The General Data Protection Regulation or GDPR (Regulation (EU) 2016/679) was created by lawmakers in the European Union (EU) as a means of strengthening privacy protection and upholding the rights to personal information of consumers in the European continent.
There’s a lot of speculation – and a fair amount of scrambling to get things put in place – as the May 25th, 2018 deadline approaches for the new EU privacy regime to come into effect.
Much of that speculation concerns the hefty penalties prescribed for serious failures to meet compliance demands – up to 4% of annual business revenues globally, or €20 million (about $25 million), whichever is greater – for the worst offenders.
Some argue that the enforcement arm of GDPR won’t be quite so strict, while others fear that a high-profile compliance breach (with its attendant bad publicity and hefty fines) could kill off smaller businesses.
And there’s another school of thought which argues that, far from improving the fortunes of internet-based enterprises in the European market, the changes that GDPR will force on website protocols and visitor browsing practices will create an environment in which the only winners will be large American tech companies, having the resources and financial clout to allow for all of the new privacy regime’s conditions.
Web of Consent
On the internet, the General Data Protection Regulation will require tech companies, website operators, and anyone involved in gathering or processing online information from citizens or residents of EU nations to get “affirmative consent” from any user before information may be collected.
This consent has to be explicitly asked for – in clear, plain language terms setting out what is being collected, what it will be used for, and why. Existing options such as assuming that a website visitor consents to having their information gathered unless they specifically opt out (e.g. by unchecking a box buried deep in a pile of impossible to understand Terms and Conditions) will no longer cut it, with the EU authorities.
EU internet users may also withdraw their consent to have their information used, at any time – and website owners must be prepared to take the necessary steps laid out by the GDPR for deleting customer data when such a request is received.
Writing new code for web pages, apps, and portals to bring online resources into line with these condition has been just one of the tasks set for small and large tech companies, alike.
The Way the Cookie Crumbles?
In addition to the GDPR, a new ePrivacy law comes into effect governing the use of tracking cookies. This too concerns all users based in Europe and applies to businesses in any location that operates in Europe in any capacity. This law requires tech companies to get affirmative consent from consumers for every cookie that they use, every time they use them.
So any business operating a website must be prepared to generate a separate consent form for each cookie they place in a visitor’s browser or internet cache. Visitors will have to click to give their permission on each form, before being allowed the prescribed access to whatever resource the cookie is being placed for.
The law also stipulates that websites cannot deny visitors access to at least some resources, even if they refuse to accept cookies. So each site will have to have a separate “freebie” stream of resources and content, designed to cater for users who withhold their consent.
On large sites such as magazines or news pages, cookies are routinely used to record visitor activity for targeted advertising, and the like. And there may easily be ten or more such cookies deposited by different agencies, for every visit. That’s a lot of consent forms, and a lot of time potentially involved in working through them.
The Nightmare Web of Europe
With the new culture of consent enforced by GDPR and its related laws, some analysts are predicting that the internet/web experience in Europe will become a total nightmare, transforming the web into an endless series of “click to consent” forms.
Again, simply designing and putting all these elements in place will put a strain on the resources of smaller enterprises, giving the advantage to the bigger players in the technology sector.
In addition, the increase in time and effort required on the part of the consumer in supplying all of that consent works in favor of larger companies, which already have a customer base that’s familiar with the type of content or resources they have to offer, and will therefore be more willing to invest the consent time required to stick with what they know.
The Big Tech Advantage
GDPR already contains some concessions to (mostly large) companies that have an established relationship with their users. Firms like Amazon, Apple, Facebook, and Google which require their consumers to log into their services already have the infrastructure in place to streamline the consent-giving process – perhaps as an integral part of signing in. They can thus steal a jump on other (smaller) organizations that would have to design and implement these mechanisms from scratch.
And having an existing and loyal user base gives these large American tech companies the edge over smaller competition, in that their offerings are already familiar to huge numbers of users. Companies with limited exposure or those having to rely on third-party agencies for targeting data may have trouble in both attracting new users, and gaining their required consent.
The Downside for Big Tech
But GDPR will by no means be a free ride, for the American tech giants. There will inevitably be some negative impact on them, as all their European users will have to negotiate the consent minefield to gain access. This could result in falling subscriber populations, reduced numbers of visits, or dramatic shifts in the permissions allowed by their existing customers.
And companies like Facebook which allow advertisers to target their users even when they’re outside the platform may see some falls in revenue and engagement, as their partner companies struggle to re-register users with consent and data permissions in line with the new rules.
But overall, the superior finances, IT resources, legal clout, market experience, and customer bases of the large American tech companies will place them in a better position than their smaller rivals – and even the locally-based European players – under the new privacy regime of GDPR.
Share this Post