Is GDPR Consent A Website Killer? It Doesn’t Have To Be!
July 10, 2017 – Scott Meyer
Your current Cookie Notice isn’t going to work as of May 25th, 2018. Changing it doesn’t have to be a crisis.
I can see it coming. Sometime in the next 6 months, if you are on the team that makes your site work (Web Operations, Content Management or eCommerce), you will be called into a meeting with the CIO, the CISO and the Chief Privacy Officer (or the head lawyer who deals with privacy). There will be a lot of ashen-faced people. The meeting will start with one of them saying:
“So listen, we have to change how our sites and apps work. We now have to change how tracking scripts fire and when cookies are dropped on our users. We will have to get consent before we start tracking users and/or building profiles. And it has to be done right away. Otherwise we will be exposed to fines of at least €20 million and up to 4% of global revenue.”
With none of this on your product roadmap, your first reaction is going to leave you feeling like Mel Brooks in the 1970s classic film “High Anxiety”.
You will start reaching out to friends in the industry, asking them if they are dealing with this too. Lawyers will be everywhere. What do you do?
Here’s my suggestion for the simplest quick-start guide:
Your current Cookie Notice isn’t going to work as of May 25th, 2018. There are two common implementations: “Informed Consent” and “Prior/Explicit Consent”.
- “Prior/Explicit Consent” is common mostly in The Netherlands. This is where you see a barrier page and the user has to agree to tracking before they can use the site.
The GDPR is crystal clear – neither of these approaches will work. There is a solution, but it’s going to be a bit more involved than just changing what your Cookie Consent banner says.
Figure Out What Data Collection (or Profiling) is Essential, Where You Have a Legitimate Business Interest to Profile vs. Where You Have To Get Prior, Explicit Consent
I will guarantee two things. First, one of the first EUR 20 million fines from an EU Data Protection Authority will be over lack of proper consent. Second, the company that gets nailed won’t have done a proper privacy impact assessment of its profiling operations, because it got distracted by other GDPR projects it mistakenly thought were more pressing.
Your site has to know how it profiles users, and your consent options have to handle the three cases differently: Essential data collection, data collection where you have a Legitimate Business Interest (which fires by default but must honour an opt-out), and data collection where you have to get prior, explicit consent before anything fires. As I wrote recently, this is where the GDPR and ePrivacy game will be won or lost.
It’s a Change To Your Site, Not Something Your Tag Management System Can Do Alone
Getting this to work right means changes to your site’s code, not just to its banner. You need to know where every data collection tag fires from and adjust when it is allowed to fire. Your Tag Management System can help here, but it’s not going to solve the problem on its own. Tag managers are great, but they only control the tags they write out directly. They cannot see tags that another tag loads (a redirect, also called a daisy chain or piggyback), and a tag that was never put in the Tag Manager is outside its reach altogether. That’s typically 50-70% of the tags we see on any site.
Sorry, IT and Marketing: you’re going to have to work together to get a comprehensive view of what’s there, segment out which profiling technology requires prior consent, ensure none of those tags fire until the user has consented, and ensure that the user can change their mind and withdraw that consent at any time.
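To make the three-way split above and the fire-only-after-consent / withdraw-at-any-time requirement concrete, here is an added example of a consent gate written for this page. It is not the article’s code and not any tag manager’s or vendor’s API; the tag inventory, vendor names and URLs are constructed for the illustration. It shows one way to encode the legal basis per tag, let a piggybacking tag inherit the requirements of everything it loads, fail closed on anything the inventory does not list, and tear down tags when consent is withdrawn.

```javascript
// Added example (not the article's or any vendor's code): a consent gate that
// decides which tags may fire from the site's own inventory and handles
// withdrawal. Runs under Node with no DOM; a browser loader is shown at the end.
//
// Each tag is classified by its legal basis:
//   "essential"           - needed to serve the page, never gated
//   "legitimate_interest" - fires by default, must honour an opt-out
//   "consent"             - must not fire until the user opts in
// A tag that piggybacks other tags lists them in `loads`; it inherits every
// requirement of what it loads, because once it runs the site no longer
// controls what it pulls in. Anything it loads that is NOT in the inventory is
// treated as needing a consent nobody can give, so the tag stays blocked until
// the inventory is completed (fail closed).

// Constructed sample inventory; vendor names and URLs are hypothetical.
const TAG_INVENTORY = [
  { id: "csrf-token",     basis: "essential",           purpose: "security",  src: "/js/csrf.js" },
  { id: "site-stats",     basis: "legitimate_interest", purpose: "analytics", src: "https://stats.example/s.js" },
  { id: "ad-pixel",       basis: "consent",             purpose: "ads",       src: "https://ads.example/p.js" },
  { id: "tm-container",   basis: "legitimate_interest", purpose: "analytics", src: "https://tm.example/c.js",
    loads: ["retarget-pixel"] },                        // the container daisy-chains a retargeting pixel
  { id: "retarget-pixel", basis: "consent",             purpose: "ads",       src: "https://rt.example/x.js" },
  { id: "mystery-widget", basis: "legitimate_interest", purpose: "analytics", src: "https://w.example/w.js",
    loads: ["unlisted-tag"] },                          // loads something nobody has inventoried yet
];

// Collect, transitively, the purposes a tag needs an opt-in for and the
// purposes for which it must honour an opt-out.
function requirements(tagId, inventory, seen = new Set()) {
  const req = { consent: new Set(), optOut: new Set() };
  if (seen.has(tagId)) return req;                      // cycle guard; first visit already counted it
  seen.add(tagId);
  const tag = inventory.find(t => t.id === tagId);
  if (!tag) { req.consent.add("unknown:" + tagId); return req; }   // fail closed on unknown piggybacks
  if (tag.basis === "consent") req.consent.add(tag.purpose);
  if (tag.basis === "legitimate_interest") req.optOut.add(tag.purpose);
  for (const child of tag.loads || []) {
    const sub = requirements(child, inventory, seen);
    sub.consent.forEach(p => req.consent.add(p));
    sub.optOut.forEach(p => req.optOut.add(p));
  }
  return req;
}

class ConsentGate {
  constructor(inventory, loadScript) {
    this.inventory = inventory;
    this.loadScript = loadScript;   // injected so the logic is testable outside a browser
    this.state = {};                // purpose -> true (opted in) | false (opted out); absent = no choice yet
    this.fired = new Set();
    this.record = [];               // consent record: every change and when it was made
  }
  mayFire(tagId) {
    const req = requirements(tagId, this.inventory);
    for (const p of req.consent) if (this.state[p] !== true) return false;   // opt-in required
    for (const p of req.optOut) if (this.state[p] === false) return false;   // opt-out honoured
    return true;
  }
  run() {                           // fire whatever is permitted and not yet fired
    const started = [];
    for (const tag of this.inventory) {
      if (this.fired.has(tag.id) || !this.mayFire(tag.id)) continue;
      this.loadScript(tag);
      this.fired.add(tag.id);
      started.push(tag.id);
    }
    return started;
  }
  update(choices) {                 // choices: { purpose: true|false }, straight from the consent UI
    Object.assign(this.state, choices);
    this.record.push({ at: new Date().toISOString(), choices: { ...choices } });
    // A script that already ran cannot be un-run; the caller must tear it down
    // (remove its element, delete its cookies) and it will not fire again.
    const stopped = [...this.fired].filter(id => !this.mayFire(id));
    stopped.forEach(id => this.fired.delete(id));
    return { started: this.run(), stopped };
  }
}

// Browser loader: only ever called for tags the gate has cleared.
function browserLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// Walk through a first page view with no choice, an opt-in to ads, then withdrawals.
function demo() {
  const loaded = [];
  const gate = new ConsentGate(TAG_INVENTORY, tag => loaded.push(tag.src));
  const steps = [];
  steps.push({ step: "first load", started: gate.run(), stopped: [] });
  steps.push({ step: "opt in to ads", ...gate.update({ ads: true }) });
  steps.push({ step: "withdraw ads", ...gate.update({ ads: false }) });
  steps.push({ step: "opt out of analytics", ...gate.update({ analytics: false }) });
  return { steps, loaded };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 1));
}
```

Two design points matter more than the plumbing. First, the container tag is classified as legitimate interest on its own, yet it never fires until the user opts in to ads, because it loads a retargeting pixel; that is the daisy-chain case a tag manager cannot see for you. Second, the widget that loads an unlisted tag never fires at all, which is the right default until someone finishes the inventory. In a real site the `record` array would be persisted server-side with the version of the notice the user saw, and withdrawal would also clear the vendor’s cookies, since the gate only stops future firing.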
This isn’t impossible by any means. But it is impossible if you think your site doesn’t have to change and if your digital supply chain is still a mystery. And it’s going to be really painful if you wait until the last minute.