How GDPR, Privacy Rules Divert Path of Social Marketing


TL;DR: The Cambridge Analytica scandal and the rollout of the GDPR in the European Union are just two events that demonstrate the importance of privacy regulation as users value how their personal data is used by brands and platforms. With new laws emerging, we’re speeding toward the crux of a data ownership battle between businesses and consumers.

Editor's note: As a disclaimer, Sparkloft cannot provide official legal advice. This post is merely educational.

Social media is getting serious. In the past few months, the headlines around the Cambridge Analytica scandal plus the rollout of the European Union General Data Protection Regulation (GDPR) have rocked the industry. Although the two are not directly related, they each demonstrate the importance of privacy regulation as users value how their personal data is used by brands and platforms.

These two events forced change in how marketers, like ourselves, reach audiences. The words “rights” and “safety” are now a part of our content planning conversations.


Just in case the “New Privacy Policy” emails that filled your inbox are the only indication you’ve had of the shift in marketing mindset, we’ll start small.

So what is the GDPR?

The main facets of the new GDPR guidelines include:

  • A broader definition of personal data: This includes IP addresses and cookie identifiers as well as the right to access personal data and inquire where and for what purpose it is being used (Right to Be Informed) (Right to Data Portability).
  • Higher standards for establishing valid consent: GDPR stipulates that consent must be, “freely given, specific, informed, and unambiguous,” and furthermore, EU citizens can now request that their data be erased at any time if they choose to withdraw their consent (Right to Be Forgotten).
  • New concepts of profiling and automated decision making: This gives users the right to object to the processing of their personal data based on either of these two concepts (Right to Object).

What can I do to stay prepared and compliant?

First, conduct an audit to review existing data: what data you have, how it was obtained and what you are doing with it. Make sure you create processes for ongoing updates to all lists and audiences, ensuring that all opt-out users are removed in a timely manner. Review and update your website cookie policy. Outline how and why you are tracking data and asking all users to opt in.

Next, be safe. Avoid the transfer of personal data to vendors, offices, tools, etc., internationally. This means transferring or accepting the transfer of data and assets from your international offices.

Finally, be transparent. Your customers, influencers, partners and stakeholders are more likely to trust you if you are open and honest about your data processes.

What about Facebook?

Facebook has been swift to act, making changes that will impact the way marketers collect and use social data on the platform. Here’s how these changes may impact businesses:

  • Brands, not Facebook, are considered the data controllers and are responsible for ensuring data compliance before leveraging their audience lists in ad targeting. If you’re using Facebook audiences, ongoing updates will be required to ensure that all opt-out users are removed from custom and lookalike lists.
  • Any business that installs a Facebook Pixel to measure ad conversions or retarget customers must ensure website compliance. Pixels are one of the platform’s most widely recommended tracking tools, and Facebook recommends creating banners that capture explicit consent. More on Facebook’s compliance recommendations here.

So what’s next?

The GDPR hasn't been in effect for a full week, and we’re already seeing buzz of a new privacy law emerging in California and new European legislation that could further limit data-driven online services and cost European business more than $550 billion: the ePrivacy Regulation.

The ePrivacy Regulation is a pending European privacy law that would create stricter guidelines for electronic communications companies. In essence, it would require sites and apps like WhatsApp, Skype, iMessage and more to collect permission from users before collecting data about their communications or placing any tracking on their devices.

Facebook, Google, IBM and Microsoft are just a few of the giants lobbying against it, but supporters say this is a necessary step for people to take back their personal data. The law is currently under review by the Council of the European Union, which must reach an internal consensus before moving forward.

In California, the California Consumer Privacy Act aims to place privacy regulations on companies in the state, but would undoubtedly have an enormous impact nationwide. The law, similar to the GDPR, would give users rights to their data, requiring companies to disclose what data is being collected. It would also prevent that data from being sold, and it would give users the ability to sue companies that don't follow the rules. The proposed law has already garnered over 600,000 signatures and is expected to go to a vote in November.

But wait, there’s more! Vermont also recently passed the country’s first law to place regulations on data brokers.

Everywhere we look, it’s becoming increasingly clear that establishing GDPR compliance will be just the first step toward the new normal for anyone or any brand using personal data.

Our take? Stay informed. As digital speeds toward the crux of an ownership battle between big businesses and their consumers, we’ll be watching closely, staying as up to date as possible on emerging regulations and technologies. Hang with us.

Gio Palatucci contributed to this research.
