DUBLIN: Tech and media companies are already preparing for tough data protection laws that the European Union will introduce next year, but new analysis suggests Google and Facebook still risk seeing their current business models disrupted.

The EU’s General Data Protection Regulation (GDPR) will come into effect in May 2018 and will impose tight restrictions on how companies use the personal data of EU citizens.

Although companies will have the right to process data to provide their services when consumers ask them to, the GDPR will not allow companies to use personal data for any further purpose unless permitted by users.

According to Dr Johnny Ryan, Head of Ecosystem at analytics firm PageFair, this means that companies will have to ask for consent, or present an opt-out choice, at different times and for different services.

That in turn creates varying levels of risk for companies, which PageFair has mapped on a scale of zero to five – the highest level of risk that describes the scenario where firms, for example adtech companies, will need “opt-in” consent but have no channel of communication to seek it from users.

Level four, the second highest on PageFair’s scale, refers to companies that do have direct relationships with users, but these same users may have little incentive to give their “opt-in” consent for, say, ad tracking across the internet.

Unfortunately for Google, the PageFair analysis rates many of its products at level four of its risk register, including all personalised advertising on Google sites, such as Search, YouTube and Maps.

Level four would also apply even to Gmail, the world’s most popular email service, and Google’s DoubleClick programmatic advertising service.

“If, however, users have already ‘signed in’ to Google Search or Chrome, Google may argue that the purpose of these technologies is ‘compatible’ with purposes users agreed to, and hope to use an opt-out rather than an opt-in,” Ryan added. “Whether this would be successful, however, remains to be seen.”

As for Facebook, its Audience Network is scored four because it requires the processing of personal data from Facebook users to target them on other websites.

“It is unlikely that this will be regarded as a compatible use. Facebook will have to convince users not to opt-out,” said Ryan.

WhatsApp advertising is also scored four, although Newsfeed and Instagram ads are ranked two, which defines products that can show an “opt-out” before using data.

“Both Google and Facebook have direct relationships with their users, and have a well thought out design for their current privacy requests. However, they are not immune to disruption when the new regulations apply. Indeed, some parts of their businesses may be particularly susceptible to them,” Ryan concluded.

“While they can process personal data necessary to provide services that their users request, using these data for any other purpose requires user-permission, or inaction, in the case of out-outs. The critical question for both businesses is whether users will click ‘yes’ when asked to consent.”

Data sourced from PageFair; additional content by WARC staff