One Month Into the GDPR – Who’s Misbehaving?
The asteroid called GDPR slammed into business operations around the globe on May 25 – dramatically transforming the environment for marketers, customer experience teams, and the broader organization. The question now is: Who will adapt more quickly and successfully to the new environment? Who will discover and master the strategies that allow them to not only survive but thrive in the new competitive landscape created by the GDPR? And who, on the other hand, will resist change, cling to old habits, and risk extinction?
As with living organisms, most of the adaptations and mutations demanded or encouraged by the GDPR remain invisible to the casual observer. Whether a company is properly conducting data protection impact assessments or practicing “data protection by design” will usually require genetic-level study of data processing practices by an EU member state regulator.
Other changes, however, are right on the surface. Indeed, they are intended to be noticed, like a prominent horn or colorful plumage. The most obvious of these are consent and privacy notifications. One month into the GDPR era, I’m going to kick off my series of guest posts for the Crownpeak blog by reviewing some of these notices for early signs of who seems to be on the right track to both comply with the GDPR and to build new trust-based relationships with consumers.
[First, the requisite disclaimer: I’m not a lawyer (not that you have to be one to understand the GDPR, in my view). Nothing in this post is intended as or to be taken as legal opinion, guidance, or advice. Also, the views expressed are strictly my own and do not represent those of Crownpeak.]
Consent is all about communication, choice, and control
The GDPR has been called “one of the most complex pieces of legislation” ever produced. Maybe, but most of the conditions for seeking consent to use someone’s personal data are firmly rooted in common sense.
The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data relating to him or her” (Article 4(11)). Each term here is crucial, so let’s break it down.
- “Freely given”: The data subject (henceforth, I’ll substitute “consumer”) must be in a position to refuse the request “without detriment.” It seems evident that this means that a site or service may not require consent for data processing – with the exception of that data which is strictly necessary for the service to operate. (See Article 7(4).)
- “Specific”: Consent must be requested for a specific purpose; it may not be general or “omnibus.” Separate consents are required for different processing purposes. (Or bundled requests must present granular choice – e.g., if you request consent for a, b, and c, I must be able to say yes to a and c, but not to b, etc.)
- “Unambiguous”: The consumer’s consent must be indicated by a “clear affirmative action.” Recital 32 states that “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
With that primer on the requirements for consent, let’s look at examples of actually existing consent requests.
The Good – Disqus
Disqus is admittedly a niche service with little need for broad data collection. Nevertheless, their concise consent request literally ticks all of the right boxes. The notification first states clearly how and why personal data is used in the provision of the service. The use of email and IP addresses is pre-checked, since these are strictly necessary for the service to operate. In contrast, the consumer has genuine and clear choice about whether to consent to data processing for personalization and advertising purposes. More detail about how data is shared for these purposes is available by drilling down on the Data Sharing Policy. (This is an example of a “layered” consent notification that provides all of the information required by the GDPR while remaining “intelligible and easily accessible.”)
The Well-meaning – Weather Underground
Like Disqus, Weather Underground breaks out four distinct processing purposes and enables choice for the three that are not required. When I visited the site on May 31, “Opt-in” was selected by default. That constitutes “pre-ticked boxes,” in violation of the requirement for a “clear affirmative action” to indicate consent. I don’t know if it was the power of my tweeted complaint, but the Weather Underground has now switched the default to “Opt-out”.
The Ugly – Slate
However, Article 7(3) states that “It shall be as easy to withdraw as to give consent.” Since Slate enables consent with a prominent “Agree” button on the initial pop-up, withdrawing consent cannot reasonably require a consumer to master the deletion of specific cookies from their browser. (This is ignoring the last sentence, which implies that if you do find the right cookie to opt out, you’re banned from accessing any Slate content. That’s a “consent wall,” which is more clearly present in the case of Facebook.)
The Obstinate – Facebook
Notice that tiny “see your options” link cowering next to the prominent “I Accept” button? (Yeah, I didn’t either at first.) Well, it turns out your only “option” is to delete your Facebook account. So this isn’t a consent request; it is a consent demand. Facebook does not distinguish the personal data processing that is necessary for the social platform to function from the processing its targeted advertising business model needs in order to operate at the highest efficiency. Unsurprisingly, the non-profit advocacy group None Of Your Business (NOYB) filed a complaint against Facebook on May 25, the day the GDPR came into effect. (Similar complaints, on similar grounds, were filed by NOYB against Google, WhatsApp, and Instagram.)
Clinging to user-hostility?
In my view, the notifications from the likes of Facebook and Slate (indeed, from nearly every online publisher I’ve encountered) obviously fall short of GDPR requirements. If so, we have to ask: What are they thinking? Why offer such a manifestly deficient response to the GDPR?
Three suggestions I’ve heard:
- They think they’re right and can win in court: This seems delusional. Erecting a consent wall, or offering only complex and unreliable ways to withhold consent, not only contravenes the GDPR but also flies in the face of repeated public statements by member state authorities such as the UK’s Information Commissioner’s Office (ICO), EU-level opinions (by, for example, the Article 29 Working Party, now known as the European Data Protection Board), and court decisions in France, Belgium, and Germany. (See, for example, Dr. Johnny Ryan’s masterful analysis of the Belgian case.)
- They’re just doing their job: At least in the US, executives at publicly held companies arguably have a fiduciary responsibility to maximize shareholder returns. From this perspective, Facebook et al. are doing the right thing by continuing to milk the surveillance-based cow until it’s finally confiscated by the EU regulators.
- They’re following the “letter of the law”: This view holds that clever lawyers can take advantage of loopholes in the text of the GDPR and devise ways for companies to escape from the obligations and responsibilities the regulation seeks to impose. The flaw in this view is that it fails to recognize that the GDPR is a principles-based regulation (PBR) – which effectively erases any distinction between the “letter” and the “spirit” of the law. Unlike a rules-based regulation, which spells out specifically what you may and may not do, a PBR specifies outcomes. Ultimately, in the case of the GDPR, the outcome is ensuring that people have control of their personal data (Recital 7) – and the regulation leaves it to the organization to determine how to get there. I think it’s safe to say that torturing the letter of the law to excuse uninterrupted collection and sharing of personal data is doing anything but delivering control of data processing to consumers.
And that’s the bottom line. At this early point in the GDPR era, the evidence from these and other consent notifications indicates that far too many companies think they are just playing a game of cat and mouse with the EU regulators.
But that means that they’re trying to maintain the status quo with consumers and their personal data, which is a game of voracious wolf versus helpless sheep. Surveys indicate that consumers are fed up with that game: 90% of US adults feel they’ve lost control over their data; in a 2017 global survey, 80% named “if they use my data without my knowledge” as a top reason they would abandon a provider.
Consumers worldwide are looking for and favoring data shepherds that help them understand and maintain control over how their data is collected, used, and shared. Trying to work around that expectation in your consent notification isn’t clever. It’s suicidal.
Tim Walters, Ph.D., Privacy Lead at The Content Advisory