GDPR Is Upon Us

As we all know from the flood of emails coming into our inboxes explaining that privacy policies have changed and more, the dawn of the GDPR era is upon us.

Technically companies have until tomorrow, May 25th, to get into compliance with GDPR.

USV portfolio companies have been working on getting compliant for more than a year and we have been active in helping them do so and advising them on best practices.

I blogged about GDPR here at AVC last September in hopes that all of you would also start working on getting compliant.

If you have customers or users in Europe, you must comply with GDPR. But many companies are taking the approach that they will be GDPR compliant with all of their customers, regardless of geography.

For this reason, GDPR is the biggest user data privacy regulation to hit the Internet, at least in the last decade, and possibly forever.

There are some good things in GDPR. The basic notions that users have the right to control how their data is used and to opt-out of that usage seems right to me.

But like all regulations, the implementation and compliance details are painful in parts and there certainly could have been a lighter weight way to get to the same place.

My hope is that the US and other countries copy some of the better parts of GDPR but go without the overwrought elements.

The other thing to note about GDPR is that we should expect revenue headwinds from it for the next few quarters. Less emails will be going out. Less engagement will be going on. And less revenue will be generated.

I am OK with that. It’s a price to be paid for a step forward for user’s rights. No pain, no gain.

#Web/Tech

Comments (Archived):

  1. JimHirshfield

    I haven’t gotten my new privacy policy notice from Disqus. If you’re in EU, I grant you permission to reply to this comment.

    1. jason wright

      ever uncertain, ever uncertain.

    2. DJL

      Per Fred’s comment, organizations who think they are “compliant” are probably not, but that might be good enough.

    3. scottythebody

      I got it. Ticked two of the three boxes and hit submit. Done.

  2. David C. Baker

    It’s been a total PITA on my end. There are 36,000 people who have opted in to my weekly emails. I have no clients in the EU and I have no office presence there, but the signals are mixed. Do I still have to comply? Some folks say yes; some say no. But when I see how US firms are handling this, some are just pulling out of the UK rather than comply, which seems to imply that this is an option. It’s still non-compliance, technically, but I don’t think an action can be brought against a company who doesn’t have clients or employees there.Some of the recommendations I’m hearing are draconian. For example, I can’t gate my content in the EU. That means that I have to have a fork in the road that allows someone to tell me whether they are in the UK or not. If they are, I can’t gate the content. But that would mean that anyone can claim to be in the UK and thus bypass the gating. Further, I supposedly can’t use an IP lookup to verify location…without their permission.My temptation at the moment is to put that fork there, but if someone says that they are in the UK, they just don’t get the content. I’ve built my entire business (since 1997) writing what I hope is insightful stuff, and that’s how the list has grown organically.

    1. Laurent Boncenne

      the first thing is to show that you’re trying to be compliant.the second is that in many case, even storing email addresses and user names is a perfectly valid reason in order for you to be able to continue doing business (so long as you respect principles of data privacy) so long as users understand that you need to have it and that they agree to it.a very good and simple example is what the belgian rail is doing to disclose what they do with a users’ data and for what purpose:https://www.belgiantrain.be…also another insightful and quick quiz from the bbc: http://www.bbc.co.uk/news/t

      1. David C. Baker

        Laurent, supposedly asking for an email address in order to give someone access to gated insight is not reason enough. You can, theoretically, give it to them w/o an email address but just making it indexable. On the other hand, if you decide to wrap it all in a PDF, you’d need an email address to send that to them. :)Kind of reminds me how in California the state gov would tax something handed to a client on a disk…but wouldn’t tax it if you let them download it w/o any physical product carrier.

