Data Privacy on the rise: Part 1 – Introduction and Risk Analysis

Overview

Since GDPR came into effect in 2018 in Europe, more and more countries have followed suit. The shift toward consumer data protection across the globe has resulted in CCPA, LGPD, and POPI, among others. According to DLA Piper, the following are already in effect or will be in effect shortly:

As such regulations spread worldwide, sooner or later, each and every business will be forced to adhere to data privacy regulations. This will impact anyone who runs a website, too.

Data collection prior to GDPR

Prior to the introduction of the GDPR, data collection was completely hassle-free and did not require user consent.

The user opened a web page in a browser on their device, and as soon as the website was downloaded, various scripts (so-called tags) sent data to the corresponding systems – regardless of whether these were web analytics systems or marketing automation platforms. Even the mere inclusion of certain technologies triggered data collection by third parties (e.g., Google Maps or YouTube).

(Some) Requirements to fulfill GDPR

Let’s briefly examine some of the requirements to fulfill GDPR regarding data collection on websites.

	Consent on a free-will basis User must be able to provide consent freely, and it must be possible to access the website without consent (i.e., access to view those services. It is not technically necessary to provide the service).
	Making informed decisions All relevant information (i.e., purpose of processing, processor, etc.) must be available at the point of giving consent.
	Granularity The purpose of the data collection must be explained granularly; general consent is not valid.
	Explicitness Consent must be given explicitly, e.g., by clicking or tapping; implicit consent is not considered valid.
	Consent prior to data collection Technologies not covered by legitimate interest should only be loaded if consent was given.
	(Easy) Opt-out Refusing to consent or revoking a given consent must be as easy as giving consent.
	Documented consent The website owner must be able to prove that the user’s consent was given and that the consent meets the requirements for valid consent.

How data needs to be collected since GDPR came into effect

GDPR revolutionized the way user behavior data is collected on websites. Such data, which ultimately also serves profiling purposes, may only be collected with the explicit consent of the user. This consent must be voluntary, must be based on informed consent, and must be possible for each technology used. Such requirements created a necessity for consent management systems because, after all, it must be meticulously noted for each user exactly which technology the consent was given for. Thus the idea of the Consent Management Platform, or CMP, was born, which is dedicated to precisely these tasks.

As per GDPR requirements, the user should also be given the opportunity to explicitly consent to the collection of data. This was, and is, mainly achieved with the help of consent banners, which are displayed by the consent management platform (CMP) when the user visits the website for the first time. A CMP ensures that only when the user gives consent to data collection, is the data collected accordingly and passed on to the respective platform.

Data protection regulations cause data gaps

The requirement for explicit consent causes problems when it comes to new customers that were acquired by means of a campaign. Since data per se may only be collected after the user has given consent, information regarding campaigns may be lost when the user is referred to the landing page for the first time and is asked to give consent to data collection. Depending on the campaign, channel, and technology used with regard to consent management, data relating to this user will only be collected from the second interaction on the landing page or with the website. In addition, every user has the right to refuse data collection and profiling on websites. The principle also applies that the user should be able to determine very granularly which technologies are allowed to collect data and which are not. This also applies to other existing and future regulations.

There is, therefore, a significant danger that a data gap can, and will, occur in numerous places.

Well, the remainder are the new 100%..!

After the GDPR was introduced and came into force in Europe, website owners had different experiences regarding data collection with Google Analytics (as well as other technologies). Decreases in data collection of 10% to even 90% could be observed – depending on the website and industry. This repeatedly raised questions about the validity of the remaining data. It was also repeatedly speculated that very specific “customer groups” might want to avoid tracking. One of the most abstruse claims, however, was that there were certain users, who in the past had been responsible for high ecommerce sales numbers, who would now deliberately avoid data collection with Google Analytics in order to falsify the revenue statistics. Of course, a data protection regulation of this magnitude poses a challenge to marketers and website operators. Ultimately, both can only hope that as many website users as possible give their consent to data collection. Nevertheless, a change in mindset is now necessary in order to be able to continue to evaluate and interpret the remaining numbers with confidence. Therefore, as of the introduction of a CMP, the collected data and figures represent the new 100%. A further challenge offered by a marketer’s new worldview is that it makes little sense to compare the data collected with the historical data from this point on. Here at e-CENS, we work to overcome these challenges and will continue to lead the conversation as to how we can best navigate the new Web2 realities.

Upcoming

Next in the series, we consider how a CMP works…