GDPR and the death of third-party data

Jason Rose from Gigya explains why GDPR will impact data brokers’ business model and marketers’ practices

This is a contributed piece by Jason Rose, senior vice president of marketing at Gigya

G-D-P-R, could spell doom if you run marketing programs built on third-party data.

The European Union’s General Data Protection Regulation, commonly known as GDPR, takes effect on May 25, 2018, and it will likely cause the death of third-party data. Not right away and not without a fight from the data brokers who make a living by scooping up vast amounts of information on consumers, but the writing is on the wall.

Let me explain. GDPR, love it or hate it, is the EU’s attempt to put consumers back in control of their online data and compel businesses to keep that data safe from hackers. One of the most important aspects of GDPR is a radical revision of what constitutes personal data and how to obtain consent for its use. Organisations must obtain verifiable consent from EU residents that is explicit, informed and freely given.

Under GDPR, consumers must be presented clearly understandable terms for each instance in which their personal data will be used, with no pre-checked boxes and no requirement to accept those terms to access the business’s product or service. This also means no more obscure 50-page terms of service agreements that we all accept with a single click and never read.

Consumers will now be asked to check a box that says, in effect, “We intend to sell your information to data brokers, allowing other companies to send you unsolicited offers and track your online movements.” How many will accept, given they have no obligation to do so? My prediction is zero.

What’s more, GDPR has no “grandfather” provision allowing the use of third-party data collected without GDPR-level consent before May 2018. The result: Existing third-party data in the EU is gone, and no new data will flow to data brokers as a replacement.

It’s important to understand GDPR doesn’t just apply to organisations in Europe. Any organisation, anywhere in the world, collecting personal information from EU residents must comply. Deadbeats beware – EU regulators have set fines that can reach 4% of global revenue or 20 million Euros (about US$22 million), whichever is greater, and have made it clear they intend to go after high-profile targets as way of scaring everyone into line.

Other countries are also considering GDPR-like regulations, so the pressure will only increase over time.

The big data brokers such as Acxiom, Experian and Epsilon Abacus are aware of the threat. In its most recent annual report, issued in May 2016, Acxiom said: “Between now and the time that the GDPR becomes effective, we may need to modify our platform or our business to comply with new requirements contained in the GDPR or to address client concerns relating to the GDPR, and any such measures may result in costs and expenses, and any failure to achieve required data protection standards may result in lawsuits, regulatory fines, or other actions or liability, all of which may harm our operating results.” Translated from lawyer-speak: GDPR could put a big dent in Acxiom’s business.

Yet all hope is not lost. Digital marketers have a year to wean themselves from third-party data and refocus on engaging directly with their audience to obtain first-party data. GDPR, rather than a disaster, could ultimately be the turning point that pushes brands to do the right thing by offering privacy policies that are easily understood and are accompanied by easily accessible controls that put customers in charge of how their data is used. This might not be the easiest path, but it’s the best way to build committed and long-lasting customer relationships.


Also read:
What we know, and don’t know, about GDPR
GDPR may leave some burned
From insular US firms to spammy marketers: Who will GDPR hit the hardest?