Back in December 2021, the hook-up app Grindr was fined around $7.1 million by Norway’s data protection authority for passing user data to advertisers without consent. This is one of the most recent cases reminding advertisers to take all the necessary measures, while planning and executing their advertising campaigns, to make those campaigns fully GDPR-compliant and so protect company budgets.
We spoke to Teodor Stanciu, an EU privacy legal consultant and a top-rated GDPR consultant on upwork.com for more than three years, to understand how businesses operating and launching digital advertising and ABM campaigns in Europe can avoid multimillion-dollar fines.
Why you need to review your advertising (ABM) vendor’s GDPR compliance
Let’s start with a simple question: why do I, as an advertiser, need to review a vendor’s GDPR compliance? The answer is that it is actually the duty of controllers to ensure that the other companies and suppliers with which they regularly work are also GDPR-compliant. Under the regulation, both data processors and controllers are directly liable to data subjects for breaches, damage, or non-compliance that led to a breach.
What happens if an organization doesn’t comply? The risk of non-compliance can be quite costly. The fine can go up to 4% of the annual global revenue of a company or 20 million EUR, whichever is higher. Even if no fine applies, organizations can still be punished via warnings, reprimands, and corrective orders. While these reduce the immediate financial burden, the resulting reputational damage can be equally problematic. So, a thorough GDPR compliance policy that incorporates everything the organization has learned from audits and analysis will be a key part of staying fine-free.
In fact, in recent months, the overall sum of GDPR-related fines has started increasing dramatically, which means that more and more businesses conducting marketing and advertising campaigns in Europe are put at risk.
Grindr’s case: what exactly went wrong
In 2020, the Norwegian Consumer Council filed a complaint against Grindr, a mobile social networking app for gay, bi, trans, and queer people, claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared included:
– GPS location
– IP address
– Advertising ID
– The fact that the user in question was on Grindr
So, users on Grindr could be identified through the data that they were sharing, and the recipients could potentially further share that data.
The authority concluded that Grindr was sharing user data with a number of third parties without a legal basis. Users were not able to exercise real and effective control over the sharing of their personal data. Business models in which users are in fact pressured into giving consent, without being properly informed about what they are consenting to, are not compliant with the GDPR rules.
In terms of the financial consequences for the company, the authority imposed an administrative fine of approximately $7 million EUR for not complying with the GDPR rules on consent. In fact, the fine was initially even higher, but Grindr started cooperating, so the authority was more lenient and reduced it.
How advertising and ABM platforms put marketers at risk
The implications of GDPR extend to any and all business-to-business activities that attempt to reach out to data subjects in the European Union based on personal data. This includes but is not limited to:
- Phone numbers
- Work or personal email addresses
- IP addresses, etc.
So, in the case of ABM campaigns, targeting data subjects involves the use of personal data in ways that generally go against or beyond an individual’s reasonable expectations. And of course, there is the risk of infringing the applicable data protection principles and rules. This means that organizations need to ensure that the selected lawful basis matches the objective and context of the processing operation in question.
In general, organizations can be in breach if they have no legal basis for the data processing, lack appropriate technical and organizational measures to ensure information security, do not process data in accordance with the general data processing principles, or do not appropriately fulfill data subjects’ rights. Other common causes of a breach include:
- Insufficient fulfillment of the organization’s information obligations
- Insufficient cooperation with the supervisory authorities
- Failure to appoint a Data Protection Officer where one is required (it is not always required, but when it is, nominating one is mandatory)
- An insufficient data processing agreement in place
Questions to check your digital advertising / ABM vendor for GDPR compliance
It’s important to highlight that privacy protection will continue to expand and develop over time in Europe as we see more and more guidelines from national authorities, the European Data Protection Board, and the Court of Justice of the European Union. So, organizations cannot say at the end of the day, “Well, we did our compliance back in 2018 when the regulation became applicable, so everything is still in order.” There is no “one size fits all” approach to GDPR compliance. What is acceptable for one organization is not necessarily acceptable for another.
However, asking your legal team and the potential vendor these questions before you start working together will decrease the risks dramatically:
1. How do your suppliers respond to crises such as data breaches?
2. Are all the necessary contracts put in place with your vendors?
3. Does the contract set out what personal data is used for what purpose?
4. Are the roles clarified? Who is the controller, processor, or joint controller?
5. Is there a confidentiality clause?
6. Does the contract provide for audits and inspections?
7. Is it clear who will be accountable and liable for different activities?
8. Is there any provision to cover third-party processing of personal data?
9. What will happen with the processing of the personal data once the contract ends?
10. Are there any records of processing activities put in place? Does the supplier hold any form of certification for the processing activities?
11. Are there any incident response plans if a data breach occurs?
Make sure that all the privacy-related documents are publicly available on the vendor’s website. As a reference, you can use N.Rich’s Privacy notice for users, Privacy notice for suppliers, and Privacy notice for potential customers.
How to mitigate the risks
So, you have realized that one or more of your campaigns are not entirely privacy-compliant. It’s important to start acting immediately and take the following steps:
Run a gap analysis. Map and manage the use of the personal data for which you are responsible, and abide by the “privacy by design” principle.
Run a privacy assessment. Understand your legal obligations across all applicable jurisdictions, and establish which third parties had access to the personal data and how that information may have been shared onward to other companies.
Delete all personal data that has been illegally collected. Ensure that the third parties that have received the information do the same. Organizations also have to ensure that users’ personal data is no longer being shared with or spread to other companies.
Enhance the technical and organizational measures that secure the data. And, of course, invest in compliance solutions, training, and legal expertise. This will cost you less than a possible fine, which also comes with reputational damage.