        1. Laurent Boncenne

          It is, you would have to explain what is the purpose of storing those email addresses, and provide a method for requesting and deleting those personal information.i really don’t see the problem from a compliance standpoint….you ask for those emails to send out your newsletter, which is a promotional way for you to market your personal brand to find clients. that seems 100% simple to me.you do need to disclose which systems have “access” to that data and in what capacity. that’s pretty much it, at least as a starting point

    2. Richard Barker

      David, from a legal perspective, if you are located outside the EU and have no EU user data (and never will) you do not need to comply with the GDPR.From a commercial perspective, you may find you have clients that insist you are compliant irrespective of the above.

      1. LE

        From a commercial perspective, you may find you have clients that insist you are compliant irrespective of the above.Insist? What do you mean that they send you nasty emails? So what? Who cares? Has anyone forgot the golden rule? There is zero they can do (to someone like David). Nothing. Period. It’s a non issue (for what David does).

    3. LE

      but the signals are mixed. Do I still have to comply?I am sure that some legal propeller head (or tech guy) will come up with an angle that says you have to comply or that you should company or that ‘it’s best if you comply’.What are you going to spend your time on? Running your business or covering a base that doesn’t need to be covered? Do you not drive a car or fly in an airplane because there is a minor risk of loss of life? Do you not go slightly over the speed limit because there is a chance of getting a ticket?but I don’t think an action can be brought against a company who doesn’t have clients or employees there.You and what you do? Nothing is going to happen to you no matter what you do. Nothing. Zero. Not going to happen. I hope I am strong enough in what I am saying.My temptation at the moment is to put that fork there, but if someone says that they are in the UK, they just don’t get the content. I’ve built my entire business (since 1997) writing what I hope is insightful stuff, and that’s how the list has grown organically.What you are saying is exactly the total freakout that people are doing with this FUD going around because of what (sorry) the fucking Europeans did. Honestly and it’s really sad the way online tech has gotten all corner case about what can happen. Meanwhile same people (this is a wild exaggeration of course) will ski out of bounds, rock climb, ride a bicycle in a major city, do drugs, binge drink which is a way greater risk of something actually happening that is bad. I hope I have made my point. Noting also that my points relate to small operators (in your situation) and not to everyone. [1][1] I also think the risk to even larger operations is pretty much zero.

      1. sigmaalgebra

        Wisdom. I glanced at the Wikipedia link Fred gave: IIRC, if the sh*t stuff starts to hit the fan, then the, e,g,. Web site operator gets a warning. So, write a little code some afternoon, give them what they want, and then get back to business.My startup is a Web site. The code is all written and ready for at least first production, beta test, alpha test except for some little tweaks I have in mind and some more testing. It’s 100,000 lines of typing — another 1000 should cover the tweaks.I have no user IDs, passwords, or logins. I make no use of cookies and essentially no use of JavaScript. But, sure, my site’s Web log file has the IP addresses and “user agent string” for each user and what the user did at the site. I will analyze this for better information on site performance, what users do and do not like, how users navigate and use the site, various distributions, e.g., geographic, connections per month per user, cases of attempts to flood the site with requests enough to bring down the site, attempts to have robots use the site, what responses the ads get compared with what users are doing on the site. So, I have a log file, for the usual reasons. So do nearly all Web sites.So, I was going to post a question “What to do with Web site log files?”. Now, I’ll just f’get about that. Uh, there is a thingy in the GDPR about how long records are kept. Well, I don’t much need or intend to keep the log files very long!

        1. LE

          Pretty much true. But newly hatched and or investors don’t have the type of seat of pants feel (long term) for these things. Noting also that I would guarantee that most companies (and individuals) are violating multiple US laws to the letter. And will deal with it when and if something actually happens.

      2. Brook Shepard

        you have to comply, and are personally liable for not complying. At least, that’s the way I read it.

    4. Erin

      The law applies not just to UK citizens, but to anyone whose information runs through servers situated in the UK, or if a UK citizen accesses your content while not on their soil.The spirit of this law is to go after companies who are negligent with data and expose peoples’ info to leaks by not updating or patching their protection software, or who collect info that isn’t necessary to run their business. You have to ask yourself why you’re collecting what you collect- do you need it to operate, or is it nice to have?

