Fallout from Facebook’s recent data privacy debacle and the arrival of a new European Union (EU) data privacy law will soon combine to change how brands and marketing agencies manage their sports and entertainment sponsorship events. Both will restrict how sponsors and their marketing agencies collect and use “personally identifiable information” or “PII” provided by their event guests.
Before you write this off as some boring legal issue best left to the lawyers and the IT staff, it’s worth understanding how these two separate episodes will coalesce to have a combined impact much greater than either one would have alone.
The impact of Facebook’s misguided management of supposedly personal data is just beginning. Despite Mark Zuckerberg’s efforts to focus the Cambridge Analytica data disclosure issue on how Facebook-related apps use personal information, it won’t take long for the public (and even Congress) to appreciate that the real problem is that Facebook has the data in the first place—and has built a global business centered on charging advertising customers who want to exploit it.
Of course, Facebook is not the only big tech company doing this, which will increase the evolving (and many would say overdue) public concern about the potential consequences. As more and more people understand the extent of the personal data that Facebook and other leading tech companies have compiled, how they are collecting and combining that data to create personally identifiable profiles, and how they are using and monetizing the information, the outcries, Congressional hearings and demands for change will likely translate into legislation in the US and perhaps elsewhere.
Which brings us to GDPR, the EU’s new General Data Protection Regulation. GDPR becomes effective on May 25, 2018 and makes sweeping changes in the current EU data privacy rules. Among other changes, GDPR: 1) clarifies and extends when data will be considered “personally identifiable information” or “PII” (rather than pseudonymous data, which has little protection); 2) requires transparency about why PII is being collected and how it will be used; 3) mandates informed and freely-given consent to the collection and use of PII, with special requirements for certain sensitive data such as medical information; and 4) imposes accountability for loss or misuse of the data including standards for when and how PII can be transferred from the EU to other places such as the US.
Two aspects of GDPR are important here: First, the new GDPR rules are far more restrictive than the existing data privacy rules in the United States and the penalties for non-compliance are serious. (Passive or willful non-compliance can be fined up to €20,000,000 or 4% of global turnover, whichever is higher.) Second, GDPR protects EU citizens no matter where they are in the world, including when they are attending sports sponsorship events in the United States. This extra-territorial reach is a key concept that will surprise a lot of US sponsors. For example, if you are registering guests online for an event in Florida and you have attendees from Germany or another EU country, you have to comply with GDPR’s mandates with respect to the data you collect on these EU citizens.
Prior to the fallout from the Facebook Cambridge Analytica disclosures, GDPR would have been just another EU regulation that companies would need to manage. Thanks to Facebook, the GDPR requirements and related compliance concerns will add to the growing conversation in the US about potential changes in the rules applicable to the collection and use of PII. As we hear more about the PII being collected on each one of us and the protections that will be provided to EU citizens by GDPR after May 25, it will be an easy question to ask why those same protections should not also be available to US citizens. After all, the logic might go, if a US citizen and a French citizen both attend the US Open at the invitation of a major US sponsor, why should their PII be protected differently?
One of the many things that GDPR makes clear is that data privacy responsibilities are not just for social media, software and other tech companies. Many of these responsibilities also apply to the companies that determine the purposes for which, and the way in which, PII is collected and processed—for example, the brands who sponsor events, collect PII from their event guests and determine how and why that PII will be used (which may vary from email communications for the single event to integration within the sponsor’s CRM or even to the sale of a mailing list).
Here are five areas where public and legislative reaction to the Facebook data privacy fiasco and the new GDPR law are likely to affect sports and entertainment sponsorship marketing:
1) Sports sponsors or their agencies will pay much more attention to how they and their vendors handle the PII they collect from their event guests—and where that information goes after it is collected. If you are working anywhere near guest PII, you need to be ready.
2) Sponsors will need to understand the implications of aggregating PII from event guests with other information about those guests obtained from CRM records and data brokers. Whether exported manually or sent by API, the PII trail needs to be clear and the data needs to be protected.
3) The compliance risks associated with sponsorship event guests from the European Union will gain higher visibility and change the way that data is collected, how consents are obtained, how the data is used and how EU citizens who ask can exercise their right to update their data or their “right to be forgotten”. Ironically, the changes needed to protect EU citizens under GDPR may make compliance with any new US requirements easier.
4) Future US data privacy legislation will likely impose at least some new restrictions on how PII is handled in the US, potentially resulting in changes to invitation, ticket request, event-related communication and post-event marketing processes.
5) Public concern about highly targeted social media advertising may cause some brands to re-evaluate their spending on social media that is potentially tainted by data privacy issues. Properties and other rights holders that deliver social media assets will need to be prepared to demonstrate the purity of any PII used in the creation or activation of those assets.
It’s too early to tell whether data privacy changes might adversely affect the value brands gain from investing in sponsorship events. Our guess is that they will not be enough to alter sponsorship investment decisions, but the costs of data privacy compliance could be meaningful enough to reduce event ROI a bit in the short term, particularly if the US uses the EU’s GDPR standards as the model for new federal legislation.