Voluum Glossary

What is GDPR

The General Data Protection Regulation (GDPR) is a comprehensive and far-reaching data protection law that came into effect in the European Union (EU) on May 25, 2018. It was designed to provide individuals with greater control over their personal data and to establish a more unified regulatory framework for data protection across EU member states.

The GDPR’s impact extended beyond the borders of the EU, affecting businesses and organizations that process personal data of EU residents, regardless of their geographical location.

History

The origins of the GDPR can be traced back to the Data Protection Directive of 1995, which laid the groundwork for data protection principles within the EU. However, as technological advancements and the digital economy evolved, concerns about data privacy escalated. GDPR was introduced to replace the outdated directive and to address the challenges posed by rapidly changing data practices, increased digitalization, and the growing risk of data breaches.

The idea of GDPR

The main purpose of this legislation is to make data collection processes manageable by limiting the amount of data that is recorded and stored, by introducing security measures and policies, such as appointing a dedicated Data Protection Officer who deals with any mishandling of employee or user data, and by giving users the right to opt in to or opt out of any data collection measures.

User data, especially sensitive data like medical records, cannot be collected freely – it can only be collected in the scope that is necessary to provide a service. This is a huge paradigm shift from the usual approach to data, which tried to get as many data points on users as possible.

Main provisions

Consent and Control: The GDPR places a strong emphasis on obtaining clear and informed consent from individuals before collecting and processing their personal data. Individuals have the right to withdraw consent at any time. They also have the right to access their data and request its erasure (the “right to be forgotten”).

Consent-Driven Advertising: Advertisers must obtain explicit and informed consent from users before utilizing their personal data for targeted advertising. This led to the rise of more transparent and user-friendly consent mechanisms, impacting the way ads are displayed and targeting strategies are formulated.

Data Minimization: Advertisers are now required to limit the data collected to only what is necessary for the intended purpose. This shift has resulted in a more focused approach to data collection and utilization in advertising campaigns.

Cookie Consent: The GDPR’s requirements for cookie consent led to the widespread implementation of cookie banners and pop-ups on websites, informing users about the cookies used and giving them the choice to opt in or out.

Profiling and Automated Decisions: The regulation established rules surrounding automated decision-making and profiling, including the right to object to such processes. This has implications for programmatic advertising and algorithms used in ad targeting.

Third-Party Data: Advertisers using third-party data sources for audience targeting faced challenges as they needed to ensure that data providers were compliant with GDPR regulations, and that proper consent was obtained for data sharing.

Territorial Scope: The GDPR applies not only to businesses based in the EU but also to those outside the EU that process the personal data of EU residents, irrespective of the data processor’s location.

Effect on Digital Advertisers

The GDPR has had a profound impact on the landscape of digital advertising, inspiring similar laws in other countries:

  • California Consumer Privacy Act (CCPA): Enacted in 2020, the CCPA grants California residents similar rights to those outlined in the GDPR. It gives consumers control over their personal information and requires businesses to disclose data collection practices.
  • Brazilian General Data Protection Law (LGPD): Effective in 2020, the LGPD draws parallels with the GDPR by establishing principles for the processing of personal data, consent requirements, and rights for data subjects.
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada: While predating the GDPR, PIPEDA was amended in 2018 to align more closely with its principles, enhancing user control over their personal information.
  • Data Protection Act 2017 – Mauritius: Taking cues from the GDPR, this legislation introduces data protection principles and empowers individuals with rights over their personal data.
  • Kenya Data Protection Act 2019: Inspired by the GDPR, this law governs the processing of personal data and emphasizes user rights and data protection measures.
  • Japan’s Act on the Protection of Personal Information (APPI): Japan revised its data protection law in 2017 to enhance individual rights, establish breach notification requirements, and strengthen cross-border data transfers, partly aligning it with GDPR principles.

Final thoughts

Ad analytics platforms such as Voluum offer their users full GDPR compliance, something that is not an industry standard. There are a handful of other GDPR-compliant analytics tools, but the biggest one – Google Analytics – is not on this list.