Just as in the United States, digital marketing and advertising spending in Europe has reached new highs. According to the Interactive Advertising Bureau, digital and app-based advertising spending reached €48 billion in 2017, an increase of more than €5.5 billion over 2016. Cybercriminals, however, are increasingly targeting the organizations that collect data from users as those users interact with the organizations' own campaigns and those of their clients. The Federation of European Direct and Interactive Marketing (FEDMA)—Europe’s leading self-regulatory body for advertisers and marketers—has addressed these concerns and more through its European Code of Practice for the Use of Personal Data in Direct Marketing. This code governs how the roughly 10,000 direct marketers that currently participate in FEDMA and its affiliated national-level associations are required to handle all data they collect from users online.
FEDMA’s code protects two categories of data: personal data and sensitive data. FEDMA’s definition of “personal data” is fairly broad, and covers any information relating to an identified or identifiable natural person, whether collected online or offline. This includes not only an individual’s name and address, but also his or her job title; telephone and fax numbers; and information about his or her psychological, physical, mental, economic, or cultural identity. Sensitive data, on the other hand, specifically covers a user’s sexual orientation, criminal history, physical and mental health history, religious and philosophical beliefs, political opinions, race or ethnicity, and trade union membership.
While the current edition of FEDMA’s code is being reworked to account for the EU’s new General Data Protection Regulation (GDPR), FEDMA already requires member companies to implement appropriate security measures to protect all user data, at rest and in transit, from being lost, stolen, accessed, or shared without the user’s consent. FEDMA does not prescribe specific technical controls; instead it advises companies to weigh the cost and state of the art of available safeguards against the sensitivity of the information being protected when deciding how to secure user data. It does, however, name the kinds of controls members should consider: physical access controls, user access controls, data access controls, password and multifactor authentication, and encryption of data in transit. It also suggests using seed lists (decoy records planted in a mailing list so that unauthorized use or resale of the list can be detected) and privacy enhancing technologies (PETs) to strengthen these safeguards. The EU Agency for Network and Information Security (ENISA) has published a PET matrix that helps companies analyze what types of PETs they are using; it emphasizes VPNs, anonymity protection, client-server encryption, and end-to-end encryption. FEDMA’s code does not apply only to its Europe-based members. Outside contractors, vendors, and other recipients of personal and sensitive data, whether based inside or outside the EU and Europe, may need to contractually commit to reasonable security measures and EU-approved protections when working with member-provided user information; the member remains responsible for the data it hands over.
While national-level marketing associations are responsible for disputes between parties within their countries’ borders, FEDMA’s Data Protection Committee oversees and resolves controversies arising from cross-border violations of the FEDMA Code. The committee has wide discretion to issue sanctions, which can range from expulsion from membership to coordinating legal action against member companies with government data protection agencies. Working with a managed virtual cloud provider that offers 256-bit AES encryption, multifactor authentication, dedicated IP addresses, SSL-A-rated international data centers, and other security features that support GDPR compliance can help you protect consumer data and avoid these situations. Bear in mind, though, that outsourcing hosting does not transfer your obligations under the code: the provider is one of the outside recipients described above, so its security commitments should be captured in the contract rather than assumed from its marketing.