Viewers of Netflix documentary The Social Dilemma would be familiar with the phrase “if you’re not paying for the product, you are the product”.

For new Pureprofile (ASX:PPL) CEO Martin Filz, it’s a particularly relevant concept as governments globally enact sweeping legislative changes to data protection laws.

Among major global economies, Europe has so far established the strictest regulatory framework with the establishment of its General Data Protection Regulations (GDPR).

Internet giant Google was one of the first high-profile GDPR casualties when it copped a $US57m fine for providing a lack of information on how its Android platform collects data (a penalty which was upheld on appeal in June).

The US framework is more complex, with a consensus view that streamlined federal laws addressing the subject are still years away.

Meanwhile, the Australian government has this week launched a review of the country’s Privacy Act, which among other things is seeking feedback on whether GDPR-level privacy measures are necessary or desirable.

Data security = big business

Speaking with Stockhead recently, Filz said the flurry of activity is reflective of efforts to play “regulatory catchup” for how data is used online.

“If you take it back to the rise of the internet, what’s happened is that the legislation which governments around the world had in place wasn’t fit for the online purpose,” he said.

“The internet has formed around social media and ecommerce channels which are based on being able to harvest user data.”

“And in the main, that’s not a negative. The correct harvesting of user data can be an important factor in delivering a better customer experience.”

“So the premise is positive. But where it’s gone awry is when data is harvested with the aim of providing specific content around fake or biased news to change opinions or behaviour,” Filz said.

One of the most obvious examples of that was data analytics company Cambridge Analytica, which became embroiled in a scandal when it was revealed the company harvested data from millions of Facebook users without their consent.

In that context, Filz said the primary goal of privacy laws such as the GDPR is “aimed at how companies store data, not at how data is used for online and search”.

“So for any company that holds personally identifiable client data, it covers how they share that data and whether or not they have explicit permission to do so,” he said.

Filz said the use of “persistent cookies” – where, say, you search an online bicycle shop and then bicycle ads start appearing across different sites – is also being phased out in order for companies such as Google to adhere to new regulatory standards.

And looking ahead, an interesting thing for investors to consider is how those legislative changes will create new challenges and opportunities in the market for online advertising, Filz said.

“Today, around 80 per cent of online advertising is programmatic which means it’s automated through computers. And that process is only accurate if it has some sort of data information behind it,” he said.

“So as an advertiser I’ve got a problem. And as a publisher I have a problem because a large amount of my revenue comes from advertising.”

The shift will see increased priority placed on the establishment of first party databases, “so I can deliver them a relevant ad to get a return on click through rates or product sales,” Filz said.

And as a result, he cited Goldman Sachs research which indicates that by 2022 the global data industry will be worth more than $250 billion.

In that environment, “any company that works with first party of permissioned base data has an inherent value”, Filz said.

“And any company that’s providing advertising from data sets that are not its own permission-based, will struggle in future as the legislation moves against it.”