How Do EU Data Privacy Laws Affect U.S. Marketers? (Hint: They Really Do!)


In December 2015, the EU announced that businesses could be fined up to 4% of global revenue for failing to comply with its privacy laws. Recent developments clearly indicate that privacy is one area headed for serious debate in 2016, as individuals, companies, and governments clash over what can or can’t be accessed. Josh Manion, CEO of the tag management and omnichannel data firm Ensighten, answers questions about the effect of EU privacy concerns and laws on U.S. marketers.

Q: U.S. marketers have traditionally stayed at arm’s length from data privacy issues. What is changing to force them to contend with this issue?

A: Although U.S. marketers have typically put data privacy issues on the back burner, recent court cases and changes in how the European Union (EU) treats digital privacy are being felt by companies outside EU borders. Consequently, the stakes for U.S. marketers doing business across the Atlantic have grown exponentially.

The first big news last fall to hit was action taken by the European Court of Justice to strike down the 15-year Safe Harbor Act under a legal challenge. The act had allowed more than 4,000 global businesses, including brands such as Facebook and Google, to transfer data from the EU to U.S. servers by self-certifying they met data-protection standards under European law. Now, multi-national companies transferring data from the EU must put other approved legal provisions in place to authorize data transfers.

Q: What are the implications for U.S. marketers under the newly negotiated replacement for the Safe Harbor Act?

A: Early in February EU and U.S. officials announced a replacement for the Safe Harbor Act to ensure data transfer between EU countries and the United States. That new, carefully negotiated agreement puts stringent rules in place when data about European citizens and residents is transferred across the Atlantic. But that new agreement must be approved by the 28 EU member states.

Q: What specific new privacy regulations should marketers be aware of, if any?

A: Marketers additionally need to keep the new General Data Protection Regulation and Data Protection Directive top-of-mind. The General Data Protection Regulation pertains to the use and privacy of EU citizen data, while the Data Protection Directive governs the use and privacy of EU citizens’ data by law enforcement. Both aim to provide more protection for EU citizens and residents in how personal information about them can be used.

The European Parliament is expected to vote on final approval of the new regulation in early 2016. Companies failing to comply with data protection rules under the regulation could pay penalties of as much as 4 percent of annual revenue. Infractions among large Internet companies could cost billions.

Q: What changes will marketers have to make as a result?

A: U.S. marketers need to understand that the rules governing data-driven marketing are changing, and they will need to learn to play by the rules. To comply with new data privacy rules, companies will first need to assess their marketing strategies and programs, and apply privacy protections across international borders. That means auditing how first-party data is used in the marketing technology stack to ensure adherence to the privacy regulations.

Q: Where do tag management systems fit into this?

A: Given the volume and velocity of data generated in a company’s digital ecosystem, enterprise tag management systems can stand as a first line of defense in controlling and managing data, including instituting powerful safeguards for data privacy.

Tags are the primary way used to collect and distribute digital customer data. By extending the functionality of traditional tag management, an enterprise-class solution can enforce a company’s privacy policies, block unwanted website trackers from firing, and ensure full compliance with user preferences and privacy laws enacted by jurisdictions around the world.

Q: What should marketers look for in enterprise tag management systems to secure data and comply with privacy regulations?

A: When analyzing enterprise tag management systems for data security and privacy purposes, foundational capabilities marketers should look for include:

• Real-time Enforcement – Rules governing privacy requirements mean the enterprise marketer will need to manage consumer-friendly “consent” processes with users in real time. An enterprise tag management solution should enable marketers to customize the consent experience; disclose information about data tracking and its intended use; give them the choice to opt out of data tracking; and enforce visitor consent.

• Data Control – The marketing team needs full visibility into any and all third-party — and even fourth- and fifth-party — tags placed on websites. In addition, marketers must monitor tags for unusual behavior or policy non-compliance. Brands can additionally protect themselves by restricting the sale of their data to third, fourth and fifth parties.

• Data Security – The marketing team needs to ensure the security of data within tags based on internal privacy and data security policies. That means identifying and preventing leakage of sensitive data from the browser. Regular privacy audits and tag analysis will enable marketers to identify vulnerabilities and areas of potential data leakage, including consent interfaces when visitors opt in and out of data collection.

• Workflow Management – Marketing teams can secure data by tightly managing and restricting access to use by designated teams and individuals only. A company, for example, can leverage the tag management system’s workflow governance to streamline workflows across teams, geographies and agencies, while ensuring data is governed according to policy. Rules can be established for access to and use of data among internal teams, agencies and trusted partners and other sources.

• Whitelist Control – The marketing team needs full control in the browser to enforce visitor consent over all tags, not just ones added by the company itself. It’s important to minimize fourth- and fifth-party tags. Real-time enforcement at the tag level is key, rather than cookie-based opt-out enforcement only. This capability can also give the website owner control over which technologies are allowed by putting them on a “whitelist.”
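
The tag-level enforcement and whitelist control described in the answer above can be sketched as a decision made before a tag's request ever fires. This is an added example, not Ensighten's code or part of the original interview; the vendor hosts, consent categories and the function names `evaluateTag` and `auditTags` are all hypothetical.

```javascript
// Constructed allowlist: vendor host -> consent category the visitor must grant.
const ALLOWLIST = new Map([
  ["analytics.vendor-a.example", "analytics"],
  ["ads.vendor-b.example", "advertising"],
  ["cdn.site.example", "essential"], // essential tags need no opt-in
]);

// Decide whether a tag may fire BEFORE any request leaves the browser.
function evaluateTag(tagUrl, consent) {
  let url;
  try {
    url = new URL(tagUrl);
  } catch {
    return { allow: false, reason: "malformed-url" };
  }
  if (url.protocol !== "https:") {
    return { allow: false, reason: "insecure-scheme" };
  }
  // Exact host match only: suffix or substring matching would let
  // "analytics.vendor-a.example.tracker.test" pass as an approved vendor.
  const category = ALLOWLIST.get(url.hostname);
  if (category === undefined) {
    return { allow: false, reason: "not-allowlisted" };
  }
  if (category !== "essential" && consent[category] !== true) {
    return { allow: false, reason: "no-consent:" + category };
  }
  return { allow: true, reason: "allowlisted:" + category };
}

// Audit a page's observed tags, including ones injected by other tags.
function auditTags(tagUrls, consent) {
  const allowed = [], blocked = [];
  for (const u of tagUrls) {
    const verdict = evaluateTag(u, consent);
    (verdict.allow ? allowed : blocked).push({ url: u, reason: verdict.reason });
  }
  return { allowed, blocked };
}

// Constructed sample: visitor opted in to analytics only.
const sampleConsent = { analytics: true, advertising: false };
const sampleTags = [
  "https://analytics.vendor-a.example/collect.js",
  "https://ads.vendor-b.example/pixel.js",
  "https://sync.fourth-party.example/match.js", // loaded by another tag
  "https://analytics.vendor-a.example.tracker.test/collect.js",
];
console.log(auditTags(sampleTags, sampleConsent));
```

Unlike a cookie-based opt-out, the default here is deny: a fourth-party tag that nobody registered is blocked even if the visitor consented to everything.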


Josh Manion, Founder and CEO, Ensighten, Inc.

Josh Manion brought the Ensighten tag management technology to market in 2009, and continues to lead the company’s technology vision and strategic operations. Prior to Ensighten, he served for seven years as the CEO of Stratigent, a web analytics and marketing optimization consultancy. Josh has played chess professionally and is currently ranked among the top 60 players in the United States. He holds a degree in Management Science with a focus on Information Technology from the Massachusetts Institute of Technology (MIT).


