
Why US marketers must get up to speed to avoid a GDPR shock

If marketers in the US want to continue selling into the world’s largest digital single market, they need to figure out carefully how the new General Data Protection Regulation affects their database . . . or they are in for a nasty GDPR shock, says Ardi Kolah.

There’s an eerie lack of awareness about the impact of the GDPR among US businesses that target the roughly 500m consumers in the European Union. There are many reasons for this: the complexity of the law, inadequate budgets and too little time, combined with a shortage of qualified and trained staff, have conspired to perpetuate this lack of readiness among US marketers.

I’ve been in conversations with senior US executives who’ve boldly told me that the “GDPR doesn’t apply to them” and that in any event they can rely on ‘legitimate interest’ to continue to market goods and services and monitor the behaviour of EU citizens as they’ve always done.

Well, they’re in for a nasty GDPR shock

US-based companies that have never set foot in the EU are within the GDPR’s reach if they offer goods or services to people in the EU or monitor their behaviour (Article 3(2)), and they face the same sanctions as European companies if they refuse to play by the new rules: fines of up to €10m or 2% of global annual turnover for lower-tier infringements, and up to €20m or 4% for the most serious, whichever is higher in each case.

This may sound like a nightmare scenario but data protection, privacy and security laws across the world’s largest digital single market have got a lot tougher.

In fact, it’s less about ‘general’ and more about ‘global’ standards, so perhaps ‘GDPR’ should be an acronym for ‘Global Data Protection Regulation’. Other jurisdictions are following the European lead here.

There are several reasons for the evolutionary change in the global data protection landscape. And the big one, of course, is privacy.

The Facebook/Cambridge Analytica scandal that impacted 87m personal data records may be only the tip of the iceberg of what’s now known as ‘surveillance capitalism’.

Interestingly, the word ‘privacy’ doesn’t appear in the US Constitution, although the Constitutions of 10 US States – Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington – do have explicit provisions relating to a right to privacy.

Like the right to bear arms that so many Americans feel defines their version of democracy, millions of Europeans consider the privacy of their personal information to be just as sacred and a fundamental human right.

But this isn’t just a European thing. It’s a global thing. In a landmark judgement in August 2017, the Indian Supreme Court highlighted the fundamental and universal value of the right to privacy as an “essential facet of the dignity of human being”.

The EU Directive 95/46/EC (repealed and replaced by the GDPR on 25 May 2018) established a broad set of principles for the protection of privacy and personal data. However, each EU Member State was given wide discretion to implement those principles in national law, with the result that US companies faced a patchwork of data protection, privacy and security laws that made it extraordinarily difficult to run marketing campaigns across the EU without fear of falling foul of rules that varied between European jurisdictions.

The legacy is that today the patchwork quilt of different EU Member State laws is now vastly reduced to a few operational areas and, although not perfect and not without its critics, the GDPR is a bold and ambitious attempt at achieving a degree of harmonisation and consistency not achieved in the past 20 years.

Cross-border transfer of personal data between US and EU is now going to change

A critical commercial impact of these assorted data protection and privacy laws is on cross-border personal data transfers between the EU and other jurisdictions.

Only a small number of other countries, such as Canada (for organisations covered by its federal commercial privacy law) and Israel, have been recognised by the European Commission as offering an ‘adequate’ level of protection, so transfers of personal data from the EU to those countries aren’t generally restricted under the GDPR. The US has no general adequacy decision; instead it relies on the EU-US Privacy Shield, a partial adequacy arrangement that covers only organisations that self-certify to it. How long Privacy Shield survives legal challenge remains to be seen.

EU Standard Contractual Clauses (SCCs) are an alternative to Privacy Shield. These are model contracts adopted by the European Commission for use when personal data is transferred from the EU to a country without an adequacy decision, including the US. The clauses themselves can’t be modified to suit a particular transaction (parties may add commercial terms only if they don’t contradict them), and this inflexibility can sometimes be a barrier to their use.

Only a few US organisations have implemented ‘binding corporate rules’ (BCRs), which allow multinational corporations, international organisations and groups of companies to make intra-group transfers of personal data across borders in compliance with the GDPR. The rules must meet strict requirements and be approved by the competent EU supervisory authority, with the other authorities concerned consulted through the GDPR’s consistency mechanism (Article 47).

The time and cost of putting BCRs in place have slowed adoption even among very large companies. Whichever mechanism is used, the GDPR now sets the rules under which such transfers are regulated, with the objective of harmonisation across Europe: sweeping away the wide variety of national rules among EU Member States and replacing them with a uniform set of data protection principles.

