Heather Fletcher

GDPR complaints at first blush seemed to have been brought by those with an axe to grind. But now that the data privacy law’s been in place for a bit, there’s a pattern emerging in the 1,838 GDPR complaints; the 1,106 additional data protection complaints since May 25 from the U.K. alone, which might also be filed under a pre-existing law; and the 547 data breach notifications filed in Ireland.

Shortly after the GDPR effective date of May 25 rolled around, email marketers were reporting losses on their lists of up to 80%. The law, to which the U.K. entered before exiting the E.U., even had proactive marketers who hadn’t seen losses keeping mum about their practices that were letting them remain in E.U. citizens’ good graces. The data privacy law protects E.U. citizens and gives them the right to erasure, the right to select preferences for how marketers can use their data and more.

One such proactive marketer — Bryta Schulz, VP of marketing at Janrain — told Robin Kurzer of MarTech Today for the article published July 16 that “we were pleasantly surprised to learn that our customers and prospects were very receptive to receiving our ads.

“In our consent-reconfirmation outreach, less than 8% of folks in our database declined permission to serve them full advertisements, and only 5% went as far as to deny the right to record data for analytics purposes.”

Related story: GDPR Lawsuits Target Facebook, Google, Apple, Amazon, LinkedIn

But Shulz said that while Janrain saw a 36% increase in email opt ins, only 22% of customers beginning the double-opt-in process completed it.

In a related matter regarding marketers opting for first-party data, MarTech Today reports E.U. websites load much faster without “unnecessary” third-party tracking tags, ad servers, Google services/analytics and social media plug-ins.

On July 16, Atlanta firm King and Spalding posts on JD Supra about the GDPR complaints:

“The next question to consider is when the first enforcement actions under GDPR are to be expected. As we know, the [data protection authorities] have a statutory duty to investigate complaints made under the previous E.U. legislation. Many DPAs are, therefore, necessarily working through the backlog of existing complaints. Whilst there are no official reports on when the first enforcement action under GDPR will take place, it is estimated, based on previous data on the DPAs’ response time to incidents, that it will take until the end of this year or the beginning of 2019 before GDPR enforcement action is being reported.”

Here’s a look at what GDPR complaints show about the trends:

Marketers Should Collect Only ‘Necessary’ Data

In a July 3 post on Medium, digital law researcher and consultant Mira Nova explained a GDPR ruling on how some sites are collecting unnecessary data:

“For a long time, WHOIS and ICANN were [criticized] for risk connected to exposure of personal data stored in the database to various malicious attacks. Identity theft is one frequent example of such risk. EPAG argued that based on ‘data [minimization]’ principle embodied in the GDPR, it can only collect the domain name registrant’s data.

“The court supported the view of EPAG, ruling that ICANN could not credibly show the necessity to collect admin and technical contact information. The domain registrant’s personal data is sufficient for ICANN’s purposes, especially in relation to criminal offences, security breaches or other infringements. ICANN filed an appeal to the higher court.”

‘Forced Consent’ Is a No-No

While some may believe the first GDPR complaints came from those with an axe to grind against U.S. tech companies, they did go after the most common E.U. citizen gripe post-GDPR. French activist group La Quadrature du Net and noyb.eu (the Max Schrems “None of Your Business” organization), European Center for Digital Rights, alleged entities like Google, Instagram, WhatsApp and Facebook were adopting a “take it or leave it” approach to E.U. citizens needing to opt in.

Schrems argued that telling E.U. citizens to opt in or the company would block their accounts amounted to “forced consent.” And those companies didn’t need to use E.U. citizens’ private data in order to allow them to use the products and services — they had enough data without the private information, he argued.

These complaints are still pending.

Don’t Expect Facebook to Be Your Fall Guy

Nova writes of a German court decision: “The Court of Justice of European Union concluded that an administrator of a Facebook page shares responsibility with Facebook to protect personal data of the Facebook page visitors. … Although Facebook eventually transmits only anonymous data to page admins, still, since the Facebook page operators set these filters, they must be [categorized] as data controllers ‘responsible for that processing within the European Union, jointly with Facebook Ireland.’ ”

Public Images Are Still Public, But Commercial Images Still Need to Be Litigated

Nova says journalists can still take pictures of individuals at public events without their consent if it’s for the news or public interest.

But, she says of commercial uses:

“It is still not clear, how GDPR would affect commercial image making, outside the sphere of public interest or journalism. After all, KUG regulates only publication of images, but not the collection of data (i.e. images themselves).”

E.U. Citizens Have the Right to Access Their Data

Nova writes:

“[The] most recent decision was issued by the Austrian data protection authority a few days ago. It ordered Austrian banks to provide historical account information to its users for free.”

What do you think, marketers?