The European Union’s General Data Protection Regulation took effect May 25. Online retailers must protect data from misuse, and only collect data they need to serve the customer.

Ryan Eney, director, legal, OpenX

Ryan Eney, director, legal, OpenX

GDPR went into effect on May 25, meaning it could be any day your business is negatively impacted for not complying with the one of the biggest regulations to hit businesses in recent years. The implementation of GDPR affects any global business that reaches EU-based customersespecially online retailers. If you haven’t begun working toward becoming compliant with GDPR or are still in the process of doing so, as is the case for many more companies than just yours, we recommend you kick your efforts into overdrive. 

For quick background on the newly enforced law, GDPR was created to harmonize data compliance requirements across the EU and will replace current EU privacy laws. This new data protection regime creates a fixed data privacy regulation across EU-based companies, as well as global companies that provide goods and services to EU users or monitor the behavior of EU users. Additionally, online retailers in the U.S. are required to use approved mechanisms, designed to protect the security and privacy of EU data, to transfer any personal data that comes from an EU user outside of the EU.

Starting Your Journey to Compliance

For many companies, complying with these new standards requires significant changes on how they collect and store user information, how they identify users and how they disclose user data practices.

To be compliant under GDPR, brands must minimize data collection to fulfill a specific purpose, delete obsolete data, and protect end user rights.

To meet these requirements and become certified, U.S. and EU-based businesses and retailers must do the following:

The Bottom Line: Respect the Data

Under GDPR, it’s imperative to keep careful track of all data, often referred to as building a “data map.” To ensure companies are doing this properly, they must maintain documents that describe the personal data they process, recipients of personal data, where personal data is transferred and applicable time limits of personal data, among other things. Further, in an effort to be more transparent, companies must give users notice about who may access their data, the purpose of collection and the kind of data collected.  Under GDPR, online retailers must protect customer data from misuse, unauthorized disclosure and destructions. To ensure that this occurs, companies should analyze whether they are obligated to appoint a Data Protection Officer (DPO). The DPO can then determine what specific actions are necessary and reasonable for different types of data.

Give Consumers a Choice

A fundamental principle under GDPR is giving consumers the right to control the distribution of their personal data. Consumers must give companies consent, which is “freely given, specific, informed and unambiguous” by a statement or by a clear affirmative action to use their data. Likewise, companies must design opt-out mechanisms that erase or give back an individual’s data as requested. These standards give consumers more control over their data while forcing companies to be more transparent with how it’s handled.


Less Is More

Gone are the days of collecting unnecessary amounts of consumer data. Under GDPR, companies are only allowed to collect data for stated purposes. To be compliant under GDPR, brands must minimize data collection to fulfill a specific purpose, delete obsolete data, and protect end user rights.

Data Across Borders

For U.S. online retailers, arguably the most convenient way to meet GDPR data transfer standards is to obtain self-certification under the EU-U.S. Privacy Shield framework. Under this framework, those that become certified will have the ability to comply with the new data transfer protection requirements under GDPR.

Violations for being non-compliant with GDPR are steep (as much as 20 million euros or 4% of worldwide annual revenue), and any digital retailer that’s involved with any internet-based advertising to EU users must adequately prepare or face significant financial consequences. To avoid these costly fines, Fortune 500 companies have spent upwards of $7.8 billion combined to make sure they’re aligned with the new standards.


While the efforts required to become compliant are intense, the time and effort it takes to fulfill these requirements are greatly outweighed by the financial consequences. In hindsight, dedicating time and money to this shift will be beneficial for any company handling personal data from EU users.

OpenX operates an online ad exchange.