Europe is enacting strong safeguards to protect the personal data of EU citizens. It is prepared to levy big penalties on offenders. Think this is just a European thing? Think again. If you have users in the EU and break the rules it could cost you 4% of your global revenue!
While the U.S. is going backwards with personal data security, Europe is pressing ahead with new legislation called the General Data Protection Regulation (GDPR). This comprehensive set of rules governing how personal data is gathered, stored, and exploited will become the law in every EU country in 2018.
I chaired an event last week in London sponsored by Verimatrix called “Becoming a data champion – what media companies need to know.” One of the panels I moderated, entitled “Exploiting data-driven TV in a changing regulatory environment,” looked at the impact of GDPR on video businesses. This eye-opening discussion was under Chatham House Rules. However, I talked with one of the panel members afterwards for some on-the-record comments that are of particular interest to non-EU companies.
Only collect what the consumer will agree to
John Enser, Partner, Commercial Practice, Olswang, said that a key guiding principle is that companies should collect the minimum of data required. This struck me as fundamentally different to the approach currently being taken by many online video companies. Most think more is better, and collect everything even though they aren’t sure what they will do with it. That prompted me to ask how to set a minimum. His advice is:
“What can you sell to the consumer as being justifiable. In order to get the consumer consent to collect that data you’ll need to tell a story of why it is going to be of value to them.”
Keep the minimum for as short a time as possible
There is not just an obligation to collect only what you need, but also to hold the data for as short a time as possible. As Mr. Enser says:
“There is an obligation to hold data for only as long as you need to. Therefore anything that you are not going to use on a relatively short-term basis, you might as well throw it away. And might as well not collect it as you’ll have to throw it away before you’ve worked out what you can do with it.”
Simply put, the law says if you don’t have an immediate, authorized need for the data, there is no point in collecting it.
Global U.S. video services must obey GDPR
Most important for U.S. companies is that if they collect any data on EU citizens they will have to conform to GDPR, according to Mr. Enser.
“Non-EU organizations targeting EU citizens with goods or services will be expressly caught by the rules. In-scope organizations need to designate a representative in the EU to act as a point of contact with regulators and data subjects on compliance matters.”
That means companies like Netflix, Amazon, and YouTube are all likely going to have to conform to GDPR. Even much smaller SVOD services like Crunchyroll and Curiosity Stream will have to obey the law if they have European customers.
And failing to comply with the legislation can lead to a fine of between 2% and 4% of worldwide revenue. For a company like Netflix that would be a maximum fine of $350M!
If your video business has even one customer in the EU and you are collecting user data, you should look at the full impact of GDPR. You will need to change how you gather, store, and use that data. But don’t delay: failing to act could cost your business a lot of money.
Why it matters
GDPR is new EU legislation protecting the personal data of EU citizens.
Non-European video services that collect user data on EU customers must comply with the legislation.
Failing to do so can incur a fine of up to 4% of global revenue.