Written by Marc Gagné
It’s a laughable understatement to say that the past twenty years have brought dramatic changes in online technology. The internet has grown and we’ve grown with it. Jobs have changed. Industries disrupted. Online marketers, in particular, have evolved with the internet and it’s made them highly proficient in achieving their goals — thanks in no small part to being able to leverage one crucial tool: the ever-growing body of consumer data that’s amassed and made available to them.
Now, with the General Data Protection Regulation (GDPR), that may all be about to change. For digital marketers, whose lifeblood is consumer data, the EU’s new privacy standard is presenting challenges. For many, these challenges are serious enough to make them consider skirting the law. Meet the rebels who simply won’t — or can’t — comply.
Facebook and Zuckerberg’s GDPR-Fueled Digital ‘Dilemma’
Most companies are trying to comply with GDPR. It’s an important issue that needs to be treated carefully.
Then, there’s Facebook.
Instead of altering their privacy policies, contracting GDPR support services, or hiring data privacy specialists to manage the transition to compliant levels of privacy standards, they’re choosing the double standard. That is, they will apply tough privacy standards to just their EU users, leaving everyone else to suffer (with less protection).
It certainly solves the compliance question but leaves us with a bad taste insofar as ethics are concerned. They’re quite literally proving that they don’t truly care about data protection (or their users). It’s been hard to love Facebook and Mark Zuckerberg these days, but now it’s even tougher. Ethics vs. the law… it would be nice to say it’s a dilemma for Zuckerberg but it’s not exactly clear he sees it that way.
It’s easy to vilify Mark Zuckerberg and his flaunting of the spirit of GDPR but it’s also easy to see his motivation. Facebook, perhaps more than any other company on Earth, is intertwined with user data on a cellular level. Facebook feeds on it, just as it gathers and amasses more of it than any other entity.
Until now, nothing has ever challenged this symbiotic relationship to such a degree as GDPR has.
It’s hard to believe, but GDPR is the first major overhaul of privacy protection rules since the 1990’s. What’s new? Many things but chiefly, GDPR trends toward accountability. Under the new regulations, companies are held accountable for the protection of user data. In essence, they are to meant to cede control, handing the reigns over to the user.
Under these new regulations, users are the ones who decide, through clear language and easy interfaces, whether to allow their data to be shared. They also get to revoke any permissions they’ve given about sharing their personal information and, along with a few other measures of control, have generally more control of who sees their info.
No skirting the issue here: Facebook is telling us they’re accountable but only because they have to be. We already know this brand has no soul… now we can say there’s really no shred of dignity left for them either.
Google and Their Convenient Relationship With Publishers
Google hasn’t outright refused to comply but they do seem to be using some heavy-handed manipulation to essentially duck out of GDPR-level protection. Unlike Facebook, which is adopting two standards of privacy protection, Google is simply passing the buck.
In March of this year, Google announced that they would be complying with GDPR. However, behind the scenes, what they’re doing is requiring their publishers to comply* without themselves doing very much to assist or otherwise ease the burden of compliance.
Since Google is the entity that’s technically responsible for obtaining and managing user consent for collecting data, shouldn’t those processes be managed by Google itself? Couldn’t compliant functionality be built into their ads, thereby creating a uniform experience for users who click on those ads?
Those seem like obvious solutions but Google is marching forward in a different direction. As mentioned above, Google is requiring Ad publishers to deal with compliance: to obtain consent on Google’s behalf. Is that even enforceable? About three-quarters of U.S.-based publishers use Google to make money selling ads. Google Ads is also prevalent on EU-based websites. It’s as if Google is a manager doling out important tasks to a team of greenhorn hires on day one and then leaving them to flail on their own with no guidance, feedback, or oversight. What do they expect?
It’s Clear Who’s Accountable: Google, the Data Controller
As a ‘data controller’, Google is the decision-maker when it comes to how data is collected, stored, and used. GDPR regulations hold data controllers responsible for all the new privacy protections everyone’s talking about:
- obtaining consent for collecting personal data
- giving users the power to revoke their consent
- giving users access to the data that’s collected on them
Google, as a data controller, needs to pay attention to these responsibilities, under GDPR.
By applying a solution we all know can’t possibly work, Google decision makers are, in essence, not complying. They’re certainly not stepping up to assume any role of responsibility for user data.
The Courageous Non-Compliers
While Facebook and Google try to save face with smoke and mirrors, pretending to comply but not really doing so, others are waging an outright war with GDPR.
Chief among them is the L.A. Times, a newspaper publishing giant in the United States. Rather than bear the technical and legal costs of complying, they have chosen to simply block EU readers from reading their online newspaper. Obviously, this comes with a cost and this is no great time for old-school newspapers to give up readership.
The Chicago Tribune and the New York Daily News have also chosen to make their papers unavailable to EU readers. They’re taking a stand, making their opinions and their intentions known. One way to look at this is to say that these are actions which align with general journalistic principles.
You cannot say the same for Facebook, a company purportedly founded on facilitating social connections and which has won brand love for the positive impact it’s made on its users’ lives. By implementing a double standard for privacy, Facebook is not returning that love.
A few more who have boldly stated their non-compliance(1)(2):
- A&E Television Networks
- Verve (marketing)
- Ragnarok Online (gaming)
- Drawbridge (app)
- Unroll (email subscription service)
- Brent Ozar Unlimited (software)
- Steel Root (cybersecurity firm)
GDPR aims to clamp down on the wild abandon with which companies have obtained, used, and stored user data in the past. No longer is the personal data of EU citizens to be treated like so many tuna at the market: bought and sold with no regard to the impact on the source.
Facebook and Google lead the way in many areas. Now, they also have the dubious distinction of becoming leaders in the careful avoidance of strict privacy measures.
Leaders in the U.S. are asking Facebook and Google to extend GDPR standards of protection to U.S. citizens. But they do so without having bothered to create their own legislation. This is simply asking for trouble. Facebook, for one, has proven that, unless there’s a law, they won’t put privacy first.
Maybe, in the long run, they and other non-compliant companies will have done us all a great favor. With their glib avoidance of GDPR, they may actually be forcing the issue, leaving the U.S. and others no choice but to enact similar legislation sooner rather than later.
Marc Gagné CCIE, CCII, CCTA, CIPP/G/C, MAPP