      1. David C. Baker

        Yes, for sure. My data isn’t housed on any EU servers, but it’s widely accessed by people within the EU. I have spent thousands of hours giving away incredibly useful information/insight for these folks and never charged for it. As a responsible marketer, I think I have the right to use “progressive profiling” to tailor the data to what they want to see. Most of my insight (the weekly emails) is filling up the bank account of goodwill. Every once in awhile I’ll send out a crassly commercial message saying, “Hey, you might want to hire me.” It’s done through a marketing automation system that pays very careful attention to user behavior, predicting their interest, etc. Take a look at these stats from the most active workflow. You can see that the results are stellar. Look at open, click, and spam complaints. But now the EU is telling me that I can’t do this without an insane amount of re-programming, legal fees, and other bullshit. Gov’t overreach. 🙂 https://uploads.disquscdn.c

        1. Erin

          The spirit of the law is to catch corporations being negligent with the data, not to scaremonger sincere companies making sincere efforts at protecting it.

        2. Vasudev Ram

          >It’s done through a marketing automation system that pays very careful attention to user behavior, predicting their interest, etc.What marketing automation system do you use, if it’s not confidential?

          1. David C. Baker

            I use Act-On. It’s a mid-level program, like HubSpot, Pardot, etc. Then the lower level stuff like InfusionSoft. And the high level ones like Marketo, Adobe’s Campaign stuff (just bought Marketo), etc.

          2. Vasudev Ram

            Thanks. Yes, I saw that news on HN few days ago about Adobe.>Adobe bought Marketo.IIRC it was Magento.Just searched:https://hn.algolia.com/?que

    5. jason wright

      “draconian” – some say the EU is an attempt to forge a modern Roman Empire, and that requires blunt force trauma tactics. GDPR is not subtle.

    6. PhilipSugar

      BTW: You define exchanging value. Same with Fred. Anybody that doesn’t think it is a fair exchange needs to go because it’s not fair. You provide magnitudes of order more value than you get.

  3. Sebastian Wain

    Are there any concise resources or checklists to rapidly understand the implications? I haven’t checked but I suppose because USV works with many companies they will have a shorter and correct explanation. It would be a good resource to share.

    1. DJL

      That is the main challenge with this “Law”. Like most laws created by bureaucrats, this one is very vague in parts and open to much interpretation. Some parts are technically unfeasible. Unfortunately, there is no “checklist”.

    2. Brook Shepard

      There are. Hubspot made a good one.

      1. Vasudev Ram

        Got a link?

  4. PhilipSugar

    I think this while a pain will be good. It kind of imposes a cost for just wild spamming. Cave Painting correctly pointed out direct mail (snail mail) does have really good response rates.It is because there is a throttle on the system.Email really hasn’t had that.And while it is painful to get throttled, I believe that this will help the entire ecosystem.It’s a Tragedy of the Commons issue.People just completely disengage because the Commons (their email box and info) has been so abused.Clean it up and it helps the good actors.

    1. Lawrence Brass

      GDPR is a reaction to businesses’ abuse or negligence regarding personal information. Deserved by the perpetrators or negligent in my opinion and a burden for the rest.For existing systems it is a real problem and very hard and expensive to solve because it implies a full redesign of the data model. The worst case is if you chose to use an identifying property as the social security number as the unique id for your customers in the database. In this case you are out of luck because many tables will have identifiable records and probably logs as well. Most commonly you may have a system that uses an unique internal customer ID which may be easier to anonymize, decoupling the identifying attributes from the ID, at the logical level.But for a new system I think it is all about proper design. I’ve been working on this at the design level for my new systems. It is not a full solution for GPDR compliance but it provides a solid foundation and greatly reduces the surface of the problem.There are two key points: – Anonymize early in the data flow – Isolate identifying personal information at the logical and physical level.An artifact I like to call the “personal data firewall”, because managers love that type of nomenclature 😉 .. divides the data domain in two, so you have two data stores. One holds identifying information such as names, addresses, localization, IPs, etc. and the other holds GDPR free information. Both are linked by a session scoped, random and unique identifier only known by the system. The data stores could be implemented as isolated databases and even isolated servers or domains. The firewall/router assigns a session personal data identifier much in the same way NAT routing works, to make personal data available to processes that need it, such as billing.The “forget” function deletes every trace of identifying information in the identifiable domain if required.I think that such a system is easier to manage and audit from an GPDR auditor or manager point of view.

