Introduction GDPR and its implications for businesses
The General Data Protection Regulation (GDPR) will be introduced in May 2018. The GDPR is a European law which will make provisions for more stringent criteria with regard to the way in which companies collect personal data and what they do with these data. The main objective is to protect the privacy and data of European citizens ("Art. 39 GDPR Tasks of the data protection officer", n.d.).
The GDPR will apply to all companies doing business in Europe, regardless of whether the company is located inside or outside Europe ("Frequently Asked Questions about the incoming GDPR", n.d.).
The introduction of the GDPR will have several implications for companies with regard to the way in which they are allowed to collect personal data ("An overview of the main changes under GPDR and how they differ from the previous directive", n.d.).
First of all, from the moment the GDPR is introduced, companies are no longer allowed to show long, unclear terms and conditions to visitors of their websites. These terms and conditions most of the time contained a list of laws that the company has to adhere to. Terms and conditions have to state what kind of data the company collects and for what purposes, and this has to be written in clear and easily understandable language. When the company collects data for more than one purpose, permission must be requested separately for every individual purpose.
Second, after the introduction of the GDPR, companies will no longer have permission to sell personal data to third parties. Companies have to ask the data subjects for permission to use their personal data and may not simply use data that other companies have collected and received permission for.
Third, after the GDPR has been introduced, citizens have to give explicit permission for the use of their personal data. Until now companies were allowed to use an “opt-out”, in which customers automatically gave permission and had to unsubscribe when they didn't want the company to use their data anymore. After the GDPR has been introduced, companies are only allowed to use an “opt-in”, in which customers give explicit permission for the use of their personal data.
Companies that either make decisions about what happens with collected personal data (data controllers) or collect personal data themselves for a data controller (data processors) have to hire a Data Protection Officer (DPO) (Information Commissioner's Office (ICO), 2014). A DPO helps data controllers and data processors to meet the GDPR legislation and so avoid the risks of failing to comply with it. They do this by informing and advising the company about the GDPR and by monitoring compliance with this legislation ("Art. 39 GDPR Tasks of the data protection officer", n.d.).
Companies that do not comply with the GDPR legislation can be fined up to 4% of their annual revenue or €20 million, whichever is greater. Besides this, a company can be fined 2% of their annual revenue or €10 million for not having their administration in order or when the company didn't hire a DPO ("An overview of the main changes under GPDR and how they differ from the previous directive", n.d.).
The penalties will be considered on a case-by-case basis and will be charged every time a company doesn't comply with the GDPR conditions ("GDPR Fines", n.d.).
How does Facebook advertise
Because the Internet is becoming more and more popular and Facebook is used on a daily basis by more than a billion people, an increasing number of companies use Facebook as their new marketing plan.
Facebook users give a lot of information about themselves to Facebook and by doing this they also give their information to companies that use Facebook. As Zarrella said in his book “The Facebook Marketing Book”:
“The most powerful feature of Facebook Ads is the incredible targeting it allows you to do. Because users provide mounds of data about themselves, you can identify very tight groups of people to advertise to”
Facebook's advertising revenue consists mainly of payments from companies that pay Facebook for advertising space on Facebook (Appendix).
Companies have the opportunity to target audiences based on location, demographics, likes and interests, workplaces and connections (Zarrella & Zarrella, 2010). Companies that want to advertise on Facebook may choose their own daily budget, which is the maximum amount they want to spend on placing an advertisement on Facebook. The time the advertisement will be shown on Facebook depends on this amount (Zarrella & Zarrella, 2010).
By comparing the information a company has about its own customers with the information Facebook has about Facebook users, it becomes possible for companies to aim their advertisements at their own customers (Zarrella & Zarrella, 2010).
Besides the clicking behaviour of Facebook users on Facebook and the personal data they share on their personal Facebook pages, Facebook has two alternative methods to collect information about their users.
First of all, Facebook launched the Facebook Audience Network (FAN) in October 2014, with which Facebook is able to monitor the behaviour of Facebook users on the Internet by using cookies. By doing this, Facebook collects data about your interests. In this way it is possible for companies to show personal advertisements on the timelines of Facebook users based on their interests (Bongers, 2016). If you don't want Facebook to monitor your behaviour on the Internet, you can unsubscribe (opt-out) (Pratskevich, 2017). After the introduction of FAN, Facebook's revenue increased by 37% (Facebook for Developers, n.d.).
Second, in 2014 Facebook took over WhatsApp, and since August 2016 WhatsApp has shared information about users with Facebook in order to improve targeted advertising on Facebook; this is called WhatsApp Advertising (Lomas, 2016). Here too, you have to unsubscribe if you don't want WhatsApp to share your data with Facebook (WhatsApp FAQ's, n.d.).
Because Facebook collects data for other companies (the companies that want to advertise on Facebook), Facebook is a data processor and must hire a DPO to monitor its compliance with the GDPR legislation. This DPO can also inform and advise Facebook about how to comply with the GDPR ("Art. 39 GDPR Tasks of the data protection officer", n.d.).
