’s being collected continues to be an issue. We clearly need everyone involved (including the consumer) to get this under control before it gets out of control.

To make matters worse, there is probably $80 billion or more of online advertising spend and additional, uncounted, billions of data collection and predictive analytics services revenues tied up in these un- or under-regulated processes.

In the European Union, all that’s about to change. After several decades of un-harmonized national policies and laws, the European Union has agreed to a common “framework” – the General Data Protection Regulation, or GDPR. This framework for consumer data privacy is supposed to be implemented by all member states (assuming it gets ratified by the member states – likely but not guaranteed) by 2018.

Under this framework, member states can still add local rules, but they must implement a set of common regulations founded on the principles originally enshrined in EU Directive 94/46/EC. That directive, as a directive, provided guidance only; the regulation, which must be implemented, is intended to strengthen and effectively replace it:

  • Notice: Subjects whose data is being collected should be given notice of such collection.
  • Purpose: Data collected should be used only for stated purpose(s) and for no other purposes.
  • Consent: Personal data should not be disclosed or shared with third parties without consent from its subject(s).
  • Security: Once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
  • Disclosure: Subjects whose personal data are being collected should be informed as to the party or parties collecting such data.
  • Access: Subjects should be granted access to their personal data and allowed to correct any inaccuracies.
  • Accountability: Subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

Member countries were free to interpret these principles as they saw fit, resulting in a confusing mixture of national rules that sometimes conflicted with each other. The new regulation harmonizes implementation of the principles and extends them in some important ways:

  • Consumers must be notified of what data are being collected as a byproduct of a transaction (both in advance of the transaction — while browsing, for example — and as the transaction is executed), and must be able to opt out of anything not explicitly required to complete the transaction. Even necessary data must be erasable (“forgotten”) once the transaction is completed, if the consumer requests this and unless doing so would impede the delivery of contracted warranty or support services.
  • All use of collected data for any purpose beyond the original transaction requires the consumer to explicitly opt in to each such proposed use. Blanket opt-in will not be allowed, and consumers can change their minds at any time and opt out of a use they previously approved.
  • Companies can be audited by the EU and failure to follow the rules exposes companies to significant penalties, up to 4% of annual revenue for each breach of the rules.
  • Intermediaries (data collectors and data analyzers who sell analytic services to others) will be equally liable – essentially forcing them to police use of their products and services.

These rules are going to fundamentally change things for many businesses. It’s an improvement to have a single set of rules across all 27 member states and 320 million consumers (saving EU businesses several billion euros a year in compliance costs). But a lot of information-based businesses will have to figure out how to make the principles real in their online interactions, and in fact all interactions (paper records count too), with their customers. They will have to do so without annoying those same customers with additional burdens of effort or time. Every loyalty program, cumulative discount or cash-back program, and consumer activity database will be affected.

Data collectors will have to design mechanisms to allow consumers to access, verify, and correct their own data. I lived this challenge as chief technology officer at TransUnion, and it’s a major headache. Even if every consumer were an honest citizen with no malice of thought or intent, data get corrupted in many ways that may be hard to correct; there is seldom a single source of truth to consult. In the real world, even otherwise honest consumers encounter data they don’t like and would rather have erased or changed to look “better.” Data collectors will also have to nominate a Data Protection Officer to oversee their data privacy processes and protections. No easy answers here, and maybe no practical answers are possible.

The regulation also applies to information related to EU citizens whether or not they (or their transaction) are located in the EU. It would also apply to non-EU citizens transacting while in the EU. How the actual jurisdiction gets applied and managed isn’t clear, but it’s certainly going to get complicated — potentially requiring the collection of more data that would have to be regulated and then erased. Ugh.

The regulation might be modified before it’s approved as business lobbies push back. Or it may go forward as proposed and become a template for use everywhere, including here in the United States. Time to start thinking about potential impacts and strategies to address them.

About the Author
John Parkinson

John Parkinson is an Affiliate Partner at Waterstone. John brings extensive experience to the topics of technology strategy, architecture and execution having served in both senior operating and advisory roles.