Industry Insights

Syndicated News

One Month Into the GDPR – Who’s Misbehaving?

The asteroid called GDPR slammed into business operations around the globe on May 25 – dramatically transforming the environment for marketers, customer experience teams, and the broader organization. The question now is: Who will adapt more quickly and successfully to the new environment? Who will discover and master the strategies that allow them to not only survive but thrive in the new competitive landscape created by the GDPR? And who, on the other hand, will resist change, cling to old habits, and risk extinction?

As with living organisms, most of the adaptations and mutations demanded or encouraged by the GDPR remain invisible to the casual observer. Whether a company is properly conducting data protection impact assessments or practicing “data protection by design” will usually require genetic-level study of data processing practices by an EU member state regulator.

Other changes, however, are right on the surface. Indeed, they are intended to be noticed, like a prominent horn or colorful plumage. The most obvious of these are consent and privacy notifications. One month into the GDPR era, I’m going to kick off my series of guest posts for the Crownpeak blog by reviewing some of these notices for early signs of who seems to be on the right track to both comply with the GDPR and to build new trust-based relationships with consumers.

[First, the requisite disclaimer: I’m not a lawyer (not that you have to be one to understand the GDPR, in my view). Nothing in this post is intended as or to be taken as legal opinion, guidance, or advice. Also, the views expressed are strictly my own and do not represent those of Crownpeak.]

Consent is all about communication, choice, and control

The GDPR has been called “one of the most complex pieces of legislation” ever produced. Maybe, but most of the conditions for seeking consent to use someone’s personal data are firmly rooted in common sense.

The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data relating to him or her” (Article 4(11)). Each term here is crucial, so let’s break it down.

  • “Freely given”: The data subject (henceforth, I’ll substitute “consumer”) must be in a position to refuse the request “without detriment.” It seems evident that this means that a site or service may not require consent for data processing – with the exception of that data which is strictly necessary for the service to operate. (See Article 7(4).) 
  • “Specific”: Consent must be requested for a specific purpose; it may not be general or “omnibus.” Separate consents are required for different processing purposes. (Or bundled requests must present granular choice – e.g., if you request consent for a, b, and c, I must be able to say yes to a and c, but not to b, etc.)
  • “Informed”: The consent request must be presented in a “concise, transparent, intelligible and easily accessible form, using plain and clear language.” Moreover, the request should be “clearly distinguishable from other matters” – i.e., not buried in a long privacy policy or terms and conditions document. (See Article 7(2).)
  • “Unambiguous”: The consumer’s consent must be indicated by a “clear affirmative action.” Recital 32 states that “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

With that primer on the requirements for consent, let’s look at examples of actually existing consent requests.

The Good – Disqus

From, accessed May 31, 2018

Disqus is admittedly a niche service with little need for broad data collection. Nevertheless, their concise consent request literally ticks all of the right boxes. The notification first states clearly how and why personal data is used in the provision of the service. The use of email and IP addresses is pre-checked, since these are strictly necessary for the service to operate. In contrast, the consumer has genuine and clear choice about whether to consent to data processing for personalization and advertising purposes. More detail about how data is shared for these purposes is available by drilling down on the Data Sharing Policy. (This is an example of a “layered” consent notification that provides all of the information required by the GDPR while remaining “intelligible and easily accessible.”)

The Well-meaning – Weather Underground

From, accessed June 24, 2018

Like Disqus, Weather Underground breaks out four distinct processing purposes and enables choice for the three that are not required. When I visited the site on May 31, “Opt-in” was selected by default. That constitutes “pre-ticked boxes,” in violation of the requirement for a “clear affirmative action” to indicate consent. I don’t know if it was the power of my tweeted complaint, but the Weather Underground has now switched the default to “Opt-out”.

