Yesterday, in Brussels, the European Parliament and the Council finally reached an agreement with the European Commission to implement new rules. They include the introduction of the General Data Protection Regulation and changes to the Data Protection Directive.
The verdict was that 90% of Europeans want the same data protection rights across the board, regardless of where their data is processed, which will result in an end to the existing patchwork of data protection laws.
First and foremost: marketers shouldn’t panic. There are two more votes on the wording between now and early January, and assuming it passes both votes, the member states will have two years to implement the changes. So it looks like the changes will come into effect in late 2017 or early 2018. Secondly, these changes are really quite a good compromise. They meet the needs of both European citizens, 70% of whom are concerned about how businesses use their data, and the business community, which relies on marketing to generate sales.
The first result for the industry is that direct marketing has been defined as a legitimate interest. This means that it will continue to operate under an opt-out regime, but of course this can be changed for specific channels like email which will remain opt-in. Similarly, the text refers to “unambiguous” consent rather than the stricter “explicit” consent – another positive move. Again, we will have to see how this plays out for specific channels, but this shows a willingness to work with the marketing industry. All consumers will have the right to “object” or “opt-out” of having their data processed for marketing purposes, and this will have to be brought to the fore from the first communication and not hidden away.
The definition of personal data is also not as strict as we once feared it would be. While online identifiers such as cookies have been included as personal data, this is not universal. Whether an online identifier is covered will depend on whether it can be used to identify the individual. For example, a cookie tied to an email address or login will be covered but a cookie placed by an advertiser would not.
The new language also classifies profiling under the term “automated decision-making”, but this is only an issue where the profiling either produces a legal effect on the recipient or “significantly affects” them. Based on previous information released, this should only impact using marketing data to make offers which have a legal effect (pre-approved credit cards, etc.). But it will be interesting to see if “significantly affects” extends into marketing automation.
The final language was only agreed and released last night so we are all still digesting it. But it’s safe to say that we can all stop holding our breath and relax; Christmas has come just a little early.