Informed consent and transparency will be hallmarks of GDPR
This blog is part 2 in our series on the marketing implications of the new GDPR. See part one here.
Informed or explicit consent and transparency are key issues for the final version of the EU General Data Protection Regulation (GDPR) that’s set to be agreed before the close of 2015.
In a recent report commissioned by regulator Ofcom and written by German-based consultancy WIK-Consult, the authors note that it’s important to recognise that within the EU informed consent is needed both for placing cookies or similar tracking devices on a user’s device. The current laws and regulations in this area are the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 as well as the Data Protection Directive 95/46/EC.
The forthcoming GDPR also provides for a higher level of consent and transparency than exists at present and under the Trilogue negotiations taking place right now between the European Commission, European Parliament and Council of Ministers the parties will have to agree whether in certain circumstances such consent can be implied or whether it needs to be explicit in all cases.
Based on the premise that the opportunity costs of reading ‘gobblygook’ and largely unintelligible legal terms and conditions are the main reasons that keep users from engaging with them, the authors of the report conclude that making terms and conditions more accessible will improve the likelihood of them being read in the first place and for consumers being able to provide informed consent as a result.
“The use of everyday language and concise information has been conceived as a means to reduce the time consumers have to spend reading terms and conditions. In line with this, web design and software tools have emerged to enable the development of intuitive and easy-to-use information and consent options."
“Furthermore, there are various studies that advocate the use of privacy labels similar to the ones used in food labelling to certify organic or fair trade product schemes. In light of studies demonstrating the misconceptions that such labels may trigger in consumers in relation to the protection of their personal data, such approaches may be debated."
“Nevertheless, the European Commission encourages the use of icons and the European Parliament has proposed requirements for companies to use icons to inform consumers about data-processing practices,” say the report’s authors.
Proposed wording in GDPR
Article 5 of the proposed GDPR requires that personal data must be protected ‘lawfully, fairly and in a transparent manner in relation to the data subject.’
The requirements for lawful and fair processing aren’t new but the addition of an explicit requirement of transparency is new under GDPR and is an important principle for marketers to adhere to.
Article 11 of the proposed GDPR requires that the Controller has transparent and easily accessible policies relating to the processing of personal data and the exercise of individuals’ rights.
Lawyers on the whole may find this a bit of struggle (!) which is why marketers have a major role to play in how this comes about because of the skills they have in using ordinary, jargon-free and non-legalistic language as a tool for influencing behaviour in order to achieve a desired outcome – in this case, informed consent from the consumer.
Recital 46 of GDPR explains that any information addressed to the public or to the data subject must be ‘accessible and easy to understand’ using ‘clear and plain language’.
The recital refers to online or behavioural advertising as an example of complex data processing that can make it difficult for a data subject to know whether personal data relating to them is processed and if so, by whom and for what purpose.
In the UK, companies and organisations have already started to adopt a more ‘user friendly’ approach ahead of GDPR by using “just in time” consent notices that pop-up at appropriate times when the user is online.
More harmonised information provisions as provided under GDPR across the whole of the European Union will go a long way to reduce users’ burdens for reading and understanding rambling consent notices that can vary from web site to web site and from country to country.
Another innovation being contemplated is the use of icons instead of text pop-ups or other forms of condensed information that helps the consumer make an informed choice of whether to consent to data processing or not.
Marketers are also encouraged to use icons that can help build trust when they are part of an official certification scheme as envisaged under the draft GDPR.
Privacy policies that reflect a consumer’s individual cultural background and preferences will undoubtedly contribute to better understanding of the rights as well as obligations of the Controller in relation to that data.
Flipping this on its head, warnings about unexpected terms in a privacy policy may serve as a means to help consumers become aware of unusual practices and become a ‘red flag’.
Academic research carried out into the so-called ‘Knowledge-based Individualized Privacy Plans’ or KIPPs for short shows that marketers can improve consumer comprehension of the significance of privacy notices by personalising information based on different levels of pre-existing knowledge.
