Next May will mark four years since the European Union's comprehensive data privacy law, the GDPR, went into effect. The EU's privacy laws and others like them have had a major impact on marketers in all industries, and there is more to expect in the coming year. According to consumer data privacy pundits, marketers in 2022 can expect upticks in enforcement and updates to consent rules for first-party IDs and hashed IDs, and should be closely watching European AI and ePrivacy regulations.
“I expect to see additions to the GDPR regulatory (arena), especially regarding consent on first-party IDs and hashed IDs,” said Shankar Venkataraman, vice president at Jivox, a cloud-based marketing personalization provider. “There is still some ambiguity around opt-in consent, the level of consent, and the degree of support transferable from publisher to the advertiser. Those are all aspects that we expect the regulations to address next year. In addition, I expect the regulation around ‘end-user data access and review’ to become more tightened.”
With more coming from new GDPR regulations and additional legislation across the U.S., it's time to start looking ahead at how all of these new laws will impact your marketing strategies for the coming year.
Member States Will More Closely Align With GDPR
When GDPR first went into effect, we saw a lot of fragmentation between the EU-wide regulation and member state laws, according to digital policy and consumer data privacy expert Kristina Podnar.
In 2022, she anticipates that member states will change local laws to align more closely with GDPR, which could include a common definition of the age under which a child requires parental consent, Data Protection Officer (DPO) appointments, and the types of processing that require a Data Protection Impact Assessment (DPIA).
Consumer Consent Trends Are Here to Stay
More consumers are starting to understand that for a company to contact them, it must be able to show that the consumer freely gave consent when asked, and that the consumer can withdraw that consent at any time, according to Podnar.
Muge Fazlioglu, Ph.D., senior Westin Research Fellow for the International Association of Privacy Professionals (IAPP), noted that if you look at a couple of the biggest GDPR fines in recent memory — including Google's and Amazon's — there are huge lessons for marketers in terms of consent. "They both involve consent, which is central to our privacy and data protection laws and policies," Fazlioglu said. "I think the lesson is that consent cannot just be a box-ticking exercise. It needs to be freely given, a choice based on information. So, companies must find ways to inform users about how their data is being used so that they understand what they agree to."
If advertisers or marketers are using retargeting, they must ensure that the pixels are fired only when there is explicit consent and for the data’s intended purpose, according to Venkataraman.
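The gating described above, as an added example that is not from the article or any vendor named in it: consent is tracked per purpose, defaults to "not given", can be withdrawn, and a retargeting tag fires only when its own declared purpose has a current, explicit grant. Purpose names, the tag name and the banner identifier are constructed for the example.

```javascript
// Added example, not from the article: a purpose-scoped consent gate for tags.
// Consent starts as "not given" for every purpose (nothing pre-ticked), must be
// granted explicitly, can be withdrawn at any time, and a pixel fires only when
// the purpose it serves has a current grant. Purpose names are constructed.
const PURPOSES = ["analytics", "retargeting", "personalization"];
function createConsentGate() {
  const state = Object.fromEntries(PURPOSES.map((p) => [p, null])); // null = no consent
  const log = []; // audit trail: grants, withdrawals, fired and suppressed tags
  // `source` records how consent was obtained (e.g. banner version) so a
  // grant can later be shown to have been explicit and informed.
  function set(purpose, granted, source) {
    if (!(purpose in state)) throw new Error(`unknown purpose: ${purpose}`);
    state[purpose] = { granted, source };
    log.push({ event: granted ? "grant" : "withdraw", purpose, source });
  }
  const grant = (purpose, source) => set(purpose, true, source);
  const withdraw = (purpose) => set(purpose, false);
  const hasConsent = (purpose) => Boolean(state[purpose] && state[purpose].granted);
  // Runs `send` (e.g. a function that inserts the pixel <img>) only when the
  // tag's declared purpose is consented; returns whether the tag fired.
  function fireTag(tag, send) {
    if (!hasConsent(tag.purpose)) {
      log.push({ event: "suppressed", tag: tag.name, purpose: tag.purpose });
      return false;
    }
    send(tag);
    log.push({ event: "fired", tag: tag.name, purpose: tag.purpose });
    return true;
  }
  return { grant, withdraw, hasConsent, fireTag, log };
}

// Constructed tag: a retargeting pixel declared with the purpose it serves.
const retargetingPixel = { name: "example-retargeting-pixel", purpose: "retargeting" };
// Scenario from the text: no consent, or consent for a different purpose, both
// suppress the pixel; an explicit grant fires it; withdrawal stops it again.
function demo() {
  const gate = createConsentGate();
  const sent = [];
  const fire = () => gate.fireTag(retargetingPixel, (t) => sent.push(t.name));
  const r1 = fire();                     // nothing granted yet
  gate.grant("analytics", "banner-v1");
  const r2 = fire();                     // analytics consent does not carry over
  gate.grant("retargeting", "banner-v1");
  const r3 = fire();                     // explicit consent for this purpose
  gate.withdraw("retargeting");
  const r4 = fire();                     // consent withdrawn
  return { results: [r1, r2, r3, r4], sent, log: gate.log };
}
```

The `log` array gives the evidence a regulator or auditor would ask for: which tags fired, which were suppressed, and under which recorded grant.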
EU’s New AI Regulation
Perhaps the biggest change to GDPR in 2022 will come via the EU's AI regulation, which is still in draft form, Podnar said. The European Commission unveiled a proposal for a new Artificial Intelligence Act (AI Act) in April 2021. According to the European Parliament, the Commission proposes to enshrine in EU law a technology-neutral definition of AI systems and to adopt different sets of rules tailored to a risk-based approach with four levels of risk:
- Unacceptable risk AI: Harmful uses of AI that contravene EU values.
- High-risk AI: AI systems that create an adverse impact on people's safety or their fundamental rights.
- Limited risk AI: Some AI systems will be subject to a limited set of obligations.
- Minimal risk AI: AI systems that can be developed and used in the EU with no legal obligations beyond existing legislation.
"Think about the marketing stack which has AI embedded," Podnar said, "or the large data lakes that organizations own and are using AI to do everything from garnering consumer insights to serving up highly tailored content that drives CX."
EU’s New ePrivacy Regulation
The proposed ePrivacy Regulation would:
- Create rules for electronic communications and protect the privacy of end users, the confidentiality of their communications and the integrity of their devices.
- Cover not only personal data but also metadata and confidentiality requirements, and apply to instant messaging apps, Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communication.
"The biggest advice I have for marketers is to rethink e-privacy and AI in the context of GDPR, as this is where we will see the most impactful changes," Podnar said. "For example, we will get additional clarification and compliance insights around the relationship between territorial scope and data localization — or data transfers, if you will. This is a giant hornet's nest, and although new SCCs (Standard Contractual Clauses) helped tremendously, they didn't make the data management and transfer — territorially or from/to specific processors — any easier for marketers."
Although 2021 was not a highly eventful year for the ePrivacy legislation, work continues behind the scenes that will hopefully lead to a positive result, according to Fazlioglu. "But," she added, "this legislation will particularize and complement GDPR, so we will see the landscape getting more complex, not less."
Standard Contractual Clauses Deadline Comes Late 2022
One of the most important GDPR-related developments we have seen revolves around data transfers and SCCs, according to Fazlioglu. GDPR says contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses — so-called Standard Contractual Clauses (SCCs) — that have been “pre-approved” by the European Commission.
An important 2022 deadline for companies will be Dec. 27. That is the final deadline the EC has given for transitioning all old contracts to the new SCCs, two sets of which were released earlier this year. "So, companies who have data transfers relying on old contracts should have a plan in place to fully transition to the new ones in 2022, if they haven't done so already," Fazlioglu said. "And they will have to look very carefully at the module(s) required that are specific to the types of data transfers they engage in."
Looking Back at Major GDPR Fines
It's worth noting that EU lawmakers and enforcers of GDPR haven't sat idle. A number of fines have been levied, and more are to come. Here's a look at some of the top fines to date:
Amazon: $886.6 Million: Amazon holds the current top spot for its July 2021 fine of $886.6 million for processing personal data in violation of the bloc's GDPR rules. The Luxembourg National Commission for Data Protection (CNPD) imposed the fine on Amazon in a July 16 decision.
Google: $56.6 Million: Google in January 2019 saw a heavy fine from French GDPR regulators. Google violated its obligations under GDPR in the areas of (1) obligations of transparency and information, and (2) having a legal basis for ads personalization processing.
H&M: $41 Million: Clothing retailer H&M in October 2020 paid more than $41 million for illegally surveilling employees at its Nuremberg office in Germany. In many cases, not only were the employees' concrete vacation experiences recorded, but also symptoms of illness and diagnoses, according to regulators. In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company.
TIM: $31.5 million: The Italian SA in January 2020 fined TIM on account of several instances of unlawful processing for marketing purposes. The infringements concerned millions of individuals. From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register.
British Airways: $26 million: In October 2020, the Information Commissioner's Office (ICO) fined British Airways (BA) for failing to protect the personal and financial details of more than 400,000 of its customers. An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place.
“Given how active national data protection authorities have been over the past 12 to 18 months, we will see an increase — and more sophisticated and mature — in GDPR enforcement decisions come 2022,” said Podnar. “That also means that we will continue to gain clarity around what good GDPR adoption looks like, especially for marketers.”
Watch Facebook’s Potential Fine With Ireland
Last month, Reuters reported Ireland's Data Protection Commission (DPC) had proposed fining Facebook up to $42 million in one of more than a dozen probes. Under GDPR, the DPC shares the preliminary ruling with all concerned EU supervisory authorities before reaching a final verdict.
The complaint by Austrian privacy activist Max Schrems concerns the lawfulness of Facebook's processing of personal data, specifically around its terms of service, according to Reuters.
"I think a lot of eyes are on the Irish DPC's draft decision against Facebook, which has been circulated to other EU DPAs before it makes its final decision," Fazlioglu said. "I think there will be more to come from that discussion, and whether or not the other DPAs agree that Facebook may bypass consent because it enters into a contract with users to serve them targeted advertisements will be telling."