      1. PhilipSugar

        If you chose to use ssid. You know what?? Not only do you deserve to redesign. There should be a retroactive fineOur systems store data on more than 100mm customers, 1B financial transactions, 5B interactionsI am tired of watching bad actors.Can I get your zip code? Why. Security! No I’ll just leave. Ok we don’t need it. Why did you ask? You reverse append my name and zip and store my credit card infoCan I get your phone number? Why? They just tell me ask, you’ll never get a call. I have a whole block. Hmmmm how do I get calls to that custom number. I’ll leave out a crude jokeGive me your email. We will never spam you. I also keep a block with your info Another crude jokeWe will never sell or rent your data. Ultimate crude joke.LE is right. Most consumers are too stupid to care or know

    2. JamesHRH

      Specific regulation targeting specific situations = good.Good regulation = ~4% of all regulation on the planet.How about the EU fine social media platforms for unauthorized data distribution and failure to delete automated accounts?How about the EU pay hackers 15% of the fines to police social media platforms?

      1. PhilipSugar

        You piss in the well long enough or stand and watch others do this. You get this

        1. JamesHRH

          I am not sure if you agree with this idea or hate it.

          1. PhilipSugar

            Idea? Like it. Implementation hate it. Same as SOX.

          2. PhilipSugar

            Ahh, your idea. Like it.Too practical for the government.

  5. bogorad

    One would think they learned from the cookie fiasco. What did we get from that regulation? Nothing good, only the annoying and useless message (we use cookies, screw you if you don’t agree) every time you visit a website from a European IP address. Why would this one be any different??

  6. Frank W. Miller

    The real question is, what are the implications of GDPR for blockchains? The requirements seem to be diametrically opposed to the goals of anonymity and ungoverned full distribution that current blockchain designs focus on.

    1. DJL

      Actually, there is a tremendous opportunity to use blockchain as the underlying technology to manage GDPR compliance. We have been looking hard at this. Happy to discuss!

  7. DJL

    GDPR may go down in history as one of the most expensive and least useful regulations ever (right next to Sarbanes-Oxley). Some elements are either technically unfeasible or simply too costly (like the ‘right to be forgotten’).Like most regulations, the idea is sound – protect our privacy – but they went overboard. I am in the weeds on this every day helping our clients, but there is still a lot of interpretation that needs to happen. People want “simple” but it just isn’t that way.That being said, we have incorporated GDPR controls in our ComplianceShield product to help simplify. Certainly a love-hate relationship.

  8. kenberger

    Blockstack (USV PortCo) may find GDPR as a killer app.

    1. jason wright

      how so?

      1. kenberger

        My dev company is discussing with the founders now, so we’ll see.But as another commenter posted, blockchain-based solutions can be a great way to handle GDPR. Sorry to be vague for now, but not not tough to imagine.

  9. JamesHRH

    Simple test – usage of FB has not changed at all post CA scandal.Ergo, people do not care about this issue.Bureaucrats making work.

    1. Erin

      I think people care.

    2. jason wright

      CA scandal?edit: Ah, Cambridge. The penny dropped. duh.

  10. DJL

    BTW, Fred/William. Have you been seeing GDPR/blockchain pitches? This seems like a logical fit to me. But there is so much noise in the ICO market it is impossible to keep up.

