Banks, tech giants and adtech firms are amongst those hit by the new data privacy law
Companies are seeing a sharp spike in requests for information on how their data is collected and processed following the introduction of the General Data Protection Regulation (GDPR) across Europe a month ago, with many requesting extensions to the legal deadline for their replies.
The regulation has also shaken up the online advertising business, with some adtech firms withdrawing from the European market and advertising spend sharply lower.
Technology companies, media firms, retailers and banks are amongst those most targeted by information reqeuests, with financial groups, some of which are required to collect detailed data for money-laundering, tax or other reasons, saying they’ve found the new data rules burdensome to implement.
The GDPR gives individuals the right to know how their data is used and to decide whether it is shared with other firms or deleted.
Moreover, it exposes companies to fines of 4 percent of global turnover or 20m euros (£18m), whichever is greater, in the case of serious breaches.
Facebook has seen a three or fourfold increase in user requests for information following the GDPR’s entry into effect late last month, but has seen it halve on a weekly basis since then, the Financial Times reported.
Hotel chain Marriott said it has asked for extensions to the one-month response period due to the “large volume of requests”. Such extensions are permitted under the new law.
City stockbroker WH Ireland told the FT several staff have been working full-time to review customer data going back more than 15 years, much of which is stored in 5,000 boxes containing paper files.
Netflix has yet to respond to information requests submitted via a Switzerland-based smartphone app called One Thing Less that automates the process. The firm said it didn’t plan to work with the app, instead asking users to send their request directly.
The UK Information Commissioner’s Office said it received 1,106 data protection complaints in the three weeks following the GDPR’s introduction and said data breach reports, which the law makes mandatory, had also increased. Dixons Carphone and Ticketmaster are amongst the UK companies to have disclosed hacks in the past month.
Ireland’s Data Protection Commission said it had received 547 breach notifications and 386 complaints in the GDPR’s first month, according to the International Association of Privacy Professionals.
The Czech Republic and France also had high numbers of complaints, at more than 400 each.
Campaign group Privacy International said it has written to four data brokers and adtech companies asking for details on why they collect personal information and share it with third parties, while Austrian privacy lawyer Max Schrems has filed four GDPR complaints against Facebook and Google.
Ad spend drop
The new rules pose a problem for advertising tech companies, who are required to obtain explicit consent for gathering and processing personal data, but often have no direct relationship with those whose data they’re obtaining, and at times don’t even know which sites their ads are appearing on.
As a result some adtech firms, including Kargo, Verve and Drawbridge, have shifted away from the EU altogether.
Factual, an adtech firm that works with location data, said it had withdrawn from Europe because it felt developers weren’t compliant and didn’t know how to grapple with the new law, The Drum reported.
Some industry observers have forecast that Google’s interpretation of the new rules will result in vastly decreased amounts of data passed on to European marketers, especially via the Doubleclick ID feature, which allows marketers to use data from DoubleClick for comparison with ads on other platforms.
The feature works by creating a unique user ID for particular cookies – in effect, for particular individuals viewing ads, or at least for those individuals’ web browsers. Google sharply limited DoubleClick ID use in April, ahead of the legal changes.
European adtech companies have seen automated ad requests diminish by up to 25 percent since GDPR’s introduction, with ad spending down by 40 percent, The Drum found.
One of the industry’s major data management platforms is understood to have seen about 30 percent of its audience profile disappear almost overnight, the industry journal said.
Several publishers with audiences on both sides of the Atlantic reportedly decided to cease programmatic ad spending in Europe in order to avoid risking exposure to GDPR fines.
Immediately after the GDPR’s introduction, several major publishers even made their websites temporarily unavailable to European residents, including the Los Angeles Times, the Chicago Tribune, The New York Times and apps such as Unroll.me, which targets email spam.