GDPR: Impunity vs Accountability


In the battle to protect consumer privacy, we have not yet begun to fight

In May of 2018, the European Union implemented the General Data Protection Regulation (GDPR), a set of regulations designed to protect consumer privacy from exploitation by Big Data tech firms. Six years later, has GDPR lived up to its promise of a privacy utopia? Or has it merely forced web surfers to continually click “Accept all cookies” buttons when visiting their favorite online haunts? According to the expert panel at the 2023 Loyalty Summit CXM in Zurich, the war for consumer privacy is still in its opening campaign.

By Rick Ferguson

Few experts have spent more time studying the ramifications of GDPR than Richard Dutton, Managing Director at ELIAS Partnership, a UK-based data advisory business. Dutton and his co-founder, data law expert Dean Armstrong, have spent the years since the law’s implementation advising European firms on everything from data transfers to facial recognition technology. Today, Dutton sees the state of data privacy in stark terms.

“On the one hand, you have the big tech companies who see [GDPR] fines as a parking ticket, the cost of doing business,” Dutton told the audience at Loyalty Summit CXM. “On the other hand, you have the regulators looking to hold organizations to the GDPR. It’s a battle between impunity and accountability.”

Current State: Real teeth but elusive control

On its face, the GDPR appears to have lived up to its promise of holding tech firms accountable. Since the law’s introduction, the EU has levied over €4 billion in fines against companies found guilty of privacy violations and abusing their monopoly power. In 2023 alone, regulators levied over €2.3 billion in fines; Meta alone paid a €1.2 billion fine. These fines have sent a strong signal to Big Data that the EU is serious about GDPR enforcement.

The law has also been wildly influential; as of 2024, 28 EU countries have enacted GDPR, while an additional 17 non-EU countries have passed similar legislation. Even the United States, historically the wild west of consumer privacy, has gotten into the act, with California enacting the California Consumer Privacy Act (CCPA) in 2020.

These regulations and their associated fines have seen consumer-facing firms focused almost exclusively on compliance. But what about that promised privacy utopia, in which consumers become empowered with full control over their personal data, even to the point of monetizing it for their own benefit? And what about those big tech firms who view even billion-euro fines as “parking tickets?” In the war between impunity and accountability, which side will win?

Based on the discussion of the Loyalty CXM privacy roundtable, here are three predictions for the future of GDPR and data privacy.

Prediction One: The regulators are coming

The COVID outbreak of early 2020 sent GDPR compliance into a deep freeze. But the fines issued by regulators in 2023 should serve as a wake-up call to Big Data; that €2.3 billion levied last year was more than the three previous years combined.

In addition to this increased scrutiny, more regulations are on the horizon. Last August, the EU enacted a slate of laws known as the Digital Services Act (DSA), designed to rein in the spread of harmful content and misinformation via algorithms. Like GDPR, costs for violators are steep—companies can be fined up to 6 percent of global revenue. In addition, seven EU countries have banned Google Analytics on the grounds that the data gathered violates GDPR.

If the DSA isn’t enough of a headache for Big Data, then more trouble is coming. The Interactive Advertising Bureau Europe (IAB Europe) is the trade association charged with self-governing GDPR compliance via the Transparency Consent Framework (TCF)—that’s the backbone behind the “Do you accept all cookies?” pop-ups now ubiquitous on the internet. The problem: The TCF has itself been ruled in violation of GDPR by at least one EU country.

That’s a lot of uncertainty for what is supposed to be settled law. In the next few years, the battles will be fought mainly over EU consumer data sent back to US-based tech companies. Thanks to the Clarifying Lawful Overseas Use of Data Act or CLOUD Act, a US federal law enacted in 2018, federal law enforcement can compel US-based tech companies to provide data access regardless of whether the data are stored in the US or on foreign soil. That law puts Big Data in a tight spot—either defy GDPR by complying with a federal warrant or comply with GDPR and defy the federal government.

Not scary enough for you yet? We won’t even mention the coming deluge of class-action lawsuits against tech firms for failing to comply with GDPR and regulators for failing to adequately enforce it. In short: When it comes to the privacy wars, you ain’t seen nothing yet.

Prediction Two: Consumer control will remain elusive

One of the promises of GDPR was a future based on data portability. In this privacy utopia, consumers could easily request their personal data from the companies to which they’ve given permission to store it and then trade or even sell that data to other companies. Think an American Airlines AAdvantage elite-status flyer downloading their data and uploading it to Delta to enjoy instant SkyMiles Platinum status. Or a Tesco Clubcard member in the UK delivering their shopping data to Sainsbury’s to build up an instant points balance in Nectar. Because GDPR requires companies to grant customers access to their own data, the thought went, ownership of data would shift from brands to consumers. They might even become free agents who shop their data to the highest bidder.

To date, neither consumers nor brands have been incentivized to transform this vision into reality. Sure, you can get your data from Tesco in four or five clicks and offer it to Sainsbury’s. But what is Sainsbury’s offering in exchange? Thus far, nothing—not even double Nectar points on purchases. In part, this is because companies like Sainsbury’s have been so concerned with GDPR compliance that they haven’t spent a second thinking about the opportunity.

Evolving tech may yet unlock this opportunity. Tim Berners-Lee, the literal inventor of the internet, has founded a startup built around the concept of peer-to-peer data transfer and secure consumer “data pods.” Brands could ask permission to access these pods for marketing purposes. But this tech is currently more dream than reality; for now, there’s still no incentive for brands to make data portability and consumer control a priority.

Prediction Three: Tech will move faster than regulations

The GDPR became law because existing consumer privacy regulations were both antiquated and inadequate. Regulators were playing catch-up with Big Data firms and their ability to capture and monetize consumer data without express permission—or with said permission buried deep within laughably dense terms-and-conditions agreements.

Today, regulators are still playing catch-up. The global market for facial recognition technology, for example, is expected to grow by 12.9 percent to reach US $25 billion by 2030. What happens when marketers start leveraging that tech Minority Report-style to deliver offers in-store? What happens when AI chatbots start spitting out personal information scraped from the web? Blockchain tech promises to upend the very notion of consumer privacy—what happens if your every transaction is recorded and visible on the chain?

These rapid tech advances mean that regulators will continue to play whack-a-mole with Big Data companies intent on exploiting your personal information for shareholder returns. We face two potential futures: In one future, consumers finally gain control of their personal data and partner with brands to extract mutual benefit from it; in the other future, we face a dystopian hellscape of competing interests and an endless war between regulators and Big Data. Which future will win?

Trust, commitment, and reciprocity

In the long arc of human history, the notion of a right to individual privacy is a recent invention. Prior to the industrial revolution, the mostly agrarian working class saw no distinction between their public and private lives; everyone in the village knew everyone else’s business. Only in the shift to urban life and the advent of the nuclear family did the notion of privacy come to the fore. Now, that notion is under continual assault.

Fortunately, loyalty marketers have a workable solution already at hand, because we’ve been practicing it for over forty years. That solution: Permission-based marketing based on a transparent value exchange. That’s the classic definition of loyalty marketing—you agree to let me track your behavior and market to you based on your interests, and I’ll reward and recognize you. Customer relationships based on trust, commitment, and reciprocity don’t require onerous regulations and eye-watering fines to implement. In the battle between impunity and accountability, only the virtuous will survive.

Rick Ferguson is VP of Marketing for Loyalty Summit.
