With the anniversary of GDPR looming, the first examples of non-compliance from major organizations have become more concrete. Yet there is still a degree of uncertainty around what is and what is not ‘compliant’ when it comes to obtaining user consent. Despite the media headlines and reams of material on the subject, there are a number of simple compliance mistakes that are surprisingly commonplace. Mistakes that could lead to toxic user data can expose your business to big fines, and undermine the trust of your consumers. This blog highlights these common mistakes and demonstrates how they can be easily avoided.
Six months before GDPR’s 25th May 2018 deadline, 85% of marketers claimed they had implemented their plans for compliance and felt confident about their approach. However, more than a year later, this seems optimistic, with many organizations being the subject of complaints and regulation. Not to mention one of the biggest names in consumer technology receiving serious fines ($44m) for breaches in data protection.
A number of companies have even voluntarily stopped doing business in the EU as a result of the new privacy regulations. Cross-device targeter Drawbridge, and location data firm Verve are just a couple of US-based firms that wound down their European operations last year, citing GDPR as the primary reason.
GDPR is daunting for any organization that handles data, and is understandably a real concern for publishers. Especially considering the need to provide a compliant consent notice for every individual partner they work with.
Despite the technical and operational ramifications of such a requirement, it is often the small mistakes found in the wording or layout of each of these consent notices that leave companies most at risk. By understanding these common errors, publishers can ensure their own consent notice is compliant, and also be certain that they’re correctly obtaining consent for their partners as well.
Common Data Compliance Mistakes
Lack of clarity over GDPR has led to laws being interpreted in very different ways by publishers and others. As a result, the opt-in forms served across different apps and sites vary wildly, meaning it’s hard to know who is compliant. Ogury conducted a study of the top 200 apps on the Google Play store and discovered that almost 98% of consent notices contained words or elements that could attract the attention of regulators for being non-compliant. For example, only 24% of the apps studied included a clear ‘yes’ or ‘no’ option for consent presented together with equal prominence (which is a mandatory requirement).
Here are five of the most common mistakes found on consent notices. All of which, could render your or your partners’ consent notice non-compliant, and thus lead to big fines:
1. Default pre-ticked opt-ins.
2. Refuse consent options that are so buried in the text, users are forced to hunt for them.
3. No button or option to opt-out, or withhold consent, displayed at all.
4. Important information – such as a description of the personal data collected, the purpose of collecting data, and list of vendors – only being accessible after multiple screens, or requiring an additional tap or click to access, instead of being presented upfront.
5. The widely-practiced method of ‘Implied Consent’, by which consent is assumed based on a user’s interest in accessing the site or service.
Take this particular consent notice (below). At first glance, it appears to provide the user with clear information on why they are opting in. However, it could be called into question by the regulators. Why? Firstly, there is no option to ‘opt-in’ or ‘opt-out’ on the first page. Secondly, there is a distinct lack of detail about the information being collected (as described in point 4 above) on the first page; the user even needs to accept page one before continuing. Thirdly, the opt-in/out sliders on the second page are auto set to ‘opt-in’ by default; anytime a default is used, it really should be set to refuse or ‘opt-out’.
These mistakes are common and may result from either a lack of understanding or the need to roll out a quick-fix. When it comes to GDPR, neither reason will save you from a big fine should the regulators pick up on them. Luckily, that doesn’t mean you have to bury yourself in the law for months on end.
Best Practice Recommendations
Based on GDPR itself, public guidance from regulators, and considering some of the recent enforcement decisions that have been made, here are five important things you should keep front of mind to ensure your consent notices, and those of your partners, are compliant:
- Do not pre-tick ‘accept’ or ‘opt-in’ options, as this can be considered as ‘forced consent’. Provide your users with a clear choice.
- Present clear, explicit opt-in and opt-out (or ‘yes’ and ‘no’) options, visible on the first page of your consent notice.
- Avoid all misleading information, such as claiming that consent is a requirement to use the app or service.
- Explain in plain language, the data that will be collected, purposes of data collection, and how the data will be stored and used.