Facebook advertising clashing with GDPR
Before the GDPR is introduced in May 2018, Facebook needs to make some changes in the way they collect personal data. Pagefair has drawn up a scale which shows the level of risk Facebook faces with regard to the GDPR (Ryan, 2017).
In light of the GDPR, Facebook is obligated to ask WhatsApp and Facebook users for permission to monitor and share their data with FAN and WhatsApp Advertising. As you can see on the scale Pagefair created, for both FAN and WhatsApp Advertising there is a big chance users won't give this permission, since they have little incentive to do so.
Facebook may keep using both FAN and WhatsApp Advertising, but they have to explicitly ask the users of WhatsApp and Facebook for permission. Until now, users had to unsubscribe when they didn't want to cooperate, but after the introduction of the GDPR, this “opt-out” is no longer allowed and Facebook is obligated to use an “opt-in” to ask permission for these services.
Consequences for Facebook
Based on Facebook's revenue in Europe and the monthly active Facebook users as illustrated in Facebook's annual reports, I created a graph in which the revenue is shown from 2012 until 2016 (Facebook annual report, 2012-2016). By doing this I looked at the Average Revenue Per User (ARPU) from Q1 2012 until Q2 2017. Since the GDPR only applies to Facebook users in Europe, I made these calculations by looking at the monthly active Facebook users in Europe.
In this graph I distinguished the periods in which Facebook gained revenue from advertising without the use of FAN and WhatsApp Advertising, the period in which they only used FAN and the period in which they used both FAN and WhatsApp Advertising.
By adding trendlines it becomes possible to estimate what the average ARPU would have been in Q2 of 2018 (when GDPR will be introduced), in case Facebook had never introduced WhatsApp Advertising or both FAN and WhatsApp Advertising. By doing this we can estimate the possible loss of revenue, per monthly active Facebook user in Europe, Facebook will face as a result of the introduction of the GDPR.
To estimate the number of Facebook and WhatsApp users that won't give permission to Facebook or WhatsApp for FAN and WhatsApp Advertising when they would explicitly ask for this, I conducted a small survey of Facebook and WhatsApp users. In this survey I asked a couple of questions which included:
1. When you had the chance to let Facebook use your personal data for the services they deliver only and for nothing else (personal advertisements for example), would you do this?
2. When you had the chance to make WhatsApp stop sharing your personal data with Facebook, would you do this?
Looking at the answers given, we can see that 77,5% of the people that filled in the survey answered question 1 with “Yes” and that 95% of the people answered question 2 with “Yes”.
So, this will be the estimated percentage of the advertisement revenue FAN and WhatsApp Advertising add to the overall advertising revenue in Europe.
In case of FAN this amounts to a decrease in monthly ARPU of 77,5% of $0,70 ($5.78 – $5,08) which is a decrease of $0,5425 per user.
In case of WhatsApp advertising this amounts to a decrease in monthly ARPU of 95% of $0,61 ($6,39 – $5,78) which is a decrease of $0,5795 per user.
So, the estimated decrease in monthly ARPU in Europe will be $1,122 ($0,5425 + $0,5795).
Looking at the average quarterly increase in the monthly ARPU from Q1 of 2012 until Q2 in 2017, the estimated ARPU will be $6,39 in Q2 of 2018, in which the GDPR will be introduced. As a result of the introduction of the GDPR, the ARPU in this quarter of 2018 will decrease by $1,122 to $5.268.
Between Q1 of 2012 and Q2 of 2017 the number of monthly active users increased by 1.9723% on a quarterly basis. When we follow this trend, the estimated monthly active Facebook users in Europe will be 389.252.300 in Q2 of 2018.
As a result of the introduction of the GDPR, the ARPU in Q2 of 2018 will be approximately $5.268 instead of $6,39 as explained before. This will cause a decline in Facebook's advertising revenue from $2.487.322.197,- (389.252.300 * $6,39) to $2.050.581.116,- (389.252.300 * $5,268). This is a total decline of $436.741.081,- per quarter.
Since the GDPR will only affect Facebook's revenue in Europe, this will be the total decline in revenue as a result of the introduction of the GDPR. Other continents don't have to be included in this calculation.
On the other hand, the fine for not complying with the legislation of the GDPR affects the global annual revenue. This fine will be 4% of the global annual revenue.
Looking at the average increase in revenue on a quarterly basis from 2010, we see an average growth of 12,859% per quarter.
The fine Facebook would face when they breach the GDPR legislation in 2018 will be based upon the global annual revenue in 2017. Until now, the global revenue for Q4 in 2017 is not known yet, so we have to estimate this by multiplying the global revenue for Q3 in 2017 by 1.12859. This gives an estimated global annual revenue in 2017 of more than $39,337 billion.
The fine for breaching the GDPR legislation will be 4% of the global annual revenue for Facebook because in case of Facebook this is more than $20 million. This will make the total amount of the fine for breaching the GDPR legislation approximately $1.573.480.000,-.
Since this fine will be charged every time Facebook breaches the GDPR legislation and won't be a one-time fine, Facebook has to make sure they comply with the GDPR, and they should hire a DPO who could inform and advise Facebook on how to comply with the GDPR.