Really? In a lot of cases, we give our consent for our data to be processed, and the terms of which - do you really think, even with a more up front disclosure statement and post-process record keeping, that for most people it'll have a large impact on data from opted-in networks? And the subsequent (consented) use of it in all manner of ways?
It's not a combative question - I'm genuinely interested as to whether I've misinterpreted GDPR requirements or not? From what I've seen, as a lot of personal data is willingly traded by people, and the greyness around "legitimate interests" of the controller, the landscape wont look massively different (just perhaps a more invasive privacy notice on first visit?)
I think I have a slightly different perspective, from various business dealings I have.
Firstly, I am elbow deep in the recruitment sector, and GDPR is a Major Fucking Deal for everyone. Software companies in the recruitment space are spending a huge amount of time and treasure making sure they are on top of the game for GDPR. Recruitment consultancies are too. The industry is taking it super seriously. Recruitment is (amazingly, and contrary to what people tend to believe) generally pretty good about this sort of stuff (with almost all shady shit coming from individual recruiters with too little oversight), so maybe the industry is over-reacting, but I don't think so.
Secondly, I am pretty aware of a lot of shady internet marketing and retargetting type shit. I don't know how that industry is reacting because I'm not close enough, but I'm pretty sure they should be in a panic if they're not.
The law as I understand it will make it difficult for companies to use catch-all privacy policies without being specific, and companies will have to make an explicit case for -- for example -- reselling your data to advertising companies if that's not explicitly what you signed up for.
Funnily enough, I work in recruitment marketing and do quite a lot with programmatic targeting and retargeting so am close to it too.
One of the benefits of recruitment is we tend to have a lot of touchpoints to gather informed consent, whether through the points in an ATS, expressions of interest, candidate contact and follow ups.
It's serious, don't get me wrong, but I think given the grey areas in definitions that there are (and the rationales developed for collecting information in the first place), if you're a responsible data controller in the first place, the impact will only be felt in a few ways.
For the purposes of advertising, it's always been sketchy to "sell" data to an ad company. Most of the time it's owned data passed along and processed by them on behalf of the original acquirer (something comparatively easy to get consent for, because it also ties into personalisation) for retargeting. Initial targeting is going to be the hard part, as the right to be forgotten is going to be hard to manage across multiple DSPs.
Analytics is going to be a *, as we'll need to delay any analytics firing until someone's opted in, but this will become blind after a while once someone's opted in or out. Persisting this option will, perversely, mean having to store more personal data around choices, but hey ho.
It's not a combative question - I'm genuinely interested as to whether I've misinterpreted GDPR requirements or not? From what I've seen, as a lot of personal data is willingly traded by people, and the greyness around "legitimate interests" of the controller, the landscape wont look massively different (just perhaps a more invasive privacy notice on first visit?)