EU Privacy Regulations: A Greek Tragedy
September 14, 2017 – Scott Meyer
There are so many conflicting opinions and messages — or lack thereof — on EU privacy (specifically GDPR and the proposed ePrivacy Regulation) that I’m going to take another crack at boiling things down. Evidon’s leadership team is speaking at just about every event on this topic over the next several months, so there will be plenty of chances for us to dig deeper. If you aren’t on the privacy conference circuit, or you aren’t an Evidon client, this post should help you wrap your head around the situation and communicate what really matters to your organization.
First, let’s define the interested parties and the relevant regulations:
- Brands = Buyers of advertising.
- Publishers = Sellers of advertising.
- Tech providers = Advertising- and Marketing-Technology companies that collect data on behalf of Brands & Publishers. In GDPR/Cookie Law speak, these are Data Processors.
- GDPR = The EU’s General Data Protection Regulation. This goes into effect on May 25, 2018.
- Cookie Law = The EU’s ePrivacy Directive, as most recently amended in 2011, which provides for notice and consent when tracking technologies like cookies are used.
- ePrivacy Regulation = The proposed revisions to the Cookie Law that could significantly tighten the flexibility that Brands, Publishers and Tech providers have to collect user data.
So far so good? OK, now time to unpack the different issues, where they are connected and where they aren’t.
Point 1: Regardless of what happens with the proposed changes to the Cookie Law, the GDPR definition of Consent will become the standard as of May 25, 2018. That’s because EU directives adopt the underlying data protection regime that exists at the time which, as of May 2018, is the GDPR. This means that the Cookie Consent banners you see today have to change (Evidon delivered around 1 trillion of these last year on behalf of our clients).
Today there are two standard forms of consent: “Implied Consent,” where all the tracking occurs when the site loads and the user is given notice that it’s happening; and “Prior” or “Explicit” Consent, where the site doesn’t load until the user has clicked “I Accept” or edited their settings. Neither of these forms will be compliant in May 2018, but that has nothing to do with the proposed changes to the Cookie Law.
Informed Consent notices will become a thing of the past for just about every type of Tech provider. The Publisher or Brand site will need to separate essential cookies from non-essential ones and get Explicit Consent for non-essential tracking. Tech providers could be considered “non-essential.” This is not great news if you are a Tech provider and your data collection practices are opaque, but that’s the law.
Explicit Consent notices that hold the entire site back from loading will no longer be compliant either. The essential tracking will still happen, and the same requirement for Explicit Consent for non-essential tracking applies.
That’s life, folks. But remember, this has nothing to do with the planned changes to the Cookie Law that are causing massive indigestion in the Tech space.
Point 2: While some key parts of the planned revisions to the Cookie Law are not yet set in stone, the definition of consent is. The time to lobby to keep them from getting worse is now. My friend Randall Rothenberg, CEO of the Interactive Advertising Bureau, wrote a call to arms just a few weeks ago: “European regulators are about to kill the digital media industry” (disclosure: we are partnered with the IAB for the Ad Choices program).
I think he has it mostly right, in that the proposed language of the ePrivacy Regulation aligns with the consent requirements of the GDPR:
“No user shall be denied access to any [online service] or functionality,” the proposed amendment says, “regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent […] to the processing of personal information and/or the use of storage capabilities of his or her [device].”
However, as of now there is no indication there will be any changes made to the Cookie Law in the foreseeable future. Personally, I think there’s no chance these proposed revisions are enacted in time to align with the GDPR deadline next May.
But, it’s not doomsday if the Publisher can demonstrate that they have a legal basis that makes key data collection practices essential. The Cookie Law applies to accessing and/or storing information on a user’s device, e.g. via cookies. Tracking itself could – in theory – be justified using “legitimate interests” under the GDPR.
Point 3: Publishers and Brands who master control over their supply chains aren’t in nearly as much trouble as it seems. It comes down to the enforcement and how you make your case. The IAB EU has launched www.datadrivenadvertising.eu, which further explains this crucial nuance.
If you aren’t a policy wonk like we are here at Evidon, it’s easy to misunderstand how regulations get implemented. Regulations are often purposefully worded ambiguously so as to give the industry room to maneuver while figuring out how to balance business needs with compliance requirements. It’s annoying, and can be expensive, but it typically leads to good outcomes for businesses and consumers.
Again, regardless of what the regulation states, it’s all in the enforcement. While there certainly are factions inside of the European Commission that dislike the use of any data to target ads to users, this stance is hardly universal. Regulators will be given a lot of leeway at the EU member state level (e.g. country) for how strictly they enforce different aspects of the regulation.
That’s why any Publisher or Brand has to start with knowing which Tech providers are collecting data on their users, and what they are doing with it. Industry groups, like the IAB, working with Publishers and Brands can do a lot more to promote transparent data collection practices in the digital supply chain. Backing that up with comprehensive supply chain mapping and clear consent notices can make a significant impact in favor of the digital media industry.
This Is An Opportunity
I personally think that most EU regulators are trying to balance personal data privacy protections with the need to keep the digital economy growing. Public policy conflicts are always messy. Opinions naturally run hot when there are billions of Euro, Dollars and Sterling at stake.
But every party needs to go back to the user, recognize that users have a fundamental right to privacy, and start from there. If consumers have both clear explanations of how the sites they visit are using their data and the ability to adjust this collection at the site level, then their trust in the digital media ecosystem can only increase.
That’s where the GDPR becomes an opportunity. We’re already working with many leading brands who want to approach privacy like nutrition labeling on food. Those notices are layered. The basics, such as how many calories and grams of fat, are straightforward, while the deeper details are there if the user needs to understand what specific ingredients are in their tasty snack.
Digital media is no different.
Don’t panic. Take control of your digital supply chain. Work with Tech providers you trust. Be transparent with consumers and give them real choices. The regulators are going to focus on the Brands and Publishers who don’t take this seriously. They aren’t going to destroy the industry.