The new costs of doing business in the EU post-GDPR
It’s a crazy old time for doing business in the EU right now. Following deliberated speculation over a controversial overhaul of European copyright law, last week the EU Parliament voted against the Copyright Directive – a proposed law that would’ve had a huge global impact on the internet.
The reported aim of the directive, which was praised by the creative industry but lambasted by social media companies and advocates of free speech, was to force major online companies (like Google and Facebook) to share revenues with copyright holders and to regulate their sites more heavily than they already are in the post-GDPR era.
The link tax
“Two of its key components are Article 11, dubbed the ‘link tax’, which forces news aggregation and search sites to pay publishers for showing news snippets or linking to news stories on other sites,” noted The Hollywood Reporter, “and Article 13, which mandates upload filters for online platforms to prevent copyright-protected material from being illegally posted.”
Had the law have been passed, the outcome would’ve been similar to how YouTube attempts to find and block copyrighted material from being posted on its site, except it would be carried out across all types of content – text, images, and software. Meanwhile, the so-called link tax would mean online services would have to pay news publications for using their content. “The rules are widely seen as a way to force services like Facebook and Twitter that show short snippets or other previews of news stories to pay a fee to publishers,” outlined Wired.
This was praised by creatives, including organizations representing directors and screenwriters, who lobbied hard for the law’s passing. As such, many have expressed disappointment over the EU deciding against the directive earlier this month, including The Society of Audiovisual Authors, which said it undermines months of work and negotiations and sends “a strange signal about Europe’s ability to define a favorable legal framework for authors’ rights in the digital era.”
The GDPR and the race to comply
However, many companies across the EU and the globe breathed a sigh of relief at the news, as they’re already racing to comply with a new set of privacy rules sweeping the industry. This new set of rules of course refers to the recently introduced General Data Protection Regulation (GDPR) that took effect on May 25. You know that cookies consent box that pops up every time you hit up your fave website? That’s a result of the GDPR, which means consent to marketing is no longer just preferable; it’s an imperative.
The compliance to these rules changes everything, not just for email marketing companies, but for any channel that makes use of personal customer data: retargeted advertising; telemarketing, paid search campaigns, and personalized web experiences. But, as Digiday pointed out, for ad tech companies that aren’t known consumer brands, it’s proving to be a tough cookie.
“They must get consent to use data sourced from publishers and advertisers in order to keep running their ad services — a tough thing to do without a direct relationship with users. That’s why, in many cases, publishers are being looked to as the vehicle to help obtain consumer consent on behalf of those in their digital ad supply chains, whether they like it or not.”
The real cost of doing business in the EU
The penalties for non-compliance are so significant, it’s imperative companies understand the terms of the new rules and are prepared to meet the requirements. The EU enforces two levels of fines based on the GDPR: The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year; the second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year.
As a result of the tricky terms of the GDPR and the devastating consequences they might face if they are unable to meet the requirements, numerous US-based ad tech firms, including cross-device targeter Drawbridge and location data firm Verve, retracted their European operations in the runup to the GDPR enforcement.
Of course, the GDPR isn’t the only reason companies are choosing to wind down their EU-based business arms and there are long-term benefits to its implementation, particularly with regards to branding and customer trust. As Digiday put it, with the case of companies such as Drawbridge and Verve, growing a US ad tech business in Europe is tough and riddled with uncertainty, and it’s the same story with many business looking to carry out their dealings in the continent.
“There are all sorts of reasons why a business may want to retrench and refocus on their core business: Sometimes, it is a case of just having overstretched, missing numbers, making poor decisions, or it could simply be a matter of bad timing,” said an ad tech executive. “But it would be lazy to just pin everything on the GDPR, and use it as a scapegoat.”
Maybe all US businesses should stay put?
As companies scramble to comply with the GDPR terms and conditions and the EU continues to ponder further copyright laws and privacy models, it’s needless to say doing business in Europe is looking very unattractive right now. However, the Facebook–Cambridge Analytica data scandal, involving the collection of personally identifiable information of 87 million Facebook users, shone the spotlight on the topic of consumer privacy on a global scale. This has had such an effect that the US – after lambasting the European bureaucratic law processes – is now considering implementing a GDPR of its very own.
So while the EU version is considered a costly and burdensome privacy regulation for American firms carrying out business in Europe, and many have sought ways to get around the law to avoid having to deal with compliance, California introduced a GDPR-style law just two weeks ago.
According to Network World, California Governor Jerry Brown signed into law AB375 – the California Consumer Privacy Act of 2018 – which is basically the Californian equivalent of GDPR that echoes the EU law in many ways. “The law will give the state’s 40 million residents the right to view the data that companies hold on them, make corrections to it, and request that it be deleted and not sold to third parties,” and this will apply to companies that do business in California and that hold data on 50,000 people or more.
As this example shows, by exiting Europe, businesses will not escape the effect of the GDPR. Data protection is an issue that is being highlighted globally and, as outlined by senior product manager of digital governance for Crownpeak, Gabe Morazan, “The GDPR will therefore become a de facto global privacy standard; Canada and California have both introduced similar regulations, and Apple has already announced plans to roll out its GDPR compliance solution worldwide.”
The reasons companies are exiting Europe are far more wide-reaching than the GDPR, but that’s not to say it’s not putting off many US-based businesses. An anonymous tech executive told Digiday: “US investors are nervous, and they may be seeing these choppy waters and thinking this is too hard, but it will likely be based on more than the GDPR.” So while the GDPR has proved a struggle for some businesses to comply with, it will take more than implementing new privacy rules to push a company out of the EU. And as we’ve already explored, North America is on its way to its own compliance solutions. Now it’s up to businesses to catch up or fall by the wayside.