  11. LE

    If you have customers or users in EuropeImportant to note that GDPR applies to individuals and not companies re: ‘customers’. Also with respect to enforcement and action the chance of a small size company based and operating solely in the US being pursued by european regulators in US courts is ZERO. The chance of any action in european courts is nominally higher than zero. [1][1] Could there be some kind of ‘patent troll’ angle whereby an enterprising law firm decides to take advantage of this ‘opportunity’ on behalf of european authorities? Sure that is possible. Not very likely. But could happen.

  12. LE

    But many companies are taking the approach that they will be GDPR compliant with all of their customers, regardless of geography.That sucks and there is nothing good about that happening. We don’t need to be subject to laws and rules that were developed under a different context and reason by people that don’t even represent us especially when those rules are so obviously complex that they can’t even be close to easily interpreted. We have enough of our own stupid laws to deal with.It’s a shame that companies are reacting the way they are honestly. And spending all of this money complying with something that wasn’t even a ridiculous law passed by our own government. This is a tax on all of us. The money and time that your companies spent to comply could have been put in other more beneficial areas. Nice job Europe.Meanwhile I can easily find what you paid for any of your houses in the US, who you are related to, and a host of other public data that is freely and easily accessible. Endless list that is all out there that even ordinary people would think should not be public.

    1. DJL

      “a tax on all of us” passed by the World Government prototype – the EU. Absolutely true. Welcome to global taxation at the hands of foreign bureaucrats.

      1. LE

        By the way I don’t hold any ill against you or your company for taking advantage of the ‘opportunity’ business wise. It’s exactly what I would be doing (and I will do as soon as I can spot an opportunity to do so).

        1. DJL

          Its the great irony of my business. I am for less regulation (personally) but it drives 70% of my business. But helping the smaller companies “comply” without breaking the bank is gratifying.

    2. Twain Twain

      The Europeans and RoW didn’t sign up to be tested like rats-in-boxes by FB et al. Some Americans likely aren’t happy about that too:* https://www.theatlantic.com…Marketing, psychometric profiling and business models are mostly US-origin so it could be argued that these are rules of the game imposed on non-US users.To me, collecting data is fine IF THAT DATA IMPROVES language understanding, people’s relationships and fosters diverse cultures and democracy.Unfortunately for FB & others they have huge amounts of data but it hasn’t resulted in those improvements in the way people want.

      1. LE

        If people aren’t happy they need to grow up. They are getting something for free. In return for that you will pay in a way to make it profitable for the free service. That is the way I see it. It’s always nice to hear people getting things at no cost then thinking they can decide what someone should do in their business. Whatever they are doing is not a problem to the vast majority of people. Merely whining fringes, tech people, jealous competitors and those that don’t understand how business works. Nobody needs to use facebook period. It’s not a utility. If you don’t like what they do then don’t use it.By the way anytime you read stories in the press (or the nightly news) they are masters of making something appear to be a big issue by highlighting the few people that seem to have a problem with it and making it appear to be a broad issue. Or asking others in a way that infers a problem and if they don’t agree they are stupid. That is the way the media works.It’s particularly ironic given all the person things people put on facebook to begin with.

        1. Twain Twain

          The media’s relationship with Google, FB seems to be co-dependency that verges on unhealthy.

    3. Jim Ritchie

      Just received this GDPR notification email from a SaaS app we use for some engineering. It is a 1-2 man shop. Pretty funny!”We don’t know do we comply or not – that’s because we don’t care about GDPR. We love you, but we don’t love paranoid idiots. If you think we are using your personal data to make profit, then you really need to switch to another site (or simply die). You can always delete your user account (and nobody will cry).”

  13. LE

    The other thing to note about GDPR is that we should expect revenue headwinds from it for the next few quarters. Less emails will be going out. Less engagement will be going on. And less revenue will be generated.Are your companies really doing this? That makes no sense at all. I would love to see the companies that are planning to have less engagement and the business logic behind it other than ‘what if’. This seems like a total CYA by management and boards along with bad and non-practical advice from attorneys.

