It’s been a year since the General Data Protection Regulation (GDPR) went into effect, which promised to crack down on internet privacy issues facing EU consumers. The landmark legislation made headlines for not only broadening the definition of “personal information” to include a user’s cookies, but for the crippling fines that would hit non-compliers.
Failure to meet GDPR standards would result in a penalty of up to 4% of a company's global turnover or €20 million (whichever is greater), or the greater of 2% of global turnover or €10 million for less significant infractions.
Predictably, businesses panicked. Modern advertising is built on harvesting personal information like cookies, so tight restrictions on a broad range of personal information could cost some companies greatly — maybe even end a few. But looking back, have they really?
The Apocalypse That Never Came with GDPR Compliance
As GDPR was set to launch, some marketers took to blogs to pronounce personalization, as we know it, dead. According to some, there was no longer a simple and scalable way to harvest consumer information. Therefore, effective one-to-one personalization was no longer possible.
A year later, though, things don't seem to have changed very much, despite warnings of strict fines for violators. According to an April study from PossibleNow, only 27% of US companies are GDPR compliant.
Taking into account how penalties for non-compliance have actually been enforced, it's easy to see why no one's in a hurry to overhaul their privacy practices. According to an infographic from the EU Commission, 95,180 privacy complaints were made in the eight months after GDPR went into effect:
Additionally, over 41,000 data breach notifications were issued to national DPAs:
However, the same infographic indicates that only 3 penalties were enforced in that time: one for €20,000 to a social network operator for failing to secure user data, another for €5,280 to a sports betting cafe for unlawful video surveillance, and the most publicized: one for €50,000,000 to Google for lacking consent in advertising:
In total, these fines amount to €50,025,280. But when you consider 90% of that went to Google, for whom 50,000,000 is pocket change, it’s hard to believe penalties will hit hard even when they are enforced. Mostly, they’ve been small and infrequent.
For now, it seems many are getting away with noncompliance. But, even if it’s small…
Is Non-compliance Worth the Risk?
Penalties are hardly enforced and when they are, they’re minimal. Knowing this, you might make the mistake of thinking GDPR isn’t worth complying with. Well, it is. Here’s why:
First, the fines are about to increase in number. In fact, they may already be higher than we think. Independent research from DLA Piper claims that in the last year, not three fines, but closer to 100 were enforced (91 to be exact). While that’s still low compared to the number of complaints and breaches, it’s much higher than the earlier infographic claims.
Part of the reason penalties haven't been maximally enforced is that this has been what CNIL's Mathias Moulin calls "a transition year" for GDPR. Businesses aren't the only ones having to adjust to the new privacy regulations; governing bodies have kinks to work out when it comes to enforcing them, too.
“Regulators are stretched and have a large backlog of breaches in their inboxes,” say researchers from DLA Piper. “Inevitably the larger headline-grabbing breaches have taken priority when allocating resources, so many organizations are still waiting to hear from regulators whether any action will be taken against them in relation to the breaches they have notified.”
These self-reported breaches are increasing as well. Last year, roughly 18,000 to 20,000 were reported by businesses with compromised data. This year, that number is expected to double to around 36,000.
Second, what’s more concerning for non-compliers is that GDPR is only the first step to a more privacy-regulated internet. China, Japan, India, Brazil, New Zealand, and parts of the US are already pushing similar legislation.
Both India’s Personal Data Protection Bill of 2018, and Brazil’s General Data Protection Law (LGPD) are modeled after GDPR. In the US, the California Consumer Privacy Act became the first to create rules surrounding personal information, giving residents the right to determine what about themselves they want collected, sold, or offered to third parties.
Third, it’s not just government that’s putting privacy first. Recent news indicates the private sector is onboard, too. Google just updated its Chrome browser to give users better privacy controls, and Microsoft has done the same with Edge.
The web is trending toward a more private and regulated place for consumers. And businesses would be wise to respect that, since this is only the first year of the first legislation of GDPR’s scope. More penalties are to come, as are more laws and user controls. If one fine didn’t scare you, consider one each from the countries writing their own version of GDPR now.
Ultimately, for most businesses, preparing is in their best interest, and it’s really not so hard. We’ve all become painfully aware of cookie bars like this one in the last year:
With our own cookie opt-in, we've found that people are willing to give up just as much as before, as long as we offer the choice to consent and make it easy to opt in. Around 90% of people who visit Instapage consent to retargeting.
What's more, cookies aren't the be-all and end-all of advertising. Instapage, for example, doesn't require cookies to run, but relies on the ad platform to pass information through to our post-click platform, thereby matching pre- and post-click targeting perfectly.
For most, the chaotic blog posts about GDPR have been much ado about nothing. If you were acting in good faith toward consumers, the regulation has been hardly limiting. At the same time, it’s only the beginning. Prepare for privacy, because that’s where the web is headed, and there’s no dispute about that.