May 2018 will see the General Data Protection Regulation (GDPR) come into effect, described by the EU as the ‘most important change in data privacy regulation in 20 years.’
In simple terms, the GDPR is designed to ‘protect EU citizens from privacy and data breaches in an increasingly data-driven world.’
Practically, it means all companies that hold personal information on EU citizens will need to be clear and transparent about how they collect, process and store this data, and ensure they have unequivocal permission from the consumer.
The Protection of Personal Data
Crucially, the GDPR applies to companies even if they don’t have offices or any other physical presence inside the EU itself. It’s having personal data on an EU citizen that matters, rather than the geographic location of the processor or collector. What’s more, the GDPR moves things like IP addresses and cookies out of their current “grey area” firmly into the territory of what counts as personal information.
There can be little doubt that this will have a major global impact, especially as companies that transgress the legislation could face significant fines (€20m, or up to 4% of global revenue).
One of the most obvious consumer-facing implications is that people will need to opt-in (rather than opt-out), actively confirming that they agree to their data being collected and used.
This way, reliance on “assumed” consent will (rightfully) become a thing of the past.
Other key requirements include that any language used must be easy to understand, that explanations can’t be buried in long terms & conditions documents, and that it must be easy for consumers to withdraw their consent at any time after it is given.
At GlobalWebIndex, we have always placed this type of respect and openness at the center of our consumer research. In fact, it’s mentioned explicitly in our company values: ‘As a business, we respect the consumer. We are transparent and honest about how we collect and use data, preferring to offer more rather than less control to the people that we’re profiling for the benefit of our clients.’
While some companies will look at the GDPR with uncertainty – considering how they need to change their policies in order to be compliant – for us, the directive is a welcome confirmation that the principles we have long lived by are the right ones.
Let me get more specific…
Most people reading this will have encountered long and complex privacy policies during the course of their internet browsing.
We all know the drill: very small font sizes, complex legal jargon and densely filled pop-up boxes that consumers naturally want to dismiss quickly to get on with their chosen activity.
For those who do attempt to read and understand the full conditions, the complexity and inaccessibility of the text can make it very difficult.
At GWI, we take a different approach. We use normal-sized font, we put text on the main screen rather than in a dismissible pop-up box, and we use everyday language that is deliberately written to be as accessible and understandable as possible.
When it comes to cookies – the area where arguably the biggest knowledge gap exists on the consumer side – we try to explain what they are and what they do in simple terms. We outline to respondents how cookies might be used in relation to the specific data they are about to submit; when this might involve relatively sophisticated or complex processes, we try to explain the principles in a relatable, real-world way. For example, when outlining what lookalike modeling is, we contextualize it in a way that most people find easier to understand:
“[It’s similar to the] technique that music recommendation engines use to suggest albums you may like (e.g. We know this person likes bands x + y + z, and we know that you like bands x + y. So it’s probable that you’ll also like band z).”
We have always believed that our respondents (who are ultimately helping our clients make the right strategic decisions) should be comfortable with the ways in which their data might be used, so it’s certainly pleasing to see this being enshrined in the GDPR.
The Question of Consumer Consent
The process of giving consent is another area where many of us have probably encountered some of today’s less-than-transparent practices (and in particular, the use of small, pre-ticked boxes that some people might not be acknowledging fully before they move on to the next screen).
In day-to-day browsing, probably the best example of how consent isn’t always consumer-centric is when your inbox starts filling up with unwanted marketing emails that you weren’t aware you had signed up to receive.
Another example is the installation of browser plug-ins that are bundled in with other downloads; technically, the consumer has consented to the installation, but were they always aware that they were giving this permission? Did all of them consciously leave that additional box in its pre-ticked state, or did at least some of them simply not register it was there or realize what they were accepting?
Similarly, when consumers sign up to anti-virus or similar services that sell their data as a by-product, are they always aware it’s happening? It seems unlikely.
At GlobalWebIndex, we have always done things differently, and it’s our hope that the GDPR will drive the industry towards the levels of transparency that we consider to be essential. Apart from all of our data being anonymized and aggregated, every single data point is actively provided by consumers (even when passively matched in analytics). Moreover, the consent we gain for this has to be considered industry-leading in terms of its recency, transparency and explicitness.
Many online researchers rely on the consent that was obtained when a respondent first joined the research panel, but this could have been given days, months or even years prior to a particular survey being taken. While there’s nothing wrong with that from a legal perspective, it’s not as transparent as it could be. Consent has been given, but it’s probably fair to say that at least some people won’t read the fine print during a sign-up process (especially if they’re eager to complete their registration and get going). Others simply won’t remember.
Our view is that consent should be re-confirmed at the start of each piece of our Core research. We want to tell respondents how the data they are about to submit there and then might be used, and to collect fresh, explicit consent for that.
To date, we are the exception rather than the rule when it comes to taking such an approach, but we look forward to the GDPR instilling more respectful practices across the industry.
After all, isn’t it better to know that the respondent consented to that exact dataset being used in that exact way, rather than capturing generalized consent at just one moment in time? And as per our company values, isn’t it better to give the consumer more knowledge and control, rather than the minimum required?