Varonis, Mimecast, and Facebook are among the tech companies that have mentioned GDPR the most on earnings calls.
Following high-profile incidents like the Cambridge Analytica breach, internet data privacy concerns are at a tipping point. As more consumers find their data being misused by firms, global regulators are stepping up to protect them.
Leading the charge is the European Union’s General Data Protection Regulation (GDPR), the most progressive digital privacy regulation to date. GDPR is slated to go into effect on May 25, 2018, and aims to give power over personal data back to consumers.
Compared to other recent major regulations, GDPR is the most talked about regulation on earnings calls, as the chart below shows.
This is in part because GDPR potentially threatens revenues for big tech companies (like Facebook and Google) that monetize personal data, and also because of the hefty noncompliance fines that apply to companies that hold personally identifiable information (PII), like IP addresses — essentially any company with a website.
Because of the broad implications of the law, mentions of GDPR intensified on earnings calls in Q1’18.
Below, we dig into who’s talking about GDPR the most, how giants like Facebook and Google are positioning their messaging, and why banks are staying quiet.
What is the GDPR and why does it matter?
Put simply, GDPR’s core tenets are:
- Request to consent: Firms with any PII must have consumers’ consent to collect and hold that information, and can only collect what is adequate, necessary, and not excessive.
- Right to access: Firms must be transparent with citizens about what PII is being processed and for what purpose.
- Right to be forgotten: The right to have personal data erased, its dissemination ceased, and processing of a citizen’s data halted.
- Privacy by design: Privacy by design has existed for years, but GDPR makes it a legal requirement. It calls for designing systems at the outset that protect user identity.
Any firm found in violation of GDPR is subject to fines as high as 4% of the firm’s total revenue, or a fee of €20M ($23.6M USD), whichever is higher.
Who is talking about GDPR, and what are they saying?
Varonis Systems has mentioned GDPR in earnings calls more than any other company. Varonis is a data security software provider that expects to see an uptick in revenue as clients use its data classification and protection software to comply with GDPR regulations.
Mimecast, a cloud services provider for email security, is also talking a lot about GDPR on earnings calls, anticipating an uptick in demand as a result of the new regulation.
Unsurprisingly, technology platforms that have made a business out of leveraging personal data, like Facebook and Google, are also talking about the regulation. Executives proactively discussing GDPR could be trying to signal to investors that they are prepared to comply as the deadline nears.
On Facebook’s Q4’17 earnings call, COO Sheryl Sandberg notably stated that the company was prepared for GDPR, suggesting that it would be compliant because users would consent to give Facebook their data:
However, that tune changed following the Cambridge Analytica scandal, which affected the personal data of an estimated 87M users.
Facebook’s GDPR mentions surged during its Q1’18 earnings call, when executives were hammered with questions from analysts about GDPR and how the company plans to improve data privacy.
Since the Cambridge Analytica incident, Facebook has tightened its messaging.
The company announced that it has stopped its practice of buying personal data from data brokers, a big component of being able to “tailor” its services. It also suggested it would apply the new GDPR consent enhancements to all of Facebook’s users, and has already rolled out the new policy in Europe.
Sheryl Sandberg responded to the question of compliance again on Facebook’s Q1’18 earnings call, noting:
Google also discussed GDPR this past quarter, mentioning it for the first time in Q1’18. In contrast to Facebook, Google CEO Sundar Pichai suggested the search giant still had more work to do before the deadline:
In addition to added compliance spend, GDPR threatens platform businesses’ advertisement revenues, because these companies have traditionally leveraged PII to target consumers. If consumers do not consent to have their information shared, it hurts businesses’ ability to present “tailored” ads.
And ad revenue is vital for these companies. For Facebook, 98.5% of Q1’18 revenue was driven by ads. In the same quarter, Google parent Alphabet reported $31.1B, of which $26.6B (or 86%) was from ads.
Given the significance of ad revenue, mentioning compliance plans on earnings calls could be a strategy to mitigate concerns over future revenue projections.
On Facebook’s Q1’18 call, CFO David Wehner deflected a question on ad revenue, saying:
In future earnings calls, we can expect analysts to keep a close watch on businesses’ ad revenue to see if there is any dip as these companies are forced to shift away from targeted advertisements.
At the same time, it’s possible that these businesses will see their market share increase, due to the consolidation of smaller ad-targeting companies that cannot shoulder the cost of the new regulations.
Why banks aren’t talking about GDPR
In contrast to tech firms, bulge bracket banks in the US and the EU — like HSBC, Santander, JP Morgan, and Goldman Sachs — have not mentioned GDPR once on earnings calls.
One rationale is that banks are already complying with multiple data protection regulations that extend to more sensitive sets of data, including nonpublic information (NPI) like bank account information as well as personally identifiable information (PII) like a home address.
Consequently, GDPR is just one of a number of pressing regulations on banks’ plates — and has less radical implications than many other regulations.
For example, the revised Payment Services Directive (PSD2) requires banks to provide third-party access to customer data via an application programming interface (API), thus threatening to break up banks’ monopoly on customer data. Mastercard has mentioned PSD2 on earnings calls 29 times since Q2’13.
What has not been as widely discussed is what the implications of GDPR in combination with PSD2 could be — and what they will mean for fintech startups that are leveraging APIs to access EU citizens’ data.
These companies could be liable for the full brunt of GDPR compliance regardless of their location. For example, as a result of GDPR, a personal finance management (PFM) aggregator of PII in the US could be liable for not having the same robust control framework as a bank. This could be a challenge, as the solution requires costly infrastructure investments; noncompliance, however, is not an option.
The compliance deadline is approaching quickly and any company that stores EU citizens’ PII data is affected. This is a broad and robust regulation that likely requires complex compliance monitoring — and which many firms might not be as prepared for as they are suggesting.
It will be interesting to watch which firms the regulators make the first examples of. Will it be the tech giants, the big banks, or possibly a startup on the private side? And how will regulators monitor ongoing GDPR compliance? More importantly, if the GDPR is successful, we could see other regulators enact similar rules, further complicating the regulatory landscape.