  14. LE

    See attached screen grab from a typical email.Honestly this is all so knee jerk and shows an entire lack of ability to evaluate risks in business and act in a prudent and appropriate manner. I would get rid of anyone working for a company that I invested in or owned that did this because it was the easy thing to do when honestly it serves no business purpose to overreact like this. (Attached screen grab). And if I was a stockholder in a company that did similar and revenue was impacted there would be grounds for a lawsuit for acting so recklessly and in a way that impacted revenue and business prospects. (Because they are not showing good business judgement in any way by taking this broad and unnecessary approach). Business is about risk. If you can’t properly assess risks (and even know when the lawyers are CYA) you should be in another job…. https://uploads.disquscdn.c

  15. jason wright

    friction generates heat.

  16. sigmaalgebra

    Uh, if all my Web site log file has as “personal data” is their IPv4 IP address when they connected to the site, in what sense is this IP address really “personal data”? That is, the address may have been assigned by their ISP from a pool via DHCP and day by day be from different people.Maybe IPv6 will have essentially all IP addresses “static”, that is, tied to one person forever, and change the situation. Maybe.Anyone think through this log file IP address stuffy?

    1. Lawrence Brass

      The IPs that my ISP assign to the routers via DHCP are quite stable. Have had the same IP for weeks or even months.I think that we can store the IPs as long as we can’t map them to a person or group of persons without their (revocable) authorization. The ISPs obviously can do that.

      1. sigmaalgebra

        On Windows 10 I just ranipconfig /alland got in partLease Obtained. . . . . . . . . . : Wednesday, May 23, 2018 4:37:39 AM Lease Expires . . . . . . . . . . : Thursday, May 24, 2018 11:19:30 PMSo maybe my ISP knows something I don’t know, maybe an asteroid is headed for my house!I suspect and hope that you are correct about our being able to keep IP addresses in log files without getting into trouble with the EU Poo Bahs.But I suspect that LE is also correct: Both the Poo Bahs and I have better things to do with time than argue about “dotted decimal” IP address data!

    1. JamesHRH

      But the core thread there is that bots are being weeded out & user counts are climbing.If people were panicked about FB data usage, you would see net user counts drop, wouldn’t you?

      1. Erin

        I can’t see in the article where it mentions bots. There are lots of consumer surveys that say that people are worried about their data being leaked to hackers, or used for reasons other than what it was originally intended. My opinion is the GDPR is the best thing to happen to consumers with respect to digital privacy. I’m excited about it. The EU seems to care a lot more about our rights than US or Canada does. (BTW, the woman heading the GDPR is the former privacy commissioner of Canada. She seems pretty with it. She has also had success taking FB to court).

        1. JamesHRH

          Bank of England run by former Bank of Canada head too – top flight CDN mandarins (that is what they call senior government types up north) love the move to the EU. Bigger countries, more clout, more $.More respect too – NA government types not at all as lauded.Toronto & Montreal (big time) looking east far more than south these days (Toronto used to have big time complex about NYC). Free market losing ground to security of socialized things in those big metropolitan cities.Most of Eastern Canada wants desperately to be like / part of western Europe. Most of Western Canada would be OK with being like / part of America. British Columbia would like to be part of California, especially when it separates (no customs, weed sales up and down the coast, trains from Vancouver to Santiago and every good snowboarding / surfing spot on the west coast, if they had their way).jkYou are correct that the article does not address bots. But, the quote from The Zuck on the changes to the News Feed are all about bots – that’s what they changed. They weeded out bots. They knew the hours would drop because bots can run 24/7 – they could basically ID the bots by the # of hours they are on FB.I know you are super sharp Erin, but I do not know if your background has a lot of consumer marketing research….so if I am about to mansplain, I think its an honest error ( I need a FT legal boilerplate advisor for online commenting ;-)My experience in consumer marketing convinced me to ‘watch what people do; do not listen to what they say.’So, IMHO:FB user count climbing = Doing (what they want to do).Surveys = Saying (what they think they should say).You can disagree but you’ll be wrong ;-)BTW, did you know that the least socially mobile western country in the world is……..the UK? Learned that from https://twitter.com/alanbea… a few years back. Yet another drawback to government over-oversight.I didn’t give in on it until he crammed a ton of statistics down my Twitter gullet and I had to concede he was right. Could not believe it.

