A GDPR Readiness Snapshot, Two Months Later

The European Union’s General Data Protection Regulation (GDPR) is almost two months old, and it seems that many companies are still not prepared to handle the challenges and questions raised by the new legislation. The situation is most challenging for adtech companies. Their business is often built on sharing user information on a wide scale through a complex network of partners, making it harder to meet GDPR requirements. The most difficult rule to adapt to is perhaps the need to receive users’ consent before using their information.

The GDPR exposes companies to fines of up to 4% of their global turnover—or 20 million euros, whichever is greater—in the case of serious breaches of its provisions. It, therefore, comes as no surprise that most businesses have adopted at least one strategic compliance plan. However, in many cases, such a plan does not necessarily involve being in full compliance with the GDPR. Below are the four types of companies I have identified, which have chosen a different path than adopting full GDPR compliance.

The Hands-Off Solution

One solution (at least for the short term) chosen by adtech companies is to simply stop collecting and handling personally identifiable information from users located in the European Union. This is an extremely painful solution for adtech companies because it means they are losing money. Publishers can charge much more for targeted advertisements. Not collecting user information seriously hurts these companies’ business model and puts them in an inferior position to that of their GDPR-ready competitors.

The White Knight Solution

A growing number of adtech companies are taking a different, and, in my opinion, much riskier approach, arguing that the collection of user information is justified under the “legitimate business purpose” principle set forth by the GDPR. According to this principle, it is OK to collect information even without securing consent assuming that in doing so a company is fulfilling a “legitimate business purpose.”

Fraud prevention is one such “legitimate purpose” cited by adtech companies. In some cases, marketing itself could be deemed a legitimate reason. Subject to additional limitations imposed by the GDPR, such an approach could work, for a while. It is important to remember that the GDPR is still new and that regulations might become more stringent moving forward.

The Collective Approach

Another solution that has become increasingly common is turning to “consent management tools.” These are technological solutions developed by various players in the adtech industry that invite companies to join forces with other vendors and together collect consents from users, sharing them with all parties involved. These technological solutions have yet to be tested or recognized by the regulators.

An additional concern regarding collective solutions is the potential conflict of interest of the parties who developed these solutions. They could potentially get access to sensitive information owned by the companies that are using their solutions. The bottom line is that although most collective solutions are free and easy to join, many companies are still apprehensive about joining one.

The Passive Approach

While researching this article, I have identified another group of adtech companies that seem to have decided to “deal” with the GDPR regulations by doing nothing at all. Among the reasons for taking no action at all are the hope that GDPR will simply not be enforced due to the unreasonable burden it places on the industry, that the regulators will only go after the big players, and that as time passes, concessions will be made with respect to some of the more stringent requirements of the GDPR.