Scott Meyer, CEO and Co-Founder, Evidon
The European Union’s General Data Protection Regulation (GDPR) was put in place to standardize existing laws that call for transparency in how companies collect and store personal data about EU citizens. eMarketer’s Sean Creamer spoke with Scott Meyer, CEO and co-founder of Evidon, and Todd Ruback, the compliance services company’s chief privacy officer and vice president of legal, about what the GDPR will mean for marketers from outside the EU when it goes into effect on May 25, 2018.
eMarketer: What type of regulation is the GDPR?
Scott Meyer: It’s not a specific privacy or data protection law—it’s a data governance law. It embeds guidance on what regulators expect right into the legislation. GDPR requires companies to do the right thing, which means being transparent in what data they collect, taking responsibility for what they do with that data and knowing what their partners do with it.
Todd Ruback: Companies will have to comply with one law, instead of 28 laws across different EU countries. They will have to know how to budget their resources. The law itself requires companies to be fully accountable for what they do—that means looking inward and knowing everything [that is going on], and being transparent.
eMarketer: In this new data governance, what role do first- and third-party data play?
Meyer: The GDPR is accelerating the reality that brands, marketers and advertisers have to own a first-party data set—or align themselves with the owner of a first-party data set—to empower any third-party data. Third-party data has become commoditized: Everybody has the same data.
In addition, your technology needs to shift from facilitating third-party data to facilitating first-party data. That’s why huge exits have happened in this space. Salesforce bought Krux [a data management platform] for $700 million [in October 2016]. Krux’s core business is enabling first-party data. Oracle bought BlueKai [in February 2014] for the same reason.
eMarketer: Why do non-EU companies need to pay attention to the GDPR?
Ruback: The GDPR is a de facto national privacy law. Companies have to comply with and standardize to this law [if they do business in the EU], because it applies to any company that offers its services to consumers in the EU.
eMarketer: What sectors does the regulation pertain to?
Ruback: All advertisers and marketers must comply. What ties them together is big data. It’s the companies that use big data and any intermediary in the digital ecosystem supply chain. Regulators will most likely enforce the provisions in the GDPR against the website operators, the brands, the advertisers and the marketers for any violations from these intermediaries. The penalty for noncompliance is up to 4% of your gross global revenues.
eMarketer: How have companies worked toward GDPR compliance to date?
Meyer: The GDPR compliance market alone is $9 billion. PricewaterhouseCoopers [PwC] did a survey of 200 US-based companies, with more than 500 employees, that touch European consumers. Sixty-eight percent of companies said they would invest between $1 million and $10 million in GDPR compliance. Nine percent said they’d spend over $10 million, and 24% plan to spend under $1 million. If you calculate the weighted average, it’s $4.5 million per company.
eMarketer: What were the motivating factors for the EU to craft the GDPR?
Ruback: This is one step in the larger pan-European strategy called the Digital Single Market [DSM]. When you strip out all the white noise, they’re trying to create conditions within the EU to spawn the next Facebook or Google—essentially an EU tech company. The first step in implementing a DSM is to unify all the data protection laws. The second step is to unify all the tax laws, and that’s starting to happen. The third step is creating incubators for companies to take root and grow.
eMarketer: What happened in the marketing space that inspired the EU to unify data governance laws?
Ruback: Regulators noticed that companies weren’t being accountable for their own actions. These companies also weren’t being transparent about their practices. Regulators wanted to solve that, because the EU’s approach to privacy is that the individual should be empowered. He or she should have control over their own personal data. The purpose is to give power back to the people.
eMarketer: How does Evidon’s technology help marketers remain GDPR-compliant?
Meyer: We’re focusing the business on the need for a script library. You need to have technology to connect the dots for the user. We’re building a front-end consent API. Every company’s stack is very diverse and spread out, but they need to get them in place to have a good user experience. No consumer wants to respond to 30 different consent notifications hitting them every time they do something as simple as get a new cellphone.