Data Privacy on the rise: Part 1 – Introduction and Risk Analysis
Holger Tempel
Holger is among the first Google Analytics partners worldwide since early 2005. Holger is considered one of the leading experts on digital analytics and is a renowned trainer who can simplify complex ideas into real-world practical examples with actionable insights.
Overview
Since GDPR came into effect in 2018 in Europe, more and more countries have followed suit. The shift toward consumer data protection across the globe has resulted in CCPA, LGPD, and POPI, among others. According to DLA Piper, the following are already in effect or will be in effect shortly: As such regulations spread worldwide, sooner or later, each and every business will be forced to adhere to data privacy regulations. This will impact anyone who runs a website, too.
Data collection prior to GDPR
Prior to the introduction of the GDPR, data collection was completely hassle-free and did not require user consent. The user opened a web page in a browser on their device, and as soon as the website was downloaded, various scripts (so-called tags) sent data to the corresponding systems – regardless of whether these were web analytics systems or marketing automation platforms. Even the mere inclusion of certain technologies triggered data collection by third parties (e.g., Google Maps or YouTube).
(Some) Requirements to fulfill GDPR
Let’s briefly examine some of the requirements to fulfill GDPR regarding data collection on websites.
Consent on a free-will basis User must be able to provide consent freely, and it must be possible to access the website without consent (i.e., access to view those services. It is not technically necessary to provide the service).
Making informed decisions All relevant information (i.e., purpose of processing, processor, etc.) must be available at the point of giving consent.
Granularity The purpose of the data collection must be explained granularly; general consent is not valid.
Explicitness Consent must be given explicitly, e.g., by clicking or tapping; implicit consent is not considered valid.
Consent prior to data collection Technologies not covered by legitimate interest should only be loaded if consent was given.
(Easy) Opt-out Refusing to consent or revoking a given consent must be as easy as giving consent.
Documented consent The website owner must be able to prove that the user’s consent was given and that the consent meets the requirements for valid consent.
How data needs to be collected since GDPR came into effect
GDPR revolutionized the way user behavior data is collected on websites. Such data, which ultimately also serves profiling purposes, may only be collected with the explicit consent of the user. This consent must be voluntary, must be based on informed consent, and must be possible for each technology used. Such requirements created a necessity for consent management systems because, after all, it must be meticulously noted for each user exactly which technology the consent was given for. Thus the idea of the Consent Management Platform, or CMP, was born, which is dedicated to precisely these tasks.
Data protection regulations cause data gaps
The requirement for explicit consent causes problems when it comes to new customers that were acquired by means of a campaign. Since data per se may only be collected after the user has given consent, information regarding campaigns may be lost when the user is referred to the landing page for the first time and is asked to give consent to data collection. Depending on the campaign, channel, and technology used with regard to consent management, data relating to this user will only be collected from the second interaction on the landing page or with the website. In addition, every user has the right to refuse data collection and profiling on websites. The principle also applies that the user should be able to determine very granularly which technologies are allowed to collect data and which are not. This also applies to other existing and future regulations. There is, therefore, a significant danger that a data gap can, and will, occur in numerous places.
Well, the remainder are the new 100%..!
After the GDPR was introduced and came into force in Europe, website owners had different experiences regarding data collection with Google Analytics (as well as other technologies). Decreases in data collection of 10% to even 90% could be observed – depending on the website and industry. This repeatedly raised questions about the validity of the remaining data. It was also repeatedly speculated that very specific “customer groups” might want to avoid tracking. One of the most abstruse claims, however, was that there were certain users, who in the past had been responsible for high ecommerce sales numbers, who would now deliberately avoid data collection with Google Analytics in order to falsify the revenue statistics. Of course, a data protection regulation of this magnitude poses a challenge to marketers and website operators. Ultimately, both can only hope that as many website users as possible give their consent to data collection. Nevertheless, a change in mindset is now necessary in order to be able to continue to evaluate and interpret the remaining numbers with confidence. Therefore, as of the introduction of a CMP, the collected data and figures represent the new 100%. A further challenge offered by a marketer’s new worldview is that it makes little sense to compare the data collected with the historical data from this point on. Here at e-CENS, we work to overcome these challenges and will continue to lead the conversation as to how we can best navigate the new Web2 realities.
Upcoming
Next in the series, we consider how a CMP works…
Holger Tempel
Holger is among the first Google Analytics partners worldwide since early 2005. Holger is considered one of the leading experts on digital analytics and is a renowned trainer who can simplify complex ideas into real-world practical examples with actionable insights.