          1. Erin

            I understand watching what people do, not listening to what they say. (To an extent– eventually smoking became unpopular, right?)Not convinced user time hadn’t gone down despite bots being weeded out.

          2. JamesHRH

            The trend is our friend.We’ll know in 6 months.

  17. Erin

    FB usage seems to be declining.

  18. jason wright

    with due deference to the bartender, here’s something that some might find a tad more interesting;https://www.youtube.com/wat…William, good talk. Thumbs up.The SEC does appear to behave with acute contradiction. It absolutely fears fraud and its potential impact on both its own standing and the financial health of Josephine Public, and yet it is not demonstrating by investigation and prosecution that there is that level of fraud taking place. How many offerings are under active investigation for fraud? How many are being prosecuted for fraud? How many convictions have there been for fraud?The SEC seems to be first and foremost protecting itself. I guess that’s its institutional behaviour and political ‘reflex’.

  19. LE

    It’s really gotten this nutty:Even restaurants in the U.S. are worried about complying with the law, because they gather and keep information about EU residents who make reservations when traveling, said Kinesh Patel, co-founder of SevenRooms, a reservation and guest-information service. Bigger chains have been working on complying for some time, but it has surprised some smaller restaurants, he said.Seriously. Restaurants because they have customers who make reservations that are EU citizens and serve them in our country. Located in the US. Would love to know how any European authority would even go about finding out what they need to know in a way that would allow them to bring an action over your favorite 40 seat restaurant. Just send a questionnaire. And the restaurant will simply supply the answers! It’s that simple.https://www.wsj.com/article…This is stoked and flamed by the media in part (as well as bloggers) who are taking the opportunity to click bait people into an frenzy of anxiety over this…. https://uploads.disquscdn.c

    1. PhilipSugar

      No doubt, no doubt people have gotten nutty over this. It gives people something to do and sell.Also you bring up a good point, people are willing to answer questions they in no way should answer. Of course that is the basis of social engineering hacks.

  20. Brook Shepard

    I’ll bet that Google (as a platform) will suffer the most, revenue-wise. Doubleclick will be impinged.FB & emailing should be fine. That’s my guess.

  21. Bob Warfield

    I don’t expect big revenue headwinds for modern firms that are doing inbound marketing with high quality content.Old School Firms, especially those where Sales runs roughshod over Marketing, are still hopelessly dependent on advertising and cold calling. Those are the firms that are going to be hating life under GDPR.But don’t charge those headwinds against GDPR. Charge them against the shortsightedness of the firms for not embracing modern marketing sooner.Engagement? Start by asking of every email you send, “Am I giving the recipient something of value that they will want enough to read the email?” Everything else is spam.You should be delivering so much value in the emails that they beg for more and open as many as they get. It’s an ideal for sure, but it’s the mindset you need to survive.And not just because of GDPR, but because of shorter and shorter attention spans.

  22. Ending of the Wild Wild West

    The Wild Wild West days of the Internet are quickly coming to an end. The MySpace Cowboys rose to fame over a decade ago. Mark Zuckerberg even occassionally wears a suit these days.See:http://archive.fortune.com/

  23. scottythebody

    GDPR is perhaps heavy, but at least it is *something*. Regulation is definitely needed in this area because the companies sure as shit weren’t doing anything to help their customers. Another one the market didn’t solve, I guess. Go figure.