The Ugly – Slate

From, accessed June 1, 2018

Slate’s approach is popular among publishers – who, granted, are so wrapped up in the complex, surveillance-based adtech ecosystem that full compliance with the GDPR seems like a Sisyphean task. Nevertheless, this initial pop-up notification falls far short in several respects. First, it communicates nothing about what data will be collected, for what specific purposes it will be processed, or with whom it will be shared. All of that information might be available if you click down into the privacy policy – but in that case it is neither “clearly distinguishable from other matters” nor presented in a “concise” and “easily accessible” manner. Moreover, if you do bother to dig into the privacy policy, you find this advice about withdrawing consent:

From, accessed June 1, 2018

However, Article 7(3) states that “It shall be as easy to withdraw as to give consent.” Since Slate enables consent with a prominent “Agree” button on the initial pop-up, withdrawing consent cannot reasonably require a consumer to master the deletion of specific cookies from their browsers. (This is ignoring the last sentence, which implies that if you do find the right cookie to opt-out, you’re banned from accessing any Slate content. That’s a “consent wall,” which is more clearly present in the case of Facebook.)

The Obstinate – Facebook

From, accessed May 2, 2018

Notice that tiny “see your options” link cowering next to the prominent “I Accept” button? (Yeah, I didn’t either at first.) Well it turns out your only “option” is to delete your Facebook account. So this isn’t a consent request, it is a consent demand. Facebook precisely does not distinguish the personal data processing that is necessary for the social platform to function from the processing that is desired for their targeted advertising business model to operate at highest efficiency. Unsurprisingly, the non-profit advocacy group None Of Your Business (NOYB) filed a complaint against Facebook on May 25, the day the GDPR came into effect. (Similar complaints, on similar grounds, were filed by NOYB against Google, Whatsapp, and Instagram.)

Clinging to user-hostility?

In my view, the notifications from the likes of Facebook and Slate (indeed, from nearly every online publisher I’ve encountered) obviously fall short of GDPR requirements. If so, we have to ask: What are they thinking? Why offer such a manifestly deficient response to the GDPR?

Three suggestions I’ve heard:

  • They think they’re right and can win in court: This seems delusional. Erecting a consent wall, or offering only complex and unreliable ways to withhold consent, not only contravenes the GDPR but also flies in the face of repeated public statements by member state authorities such as the UK’s Information Commissioner’s Office (ICO), EU-level opinions (by, for example, the Article 29 Working Party, now known as the European Data Protection Board), and court decisions in France, Belgium, and Germany. (See, for example, Dr. Johnny Ryan’s masterful analysis of the Belgian case.)
  • They’re just doing their job: At least in the US, executives at publicly held companies arguably have a fiduciary responsibility to maximize shareholder returns. From this perspective, Facebook et al. are doing the right thing by continuing to milk the surveillance-based cow until it’s finally confiscated by the EU regulators.
  • They’re following the “letter of the law”: This view holds that clever lawyers can take advantage of loopholes in the text of the GDPR and devise ways for companies to escape from the obligations and responsibilities the regulation seeks to impose. The flaw in this view is that it fails to recognize that the GDPR is a principles-based regulation (PBR) – which effectively erases any distinction between the “letter” and the “spirit” of the law. Unlike a rules-based regulation, which spells out specifically what you may and may not do, a PBR specifies outcomes.  Ultimately, in the case of the GDPR, the outcome is ensuring that people have control of their personal data (Recital 7) – and the regulation leaves it to the organization to determine how to get there. I think it’s safe to say that torturing the letter of the law to excuse uninterrupted collection and sharing of personal data is doing anything but delivering control of data processing to consumers.

And that’s the bottom line. At this early point in the GDPR era, the evidence from these and other consent notifications indicates that far too many companies think they are just playing a game of cat and mouse with the EU regulators.

But that means that they’re trying to maintain the status quo with consumers and their personal data, which is a game of voracious wolf versus helpless sheep. Surveys indicate that consumers are fed up with that game: 90% of US adults feel they’ve lost control over their data; in a 2017 global survey, 80% named “if they use my data without my knowledge” as a top reason they would abandon a provider.

Consumers worldwide are looking for and favoring data shepherds that help them understand and maintain control over how their data is collected, used, and shared. Trying to work around that expectation in your consent notification isn’t clever. It’s suicidal.


View original content: Here

Related Crownpeak News:

Are Governments Providing Improved Digital Experiences During a Global Pandemic?