GDPR update: implicit consent and pre-checked boxes forbidden
GDPR: if you mentioned that term in the weeks before May 25th 2018, it triggered nervous breakdowns for many IT or marketing professionals. But since it came into effect, things have been surprisingly quiet. Until now. The EU Court of Justice recently ruled in one of the first lawsuits regarding consent within the GDPR, which changes quite a bit in how we handle GDPR. Now, what exactly is the impact of that ruling?
First of all, because of all the vagueness surrounding the topic, it’s excellent a lawsuit took place to finally clarify legislation. In the UK there was controversy over contradictory statements around consent and leaving a lot of marketers (mainly) in a situation of uncertainty. The risks of being not being compliant were high, as we’ve seen with major fines being given to corporations for breaching data protection laws. For example, following an investigation earlier this year, British Airways was fined £183million by the Information Commissioner’s Office (ICO) after hackers stole the personal data of half a million of the airline’s customers. And Google was the first American company to face sanctions under GDPR and was fined £57million for “unambiguous consent” within their new account sign up process. This new ruling provides the clarity many were searching for, although, some might argue that it is further limiting the work of marketers. But ultimately, for the end-user, its a positive step forward for the masses in favour of privacy protection.
In short, the ruling states:
- Implicit consent is not allowed as a method to get (cookie) consent, (implicit consent means ‘if you continue using this website, we will register that as your consent’);
- Pre-checked boxes, even on a cookie bar settings page, are not allowed;
- All consent to advertising or personalisation related cookies needs to be acquired through an explicit action, like checking a box or actively clicking an ‘I accept’ button or both.
So, for the activation of all marketing tags, an explicit user action is required, like checking a box or pressing an ‘I accept’ button. This probably means you will need to update your cookie bar.
An interesting detail is that you are not required to get consent through checkboxes. If in your cookie bar, you clearly describe that after the users’ consent, you place cookies for advertising or personalisation purposes, the click on an ‘I accept’ button is enough. As long as you also provide an ‘I do not accept’ option.
Impact on marketing
Most cookie bars now follow the implicit consent principle, which delivers many users to your re-marketing audiences. Complying with this new ruling will significantly impact the volumes of users that will flow into your marketing campaigns because you depend on the explicit action.
If you update your cookie bar, we suggest making it informative. However, you should pay attention to how you can facilitate users into making a quick yes or no choice of their liking. In the UK, Channel 4 is an excellent example of a cookies bar that uses personalised language to reassure users of data protection and security. Likewise, Coca-Cola displays an informative, user-friendly and functional cookie bar.
The cookie is not dead. Yet.
Together with the developments around Intelligent Tracking Prevention, the new ruling is a big step towards a cookieless world. It’s a new reality. Even companies like Google and Facebook do not yet have a solution to this situation; besides that they acknowledge it.
The cookie isn’t dead, yet. But from a marketing perspective, it is wise to start shifting focus from gaining and targeting new or unknown users, to better servicing your existing users or clients with your first-party data. That, in the end, is also the purpose of both these legislative and technical developments: protect the privacy of your users and shift focus to helping the people that make themselves known to you. It might feel like a different of even more complicated way of doing business and marketing. Then again, putting the clients’ needs first should always be a primary goal.
In short, our advice is to do three things:
- update your cookie bar to make it GDPR compliant to the new ruling
- audit and if necessary update your marketing tag setup, so that for example your remarketing tags only fire after the new explicit consent
- think about how this impacts your marketing strategy and how you can improve the use of your first-party data.
The first two tips are easily implemented now, whereas the third is more strategic to be considered as a long term action. It’s no secret users appreciates open and transparency when it comes to how their personal data is being used online. As the UK prepares for Brexit, the impact of data protection rights and how GDPR will evolve in Britain continues to be a heated topic gaining mass attention in the press and on the streets with protestors demanding answers, and most importantly, demanding privacy.
Please note that this article is advisory only. Even though we’re happy to help, further advice would always be to involve your legal counsel as a company. This way, you’re sure how to decide what actions you should take.