Grappling with GDPR: What Brands Need to Know About Data Privacy

As Europe’s General Data Protection Regulation forces companies worldwide to conform to stricter privacy standards, firms are struggling to determine how they can safely implement GDPR, protect user data from hackers, and be transparent in online advertising and communications to avoid a public backlash and/or regulatory penalty. Allie Bohm, Policy Counsel at Public Knowledge and a speaker at the August 2 Cynopsis Measurement & Data Conference, says brands need to think about their data policies “from the bottom up.”

But first, find a good lawyer. “Much of what it means to ‘implement GDPR’ is still being worked out both through regulation and through litigation in Europe, so how to safely implement GDPR is actually a challenging question,” says Bohm. “Where brands are collecting Europeans’ personal data, the best course of action would be to consult with a European lawyer who is an expert on this topic. The International Association of Privacy Professionals has a certification for ‘Information Privacy Professionals’ focused on Europe, and an attorney with this certification would be a good bet.”

As for protecting user data from hackers, “Brands should think about their data collection and retention policies and practices from the bottom up, starting by asking what user data they collect,” advises Bohm. “Do they really need that user data? And, if so, for what purposes? How long do they need to retain the data to achieve those purposes? What would be the costs of losing user data – both in terms of financial cost and reputational cost, as well as any other costs? In light of the answers to those questions, brands should think about what they need to do to protect user data. At a minimum, brands should adhere to the latest, state of the art data security practices. But, in many instances, the best security policy is what’s known as ‘data minimization’ – not collecting or storing extraneous data in the first place. If brands do not have the data, they cannot lose the data and data thieves and other malicious actors seeking the data will have less of a reason to target the brands.”

Transparency in online advertising and communications is super-important to avoid a public backlash, and brands should voluntarily implement the notice and consent practices they adopt to comply with the GDPR in the United States and in the non-European countries where they operate, says Bohm. “They should find user-friendly ways to inform users of the data they collect and store, why those data are collected and stored, how long those data are retained, and with whom those data are shared. For data points that are not necessary to complete the user-requested transaction, brands should allow users the option to not have the data collected, stored, or shared at all. To the greatest extent possible, these notice and consent points should not be buried in the depths of a privacy policy, but rather should be displayed to users in formats in which they are likely to actually observe and absorb the information and make an affirmative election. These actions will build good will among users.” Also worth noting, says Bohm, is that “many users will opt-in to targeted advertising, because they find it to be time-saving and prefer to see advertisements that are relevant to their interests.”

As for avoiding regulatory penalty, it is important that brands are honest about what they do and do not do with user data. “The Federal Trade Commission has the authority to take enforcement action against companies that engage in unfair or deceptive practices,” points out Bohm. “A deceptive practice occurs when a company says that it is doing one thing, but actually does another. So, if a brand claims that it will delete user information upon a user’s request or that it does not collect certain data, it must, in fact, delete the data upon request or decline to collect the particular data, respectively. The FTC uses its unfairness authority much more sparingly, but to ensure compliance, companies should make sure to avoid actions that (a) cause (or are likely to cause) ‘substantial injury’ to users, (b) where there is no way the user could reasonably avoid the harm, and (c) there are no countervailing benefits of the action to the user.”  

The Cynsiders column is a platform for industry leaders to reach out to colleagues, followers, and the public at large. In their own words and in targeted Q&As, columnists address breaking news, issues of the day, and the larger changes going on in the ever-evolving world of television, video and digital. Cynsiders columns live on Cynopsis’ main page and are promoted across all daily newsletters. We welcome readers’ comments, queries, and column ideas at