- Do not hide or bundle different terms and reasons for your data collection together. Ensure each purpose of the data you are collecting is distinct and easily understandable to users.
Compliance Zero to Hero
Fidzup, one of a number of French startups investigated by the French regulator CNIL, went from a compliance zero to hero by fixing the issues outlined above. The company had been flagged for not obtaining valid consent to collect users’ geolocation data, which they use for marketing purposes. In simple terms, users were not being clearly informed that their data was being used for location-based ad targeting purposes, nor were they told it was being shared with the company’s partners.
Some of the compliance mistakes made by Fidzup included:
- Users’ were not informed that data was being collected from the outset. This information was only presented in the general app terms & conditions after the data had already been processed.
- Users’ consent was not freely given as they had no opportunity to withhold it and avoid the processing by Fidzup.
- Finally, the users’ consent was not specific as they were only asked to give a single consent to data processing for the apps and the ad targeting purposes.
Fidzup was able to fix its consent problem by creating a proprietary consent management tool for its product, that clearly states its reasons for data collection up front. By outlining all of its data collection purposes, unbundling all terms, and demonstrating how this will be used by Fidzup themselves and their partners, it was able to offer its users a clear explanation, along with the option to provide or withhold, consent. In doing so, it led to the regulator withdrawing proceedings.
Don’t be fooled by this fairy tale story though. GDPR fines are very real and not every company will be given the benefit of time to fix compliance issues. Prevention is always better than a cure.
Don’t stop at your own consent notice
It’s one thing to ensure your own consent notice is compliant, but quite another to ensure that you are on the right side of the law when it comes to obtaining consent for every supply partner, technology solution, tracking or analytics provider you work with. Unless you have limitless tech and legal resource at your disposal, we do not recommend taking this task on yourself. There is a much simpler way; use a regulated Consent Management Platform (CMP) such as Ogury Consent Manager.
A CMP is a platform that can be used by publishers for requesting, receiving and storing users’ consent, with multiple partners. The CMP then sends this information to all relevant partners in the supply chain, to ensure compliance is achieved throughout the chain.
Ogury Consent Manager, a registered IAB CMP, streamlines the user consent process by combining all consent notices from every partner and solution in one convenient place. As a result, users are shown just one clear consent notice, that minimizes disruption and enhances overall experience within apps and mobile sites. In providing a single and precise consent notice that covers consent requirements for every partner, publishers can avoid the aforementioned compliance mistakes and the fines that ensue.
Ogury Consent Manager goes beyond the capabilities of a standard CMP with its first-of-a-kind capability called ‘Fair Choice’. Understanding that compliance is fundamental today, but transparency, fairness, and user choice are the only way to build long-term trust; Ogury Consent Manager gives users three unique options when it comes to consent.
- Opt-out of sharing their data, access content for free, but receive a lot of irrelevant and impersonal marketing.
- Pay a fairly priced monetary fee, without sharing data, in exchange for a marketing-free experience.
- Consent to share their data, access content for free, and receive valuable, relevant marketing from premium brands.
Don’t leave it to chance
GDPR compliance is not the most exciting subject for the fast-paced world of technology, marketing, and modern business; but it’s a fundamental requirement today. The steps we’ve outlined above should help you run a little audit on your operation, demystify confusion, and give you some tips to avoid common compliance mistakes. However, the only way to be truly certain is to seek legal guidance and/or enlist the services of a DPO.
Don’t fall for the common misconception that GDPR only affects Europeans. The regulation impacts any business that handles European data, regardless of where they are based. What’s more, with equivalent laws starting to pick-up pace in other continents, such as the California Consumer Privacy Act (CCPA) in the USA, data protection should be on everyone’s radar.
If you want to put your own GDPR expertise to the test, why not take our fun, free and quickfire GDPR Grandmaster Challenge, to find out just how knowledgeable you are on the subject.
Should you have any questions or queries about Ogury Consent Manager or any of Ogury’s MJM solutions, contact us at: firstname.lastname@example.org
Romain Escaich, Head of Publisher Development, EMEA