In 2018, we’ve spent a lot of time talking about the EU General Data Protection Regulation (GDPR), a wide-ranging piece of legislation designed to protect personal data. Though it is a piece of European Union legislation, we mentioned at the time that the GDPR would affect marketers around the world, and that many firms both inside and outside the EU showed signs of being ill-equipped for the new regulations.
It’s now been three months since the GDPR went into effect in late May, time enough to take stock of how the GDPR has changed marketing in the digital age.
Who is compliant, and where?
A survey by a leading data privacy management company found some alarming figures on GDPR compliance: even in the EU (excluding the UK), only 20% of firms surveyed claimed to be GDPR compliant, with 27% still waiting to begin implementation. In the UK, compliance figures were lower, and only 12% of American firms surveyed were ready for the GDPR. Still, the good news is that rates for British and North American firms have been climbing steadily since the deadline.
According to figures reported by CNBC, only 25-30% of internet users worldwide were even opening GDPR opt-in emails, with the figure dropping to 15-20% for US users. One firm quoted by CNBC claimed that an online marketing firm lost the ability to reach 80% of its email list.
Still, since MailChimp estimates that the average open rate for emails is around 21%, this means that a 25-30% open rate is relatively good. Enough EU-based firms were doing something right with their opt-in email campaigns to have an above-average open rate, and that’s good news for them. We have 4 examples of good opt-in email templates here.
Has anyone been fined?
Possibly the primary reason that GDPR compliance required such urgent attention was the fines imposed on non-compliant companies. Firms engaging in prohibited practices after May 25th could be hit with fines of €20 million or 4% of global earnings, whichever is higher. According to a survey we highlighted in a previous post, 17% of firms polled would go out of business if hit with the maximum fine. One legal firm also found that GDPR fines have only been found to be insurable in two jurisdictions (Finland and Norway), so violators are on their own.
The first complaints for non-compliance with the GDPR have been lodged against Google, Facebook, Instagram and WhatsApp (the latter two are owned by Facebook) by a privacy-rights advocacy group based in Austria. If regulatory agencies follow through on the complaint and levy fines against Google and Facebook, the fines could total US$9.3 billion.
However, Google can easily afford a fine of $5 billion, whereas a fine even a fraction of this size could bankrupt many small online firms. For this reason, many have complained that the GDPR provides unfair disadvantages to small- and medium-sized businesses. For their part, EU figures like data protection supervisor Giovanni Buttarelli insist that the scalable nature of fines makes them fair, indicating that the structure of the EU’s fines will not be changing in future. However, at the moment, no fines have been levied yet—good news for all those non-compliant firms.
Who's had to pay?
In the lead-up to the GDPR’s May 2018 deadline, many unpleasant scenarios were predicted and at least a few have unfortunately come true. The steep costs of non-compliance and the generally low level of preparedness going into the May 2018 deadline meant that many companies ‘are getting killed by GDPR’, in the words of a CNN headline.
What may be surprising is that many firms are not ‘getting killed’ based on their newly shortened email lists. With penalties as stiff as these, many firms on both sides of the Atlantic have simply thrown up their hands and decided that they should block users from entire continents, or stop operating altogether.
CNN points out that many sites based in North America are now blocking IP addresses based in the EU. Numerous gaming, media, and news sites now greet European visitors with pop-up ads informing them that, due to the GDPR’s stringent regulations, visitors from the EU will have to look elsewhere. Here, for instance, is what many EU visitors to the Los Angeles Times newspaper (one of America’s largest) see when they visit the website now:
WhatsApp, too, now bans users under the age of 16 due to the GDPR (the age limit was 13 before May 25th). And it’s not just firms outside of the EU who have had to change things. Certain sites have stopped offering functions that would be too onerous to make GDPR-compliant: one tech journalist highlights a Czech social media network that was shut down since it ‘would have to change completely in order to comply with the regulations’.
Some good news in all of this is that the EU is demonstrating patience in enforcing the GDPR, meaning that if you’re not yet 100% ready, you still have time. And we’re happy to help! Contact us if you’re interested in ensuring that you’re as ready as possible for the post-GDPR landscape.