There are a number of misconceptions about the EU’s General Data Protection Regulation (GDPR), which comes into effect on May 25.
In a wide-ranging presentation at Connected TV World Summit, Sacha Wilson, senior associate, Bristows, said that GDPR effectively built on the 1995 Data Protection Directive. Articles 13 and 14 of the GDPR, which Broadband TV News notes refer to information to be provided where personal data are collected from the data subject (13) and have not been obtained from the data subject (14), include several additional elements.
Among them are the intention to transfer data outside the EU; the right to withdraw consent at any time; and the right to complain to a supervisory body. Significantly, Wilson also gave the example of The Guardian’s Privacy Policy video as something people can expect to see in the future.
Furthermore, he said that the GDPR doesn’t say you have to get consent. This is something that the upcoming ePrivacy Regulation does, while the GDPR says when you need to get consent and how to get it.
The GDPR also adds some hurdles, with consent having to be distinguishable and not hidden away. This can be challenging in a connected TV environment.
Wilson also outlined a number of differences between the GDPR and the ePrivacy Regulation. While the former will automatically apply from May 25, it is not yet known when the latter will.
Also, the GDPR applies to all legacy data, including any unique identifiers, while the ePrivacy Regulation applies to direct marketing communications and to setting or accessing any device-side data.
Wilson added that regulators are talking about cookies, which consumers generally do not like, and that in the case of the ePrivacy Regulation there is a possibility that cookie consents could be moved to the browser level.