When the European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018, businesses across the globe were left scrambling to figure out the nuances of compliance, despite having almost two years of lead time to prep for the new rules.
Building on the EU’s earlier Data Protection Directive, the GDPR gives people in the 28 EU member states more explicit control over their personal data. Although it is formally an EU law, its reach is effectively global: it applies to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour (Article 3). As a result, even a company that engages with only a handful of customers in the EU must meet the GDPR’s requirements, lest it find itself on the hook for the regulation’s hefty penalties.
For the most serious infringements, failure to comply can cost a company up to 4 percent of its worldwide annual turnover or 20 million euros, whichever is higher. A lower tier of up to 2 percent or 10 million euros applies to other obligations, including the breach-notification and record-keeping duties discussed below.
Despite the fear that those figures may induce in the hearts of app marketers, GDPR should really be viewed as an opportunity for brands to clean up their data stores and better interact with their customers, regardless of geography. Rather than segregate European customers from those residing in other locales, brands should consider adapting data collection policies on the whole to both reap more meaningful interactions with their global user base and prepare for future regulations.
The GDPR was envisioned as a long-overdue overhaul of the EU’s Data Protection Directive, which dates from 1995. With almost two decades of technological change to account for, the European Commission proposed a replacement in 2012. The regulation was formally adopted in 2016, and businesses were given roughly two years before the May 25, 2018, start date to get familiar with the rules and update their data policies accordingly.
Of course, many of the headlines leading up to the start date emphasized how little companies had actually accomplished in assuring compliance ahead of May 25. In particular, while brands were quick to cover the “low-hanging fruit” by delivering consent notices to users browsing on desktop or mobile web, apps were, by and large, bypassed when compliance programs were put into effect.
Only a few months after the regulation took full effect, almost 98 percent of leading apps were not compliant with it, according to a study from the digital governance specialists at Crownpeak. The report, which examined the 50 leading apps on the Android and Apple app stores, found that almost 80 percent of brands did not ask for consent before collecting user data.
Further, on almost every app evaluated in the report, third-party SDKs were running in the background and performing some kind of data collection that might violate the GDPR. Any app compliance review therefore has to inventory every embedded SDK, what data it collects and where it sends it, not just the app’s own code.
Much of this can be attributed to a larger trend in mobile marketing: apps continue to be something of a blind spot for many teams, one that is especially glaring given that roughly 90 percent of the time users spend online on smartphones is spent in applications. As in almost all areas of app marketing, brands are still playing catch-up with consumer tastes and with best practices generally. But when marketers view the GDPR as the opportunity it really is to better define and understand their users and target demographic, they are better positioned to adapt to market changes going forward.
Since more stringent data protection regulations are considered inevitable wherever brands do business, marketers are wise to evaluate their entire mobile marketing plan in the context of the GDPR so that they are primed for the future. It is also the easiest way to manage data from all of their contacts: one data-management model for everyone, rather than separate models for different geographic segments that often collect more than is useful for personalization anyway.
• Firm-up your opt-in process:
An opt-in process should already be part and parcel of any mobile marketer’s playbook. If an app uses push or in-app messaging, for instance, the operating system’s permission prompt is already a given. That prompt is not GDPR consent, however. Under the GDPR, consent must be freely given, specific to a purpose, informed and unambiguous, and given by a clear affirmative action (Article 4(11)); it must be as easy to withdraw as it was to give (Article 7(3)); and the controller must be able to demonstrate that it was obtained (Article 7(1)). Consent is only one of the regulation’s lawful bases for processing, but for analytics and marketing tracking it is usually the one that applies.
A pre-ticked box, or a single catch-all checkbox that covers everything the app might do, won’t cut it under the GDPR, because neither signals the user’s voluntary, active consent to a specific purpose. Further, the opt-in notice needs to make explicitly clear what data the app will collect, for which purposes it will be used, who will receive it and how long it will be kept (Article 13). Opt-in agreements that predate the GDPR generally fall far short of this, so they need to be rewritten, and consent that was gathered under them generally has to be collected again before the app continues to gather data. This transparency must be in place at every stage, for every purpose, before collection starts.
• Avoid relying on “blanket consent” and old-school lead generation:
Building on the key point above, blanket consent can’t be assumed simply because a user gave permission to gain access to a specific asset or initiative. A master marketing list, for instance, can’t be blindly compiled from users who forked over their email address to attend a single webinar. Each purpose needs its own consent, the consent record has to show which purposes were covered, and brands must first deliver a clear explanation of why the data is being collected and how it will be used.
• Overhaul recordkeeping and expand data stores:
The GDPR demands that companies be more exhaustive in the records they keep. A controller must be able to demonstrate that consent was given (Article 7(1)) and must keep records of its processing activities (Article 30), which means accounting for every instance of consent and withdrawal, so record libraries will balloon. This is an area where marketers should view the GDPR as an opportunity to do some meaningful housekeeping, even if it does mean more work at the outset.
While it may sound tedious to collect and store every instance of who consented, what they consented to, when they consented and how (including which version of the privacy notice they saw), this data clears up a lot of headaches when it sits in a system that provides fast access and quick accountability. Teams should iron out with their IT and security colleagues, as soon as they can, who will own this new information and how it will be protected. It may ultimately require more manpower, but the initial headaches will eventually give marketers more data to work with, and a shield against epic noncompliance, assuming they are open with users from start to finish.
• Create a system to erase customer data quickly:
“Data ownership” is at the crux of the GDPR, so brands need to be sure they have methods in place to erase a customer’s data, or hand it over in a portable format (Article 20), as efficiently as the customer demands. In the regulation’s terms the brand itself is the “data controller”; the “data shepherd” inside the company who manages the records of consent described in the section above is typically the data protection officer, which organizations that monitor users at scale are required to appoint (Article 37). That person can help bring this to reality.
The GDPR explicitly gives users a right to erasure, the “right to be forgotten” (Article 17), alongside rights to restrict processing (Article 18) and to object to it, including to direct marketing (Article 21). Depending on their relationship with the company, a user may ask to have all of their data removed from its servers, to have further collection stopped, or simply to have it paused until they say otherwise. To make this efficient, an opt-out path needs to be refined alongside the opt-in strategy so that all of this can be done with minimal holdups, and erasure has to reach every copy: production databases, analytics stores, backups on their retention schedule, and the third-party SDK vendors the data was shared with, who must be told of the request (Article 19). Requests must be answered within one month, extendable by two months for complex cases (Article 12(3)); if a company misses that, the user can lodge a complaint with their national supervisory authority.
• Don’t delay, and ask for help
Not to bury the lede, but one of the most consequential provisions of the GDPR is breach notification: a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), and must tell affected users without undue delay when the breach is likely to put them at high risk (Article 34). As the data shepherd, it is your responsibility to report any missing sheep within that 72-hour window, which means you need a detection and incident-response process that can establish what happened and who is affected within three days. To put it in perspective, Equifax discovered its 2017 breach, already among the costliest enterprise breaches to date, at the end of July and disclosed it in early September, roughly six weeks later; under the GDPR that delay alone would have exposed the company to fines on top of any penalty for the breach itself.
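As an added example (not Localytics code and not a tool the post describes), the following Python script ties the points above together in a minimal consent ledger: purpose-specific consent with no blanket grants, withdrawal that is as easy as the grant, a record of who consented to what, when, how and under which notice, an export for access and portability requests, and an erasure path that deletes the profile, suppresses further collection and keeps only a hashed tombstone. The purposes, the in-memory store and the “user-42” data are constructed for the example; the 72-hour helper encodes the Article 33 deadline from the moment of awareness.

```python
# Added example: an in-memory consent ledger for a mobile app backend.
# Not Localytics code; purposes, store layout and sample data are assumptions.
from __future__ import annotations

import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Purpose(str, Enum):
    """Each processing purpose needs its own consent; one never implies another."""
    ANALYTICS = "analytics"
    PUSH_MARKETING = "push_marketing"
    EMAIL_MARKETING = "email_marketing"


@dataclass(frozen=True)
class ConsentEvent:
    """One consent record: who, for what, granted or withdrawn, when, how, under which notice."""
    subject_id: str
    purpose: Purpose
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # timezone-aware UTC timestamp
    method: str            # how it was captured, e.g. "in-app dialog, unticked box"
    notice_version: str    # the privacy notice the user was shown at the time


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._suppressed: Set[str] = set()           # subjects who asked to be erased
        self.erasure_log: List[Dict[str, str]] = []  # hashed tombstones, no personal data

    def record(self, subject_id: str, purpose: Purpose, granted: bool, method: str,
               notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, granted, at or datetime.now(timezone.utc),
                          method, notice_version)
        self._events.append(ev)
        if granted:
            self._suppressed.discard(subject_id)  # a new explicit grant lifts suppression
        return ev

    def may_collect(self, subject_id: str, purpose: Purpose) -> bool:
        """True only if the latest event for this exact purpose is a grant (no blanket consent)."""
        if subject_id in self._suppressed:
            return False
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def export(self, subject_id: str) -> List[dict]:
        """Access/portability request: every consent row held on one person as plain dicts."""
        return [{**asdict(ev), "purpose": ev.purpose.value, "at": ev.at.isoformat()}
                for ev in self._events if ev.subject_id == subject_id]

    def erase(self, subject_id: str, profile_store: Dict[str, dict],
              at: Optional[datetime] = None) -> None:
        """Erasure request: drop the profile and consent rows, block further collection,
        and keep only a hashed tombstone showing the request was honoured."""
        profile_store.pop(subject_id, None)
        self._events = [ev for ev in self._events if ev.subject_id != subject_id]
        self._suppressed.add(subject_id)
        self.erasure_log.append({
            "subject_hash": hashlib.sha256(subject_id.encode()).hexdigest(),
            "erased_at": (at or datetime.now(timezone.utc)).isoformat(),
        })


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Article 33: notify the supervisory authority within 72 hours of becoming aware."""
    return aware_at + timedelta(hours=72)


def demo() -> dict:
    """Constructed scenario: one user, three purposes, a withdrawal and an erasure."""
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    profiles = {"user-42": {"email": "u42@example.com", "city": "Berlin"}}  # constructed
    # Webinar sign-up collected an email address for email marketing only.
    ledger.record("user-42", Purpose.EMAIL_MARKETING, True,
                  "webinar form, unticked box", "notice-2018-05", at=t0)
    # The user later grants analytics in-app, then withdraws it from the settings screen.
    ledger.record("user-42", Purpose.ANALYTICS, True,
                  "in-app dialog v3", "notice-2018-05", at=t0 + timedelta(days=1))
    ledger.record("user-42", Purpose.ANALYTICS, False,
                  "settings screen", "notice-2018-05", at=t0 + timedelta(days=2))
    result = {
        "email_ok": ledger.may_collect("user-42", Purpose.EMAIL_MARKETING),  # granted
        "push_ok": ledger.may_collect("user-42", Purpose.PUSH_MARKETING),    # never asked
        "analytics_ok": ledger.may_collect("user-42", Purpose.ANALYTICS),    # withdrawn
        "export_rows": len(ledger.export("user-42")),
        "breach_deadline": breach_notification_deadline(t0).isoformat(),
    }
    ledger.erase("user-42", profiles, at=t0 + timedelta(days=3))
    result["profile_gone"] = "user-42" not in profiles
    result["collect_after_erase"] = ledger.may_collect("user-42", Purpose.EMAIL_MARKETING)
    result["erasure_logged"] = len(ledger.erasure_log)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the file directly to see the scenario play out. The design choices worth copying are that `may_collect` answers only for the exact purpose asked about, that a withdrawal is just another row rather than a deletion (so the record can still demonstrate what was consented to and when), and that erasure leaves behind a hash rather than the identifier, so the log itself does not become a new store of personal data.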
Successful mobile marketing campaigns often hinge on companies keeping tidy and transparent data protection policies to make sure that teams don’t find themselves in legal snafus when all they are trying to do is better engage their customers. Brands should rely on the marketing platforms and analytics providers they already trust to help them succeed in mapping out their mobile compliance strategies.
The General Data Protection Regulation (GDPR) was, in large part, a catalyst for Localytics to re-assess the data we process to meet the more stringent regulatory requirements all businesses face today.
The spectrum of privacy approaches an organization can take ranges from doing so little that it is basically negligent to doing what needs to be done to allow our customers to maintain compliance. But brands can do more by partnering with Localytics to provide valuable guidance and deliver more reasonable cross-checks that help customers ensure privacy rights are respected.
To learn about how Localytics can help your brand spin GDPR into a coup for your mobile marketing operation, schedule a call today.