The Trend Toward Emphasizing Data Minimization

Read more about author Amy Yeung.

With GDPR being the “shot heard ’round the world,” the digital industry, the regulators, and the courts have developed and readjusted the way in which we need to think about this revolutionary body of law. Through this experience, I’ve had a few flashback analogies to Y2K: Leading up to the event, it was a period of extreme stress and anxiety about how different ecosystem players set up their own architectural considerations, and because of this, the system was going down. Like Y2K, the systems haven’t yet gone down, although the entire experience shed a lot of light and contextual awareness across the industry. Across a global utility, this provided significant visibility of some of the broader industry considerations and needs for standardization.

Perhaps this is what the European regulators are thinking when regulations continue to roll in. These standards, too, continue to evolve through ongoing interpretation of “personal data” and the ways in which it can and cannot be used (such as the recent European Data Protection Supervisor decision relating to Schrems). It’s no wonder that so many companies are in a constant state of flux and confusion.

To add one more thing to the list, the passage of time has slowly moved new ePrivacy regulations into the background. But because new regulations would likely have such a significant impact on the use of big data and data combination, there is a need for greater awareness, particularly as legislators have increased their investment in updating them.

Just as GDPR replaced laws drafted in 1995 (the year that a flip phone – the Motorola StarTAC – was introduced), the ePrivacy Regulation will replace the ePrivacy Directive, which dates back to 2002 (the first year RIM’s BlackBerry incorporated a mobile phone). It will go into effect across the entire EU simultaneously and will be applied in the same way in all EU member states. GDPR came in with a bang, but the ePrivacy Regulation seems to have snuck up quietly, while the industry was focused on solving other pressing data-related problems.

Fundamentally, the current Directive (2002/58/EC, the ePrivacy Directive) focuses on electronic communication services – specifically, cookie technology. Given the evolution of other tracking identifiers like pixels, metadata, and other tracking technologies, we anticipate that the forthcoming law would apply to any electronic services relating to its use or processing, the use of terminal equipment information (i.e., cookies and other modern technologies), and direct marketing communications to end users. When circulated, such a vast application is likely to create another wave of evaluation of how to reframe, which is the last thing that any business coping with today’s climate of uncertainty needs in recruiting clients and building client trust.

In developing a strategy to meet these new regulations, businesses must place data minimization at the forefront. Simply put, the more user data you store, the greater your risk of creating larger business expenses and increased operations for regulatory monitoring. To keep your data compliant, make it manageable. Every business needs to assess how it collects user data today, and its reasons for collecting it. Next, the business must identify the data that is most crucial for fulfilling those purposes. That’s the only data the business should continue to collect and store.

One of the basic principles guiding GDPR and ePrivacy is that if a business owns user data, it should keep that data safe. Data security and data minimization are both goals toward upholding those principles. The law itself does not specifically tell businesses how to comply; instead, the laws create multiple balancing tests and processes through which a company’s choices can qualify as intentional decision-making. But for your business, the legislation’s prioritization of data minimization as one of the top principles in the modus operandi, along with the already-emphasized data security principle, can ease an organization down the road to compliance – not to mention reducing worries about being penalized with hefty fines of up to 20 million pounds or 4% of global annual turnover. Minimizing and maintaining the integrity of user data isn’t just good for users; it’s practical for the bottom-line concerns of the business.

These regulatory changes are coming at the same time the digital ad industry is being forced to reassess marketing, the adtech/martech industry, and the digital notion of identity. To many stakeholders, these two goals might seem to call for contradictory means. It might seem that to solve for identity, having as much data as possible on your users or consumers reduces your risks of inaccurate targeting and measurement. The prospect of minimizing data might seem to undermine identity strategies. But it doesn’t need to – the key to data minimization is to identify data that you know will get the job done.

Now, if you find yourself thinking, “I don’t collect user data myself, so this is all someone else’s problem,” don’t be so hasty. Intermediaries along the ad supply chain need to be on alert. Some intermediaries relaxed when they realized GDPR was directed largely at either end of the chain, and it had no teeth for enforcing the law in the long middle. We don’t know yet whether the ePrivacy Regulation will be a reckoning for vendors that need to process user data. But given the current draft’s position on cookie data – that dominant service providers must provide an equivalent option to access without cookies (i.e., cannot have cookie walls) – the European leanings suggest that future interpretations of usage and utility will continue to narrow. And with third-party cookie deprecation also coming quickly and industry-wide reliance on first-party data increasing, that data – the data necessary for core business functions – is becoming far more personal and risky to process.

Data minimization pays off down the line for a business, too, as it periodically reassesses compliance. It simplifies processes like DPIAs (data protection impact assessments) and governance, and the resources necessary for data security. Data minimization ultimately cuts costs, gives businesses more freedom in how they allocate resources, and helps preserve the business’s reputation and goodwill among users and business partners. 

As the ePrivacy Regulation moves closer to approval, the industry can’t have another 2018, with all of its uncertainty and anxiety. The last four years have shown us how seriously EU regulators take privacy. Industry leaders know we must take it at least as seriously. We start by focusing on the data we truly need. Businesses can’t have a “rainy day fund” for data – in the end, that increases business risk, rather than lessening it. 