“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Guillaume Marcerou, global privacy director at Criteo.
When General Data Protection Regulation (GDPR) goes into effect on May 25, it will unify the various data privacy laws that exist across all 28 member states of the EU, including the UK.
This is a nuanced but critical point. Major global corporations with EU offices are already accustomed to complying with country-level data privacy and security requirements and are thus already complying with key elements of GDPR.
As the clock winds down to the regulation, it is imperative that marketers understand the intricacies of the policies, beginning with the areas for interpretation most commonly misconstrued.
The True Purpose Of GDPR
The GDPR aligns data protection policies across EU member states while providing consistent application and enforcement by local data protection authorities in each EU member state. Its objectives are to:
- Modernize the legal system to protect personal data in an era of globalization and technological innovation.
- Strengthen individual rights while reducing administrative burdens to ensure a free flow of personal data within the EU.
- Bring clarity and coherence to personal data protection rules and ensure consistent application and effective implementation across the EU.
User Consent Qualifications
Since 2009 and the amendment of the ePrivacy EU Directive – also known as the cookie directive – in-browser messages have been the rule to obtain cookie consent within the EU.
Explicit consent means the user must opt in. This applies to sensitive personal data such as race, religion, sexual orientation, political affiliation and health status.
This definition of nonambiguous consent is supported by numerous international governing bodies and agencies, including the guidance issued by the Spanish Data Protection Authority and other authorities.
Consent can only be valid if it is “freely given,” where the data subject can exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he or she does not consent. Ultimately, users must have the ability to refuse services directly from the cookie message without suffering any consequences.
For consent to be valid, it must be “specific” and “informed” by appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable. For example, an opt-out message that specifically informs users they are consenting to “cross-site tracking technology” would not pass muster.
The GDPR is a positive development that will foster trust in the digital economy and provide an environment of transparency, control and certainty for advertisers and customers. If GDPR provides efficient tools to reinstate trust in the ecommerce ecosystem, it comes with a shared responsibility for all actors to review their practices to effectively make this trust happen.