A GDPR primer for Canadian publishers and brands

If your web or mobile site tracks European consumers, the EU's new regulations – and its steep fines – apply to you.

Canadian publishers, ecommerce providers and online brands have likely been hearing about GDPR a lot in recent months. The European Union’s General Data Protection Regulation is set to come into effect in May, drastically changing the degree to which European consumers can control their personal information and altering how businesses in the region work online.

But even though an ocean divides the Canadian industry from European lawmakers, businesses in this country need to pay attention to the EU’s new rules or potentially face steep fines.

The new regulations come into effect on May 25. IAB Canada has been holding information sessions since late last year to help ready businesses for that deadline, because while its members may not be based in the EU, the GDPR applies to any consumer who is located there – even when they browse abroad.

GDPR has extra-national reach, and those who do not conform to its standards when dealing with European consumers could face fines of up to €20 million or 4% of a company’s annual worldwide revenue, whichever is higher.

“Digital media or advertising businesses in Canada will be directly impacted by the GDPR if the company processes personal data of EU residents,” Sonia Carreno, IAB Canada president, told MiC. That applies to companies that offer goods or services to EU citizens or monitor their online activity for behavioural advertising purposes.

The new regulations mainly concern how personal data is processed, and expand what counts as “personal” information. While most North American businesses generally agree that personally identifiable information includes things such as names, email addresses, passport numbers and the like, GDPR looks to expand that to include advertising identifiers and, potentially, cookie data.

The existing cookie rules, established in the EU’s ePrivacy Directive of 2002, currently remain in effect. However, the EU is now considering changing how cookie information relates to personal, identifiable information. In effect, proposals now being discussed would allow users to opt-out “at the browser level,” according to Carreno, which she says would leave publishers “with few options to monetize their content. The proposal goes on to recommend that publishers shall not be given the right to withhold content from consumers based on their opt-out status.”

GDPR also expands the rights of EU citizens to access and control how their data is collected. Not only must opt-in consent be given explicitly, but a consumer will be able to request access to a company’s data records as they pertain to the individual. They can also request corrections, or object to some or all of its collection.

“The highest risk is around misinterpretation of the law,” said Carreno. While Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is similar in many respects to GDPR, “it is extremely important for organizations to understand the differences and build frameworks to support them. Working with both Canadian and EU counsellors is recommended to ensure there are no gaps in compliance between both jurisdictions.”

IAB Europe has developed a tool that allows online companies to view the opt-in status of individual European consumers at various points in their data collection, and IAB Canada is helping businesses here integrate that approach.

While large-scale and multinational organizations are likely already validating their GDPR approaches with their European divisions and legal counsels, IAB Canada is making five key recommendations to all online businesses to help them get up to speed.

1. Designate a responsibility lead in your organization
2. Establish a GDPR task force and create a compliance roadmap
3. Review and map data processing activities
4. Review and manage all data partners (both those hired directly by your firm and those hired by your agency partners)
5. Consult guidance from EU regulators, such as the U.K. Information Commissioner’s Office