This blog is part 2 in our series on the marketing implications of the new GDPR.
Informed or explicit consent and transparency are key issues for the final version of the EU General Data Protection Regulation (GDPR) that’s set to be agreed before the close of 2015.
In a recent report commissioned by regulator Ofcom and written by German-based consultancy WIK-Consult, the authors note that it’s important to recognise that within the EU informed consent is needed both for placing cookies or similar tracking devices on a user’s device. The current laws and regulations in this area are the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 as well as the Data Protection Directive 95/46/EC.
The forthcoming GDPR also provides for a higher level of consent and transparency than exists at present. Under the Trilogue negotiations taking place right now between the European Commission, European Parliament and Council of Ministers, the parties will have to agree whether in certain circumstances such consent can be implied or whether it needs to be explicit in all cases.
Based on the premise that the opportunity costs of reading ‘gobbledygook’ and largely unintelligible legal terms and conditions are the main reasons that keep users from engaging with them, the authors of the report conclude that making terms and conditions more accessible will improve the likelihood of them being read in the first place and of consumers being able to provide informed consent as a result.
“The use of everyday language and concise information has been conceived as a means to reduce the time consumers have to spend reading terms and conditions. In line with this, web design and software tools have emerged to enable the development of intuitive and easy-to-use information and consent options.”
“Furthermore, there are various studies that advocate the use of privacy labels similar to the ones used in food labelling to certify organic or fair trade product schemes. In light of studies demonstrating the misconceptions that such labels may trigger in consumers in relation to the protection of their personal data, such approaches may be debated.”
“Nevertheless, the European Commission encourages the use of icons and the European Parliament has proposed requirements for companies to use icons to inform consumers about data-processing practices,” say the report’s authors.
Article 5 of the proposed GDPR requires that personal data must be protected ‘lawfully, fairly and in a transparent manner in relation to the data subject.’
The requirements for lawful and fair processing aren’t new but the addition of an explicit requirement of transparency is new under GDPR and is an important principle for marketers to adhere to.
Article 11 of the proposed GDPR requires that the Controller has transparent and easily accessible policies relating to the processing of personal data and the exercise of individuals’ rights.
Lawyers on the whole may find this a bit of a struggle (!), which is why marketers have a major role to play in how this comes about: they have the skills to use ordinary, jargon-free and non-legalistic language as a tool for influencing behaviour in order to achieve a desired outcome – in this case, informed consent from the consumer.
Recital 46 of GDPR explains that any information addressed to the public or to the data subject must be ‘accessible and easy to understand’ using ‘clear and plain language’.
The recital refers to online or behavioural advertising as an example of complex data processing that can make it difficult for a data subject to know whether personal data relating to them is processed and if so, by whom and for what purpose.
In the UK, companies and organisations have already started to adopt a more ‘user friendly’ approach ahead of GDPR by using “just in time” consent notices that pop up at appropriate times when the user is online.
More harmonised information provisions as provided under GDPR across the whole of the European Union will go a long way to reduce the burden on users of reading and understanding rambling consent notices that can vary from web site to web site and from country to country.
Another innovation being contemplated is the use of icons instead of text pop-ups or other forms of condensed information that helps the consumer make an informed choice of whether to consent to data processing or not.
Marketers are also encouraged to use icons that can help build trust when they are part of an official certification scheme as envisaged under the draft GDPR.
Privacy policies that reflect a consumer’s individual cultural background and preferences will undoubtedly contribute to better understanding of the rights as well as obligations of the Controller in relation to that data.
Academic research carried out into the so-called ‘Knowledge-based Individualized Privacy Plans’ or KIPPs for short shows that marketers can improve consumer comprehension of the significance of privacy notices by personalising information based on different levels of pre-existing knowledge.
In many respects, that’s what effective direct marketing is all about.
Under Article 14 of GDPR the following information must be provided as a minimum to users:
In addition, where the data is collected from the data subject, the Controller must also inform the data subject whether the provision of data is voluntary or mandatory as well as the consequences for failing to provide the data. For example, the product or service may not be capable of being delivered unless the use of certain personal data has been consented to.
The first thing to notice is that Article 14 of GDPR is more extensive in its scope than under the requirements of the current EC Directive, although in practice many organisations and companies already use consent notices that would broadly be compliant under GDPR.
The European Parliament also wants Controllers to include information about profiling, measures based on profiling and the envisaged effects of profiling on individuals, which goes beyond what the Council of Ministers wants to see happen.
In the GDPR draft of the European Parliament, Article 13a was added (removed by the Council of Ministers in its GDPR version) that requires:
The European Parliament envisaged that such information would be provided to data subjects in a table format. Such requirements will no doubt be subject to negotiation under the Trilogue phase and over the coming months we will see whether the Council of Ministers relent and agree to have this incorporated into the final agreed version.
Academic research shows that there’s a dissonance between the assumptions and requirements stipulated in law about informed consent and actual consumer behaviour in practice.
As many marketers will note, consumers tend to exhibit behaviour that’s sometimes inconsistent with their stated concern for data privacy. The Ofcom report authors conclude that behavioural economics and in particular experimental studies can go some way to explain some of the reasons behind such behaviour as well as indicate potential ways to mitigate it.
So-called ‘Context-aware nudging’ of the consumer has emerged as one approach but nudging the consumer won’t solve all issues around informed consent all at once.
It seems that a single solution for all – or at least most – of the issues raised has yet to be found. And that of course could change as a result of consensus around GDPR over the next 6 months.
It’s likely that more evidence is required to investigate the extent to which a multi-faceted approach taken by marketers and involving several factors in combination might offer a potential solution to the need for informed and explicit consent from the consumer.
In this context, research must also include the Internet of Things (IoT) as the pace of technology change here is likely to further exacerbate the issues around informed consent in practice.
There are several things marketers should think of doing NOW:
The original article can be found here.