Why a single EU Regulation is a game-changer for US marketers

At first glance, the concept of uniformity is extremely attractive. Regulation 2016/679 has been regularly promoted as a means to simplify conducting business in the European Union and the European Economic Area (EEA).

However, the ‘devil is in the detail’, especially with respect to how the GDPR will be enforced. Here, we need to watch very closely how the European Data Protection Board (EDPB), the national supervisory authorities and the courts interpret the Regulation as the first challenges reach them.

A central driver behind introduction of the GDPR is to affirmatively enhance protections for individuals and their personal data — which will entail an inevitable and, in some cases, potentially dramatic increase in the regulation of companies, not to mention very substantial increases in the potential financial penalties.

Big US companies will be the data controllers of personal data relating to data subjects and will also be responsible for directing the use of that data by data processors and sub-processors anywhere on the planet. There may also be situations where US companies act as joint controllers with other organisations for different purposes.

Legal liability for protecting personal data rests primarily with the data controller, who may in turn have claims against its processors for data misuse, breach of contract and so on. The GDPR also places direct obligations on processors (for example, security of processing under Article 32), and where a controller and its processors are both responsible for the same damage, each is liable for the entire damage so that the data subject is fully compensated (Article 82). So for any breach or any unauthorised use or disclosure of personal data at any point in the value chain, the data controller’s neck is on the line, including for compensation claims made by affected data subjects.

From a commercial perspective, this new approach has the potential to immensely complicate routine transactions.

A vivid example of the impact on commercial operations can be seen in the Google Spain v AEPD and Mario Costeja González case in the EU Court of Justice, which effectively established the concept of ‘the right to be forgotten’, now codified as the right to erasure under Article 17 of the GDPR.

US companies must carry out a data protection impact assessment and may well be advised to appoint a Data Protection Officer

US companies that are doing business with EU citizens right now need to carry out data protection impact assessments (DPIAs, Article 35) across their operations, not simply on a project-by-project basis, and appoint a data protection officer (DPO) or chief privacy officer who will effectively be the eyes and ears of the company on GDPR compliance. Appointing a DPO is mandatory under Article 37 where core activities involve large-scale, regular and systematic monitoring of individuals, which describes much online behavioural marketing. Controllers with no EU establishment must also designate a representative in the Union (Article 27) as the point of contact for supervisory authorities and data subjects.

Under the GDPR, the DPO has a very different status from an ordinary senior manager: they report to the highest level of management, must be given independence in performing their tasks and cannot be dismissed or penalised for doing so (Article 38), because their primary responsibility is to protect data subjects rather than to advance the commercial interests of the company at any cost.

Under the GDPR, the data controller must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33), and must inform the affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34). This will pose a significant burden, as many organisations simply aren’t geared up to detect, assess and report incidents in such a short time frame.

Impact of GDPR on internet marketing for US companies

Internet marketing, the very model that’s inextricably embedded in countless commercial practices and increasingly sustains commercial activity on the web, is at risk under the GDPR.

Specifically, ‘profiling’, the practice of building a picture of an individual’s preferences, browsing history, purchases, etc, needs a lawful basis like any other processing, and individuals have an absolute right to object to profiling for direct marketing purposes (Article 21). Decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on the individual are prohibited unless necessary for a contract with them, authorised by law or based on their explicit consent (Article 22).

Behavioural advertising, targeted marketing or re-marketing, email solicitations and other direct marketing practices will be less effective if they can’t be targeted using individual profiles, and therefore less valuable.

The collection of information on individuals as a basis for displaying personalised ads, one of the largest tools in the current e-commerce toolbox, could suddenly disappear. The disquiet created by Facebook/Cambridge Analytica will effectively tighten the controls over such practices in the new e-Privacy Regulation (E-PR), proposed by the European Commission and still being negotiated by the European Parliament and Council, with adoption possibly not before autumn 2019.

The GDPR Handbook by Ardi Kolah was published on June 3rd, by Kogan Page, priced £49.99. For more information visit:


Author: Ardi Kolah

Executive fellow and director of the GDPR Transition Programme at Henley Business School and founder of GO DPO – the strategic partner for many multi-national clients in GDPR compliance, Ardi Kolah is editor-in-chief of the Journal of Data Protection and Privacy and a keynote speaker on GDPR for organisations including the British Bankers' Association, the International Association of Privacy Professionals and the HR Directors Forum. A former BBC broadcaster, he has written a new book, The GDPR Handbook – to help data protection officers and businesses interpret the new regulation – which has been published by Kogan Page.