In many respects, that’s what effective direct marketing is all about.
Specific information that must be provided to a data subject
Under Article 14 of GDPR the following information must be provided as a minimum to users:
- the identity and contract details of the Controller and where applicable any representative and Data Protection Officer (DPO);
- the purposes of the processing including the contract terms where the controller relies on contract performance as the legitimate basis for processing and the legitimate interests that are relied on, as applicable;
- the period for which the data will be stored;
- the existence of rights to request access, rectification and erasure or to object to the processing;
- the right to lodge a complaint with the supervisory authority, and contact details;
- recipients or categories of recipients of the personal data; and
- any further information necessary to guarantee fair processing.
In addition, where the data is collected from the data subject, the Controller must also inform the data subject whether the provision of data is voluntary or mandatory as well as the consequences for failing to provide the data. For example, the product or service may not be capable of being delivered unless the use of certain personal data has been consented to.
How is GDPR different from Directive 95/46/EC?
The first thing to notice is that Article 14 of GDPR is more extensive in its scope than under the requirements of the current EC Directive, although in practice many organisations and companies already use consent notices that would broadly be compliant under GDPR.
The European Parliament also wants Controllers to include information about profiling, measures based on profiling and the envisaged effects of profiling on individuals which goes beyond what the Council of Ministers wants to see happen.
In the GDPR draft of the European Parliament, Article 13a was added (removed by the Council of Ministers in its GDPR version) that requires:
- details of whether personal data is collected beyond the minimum necessary for each specific purpose of the processing;
- whether personal data is retained beyond the minimum period necessary for the specific processing;
- whether the data is processed for the purposes other than those for which they were collected;
- whether the data is disseminated to commercial third parties;
- whether the data is rented out and whether it’s retained in encrypted form
The European Parliament envisaged that such information would be provided to data subjects in a table format. Such requirements will no doubt be subject to negotiation under the Trilogue phase and over the coming months we will see whether the Council of Ministers relent and agree to have this incorporated into the final agreed version.
What conclusions can be drawn from these discussions at the EU and recent research for Ofcom?
Academic research shows that there’s a dissonance between the assumptions and requirements stipulated in law about informed consent and actual consumer behaviour in practice.
As many marketers will note, consumers tend to exhibit behaviour that’s sometimes inconsistent with their stated concern for data privacy. The Ofcom report authors conclude that behavioural economics and in particular experimental studies can go some way to explain some of the reasons behind such behaviour as well as indicate potential ways to mitigate it.
So-called ‘Context-aware nudging’ of the consumer has emerged as one approach but nudging the consumer won’t solve all issues around informed consent all at once.
It seems that a single solution for all – or at least most – of the issues raised is as yet to be found. And that of course could change as a result of consensus around GDPR over the next 6 months.
It’s likely that more evidence is required to investigate the extent to which a multi-faceted approach taken by marketers and involving several factors in combination might offer a potential solution to the need for informed and explicit consent from the consumer.
In this context, research must also include the Internet of Things (IoT) as the pace of technology change here is likely to further exacerbate the issues around informed consent in practice.
What should marketers do now?
There are several things marketers should think of doing NOW:
- Review the extent to which existing consent notices comply with the requirements of the EU Directive and also consider how these notices may need to be updated to reflect the requirements under Article 14 of GDPR and start that process now
- If consent is used as the legal basis for data processing, then consider whether the organisation or company will be able to meet the more restrictive covenants for consent under GDPR
- Consider the need for consent to be specific and explicit, capable of being withdrawn at any time and as the Controller, it is the organisation or company’s responsibility to bear the evidential burden of proving that consumer consent has been adequately and lawfully obtained
- Review the extent to which your organisation or company engages in behavioural advertising and ensure that the highest standards of consent have been adhered to
- Review existing consent mechanisms and the types of profiling currently undertaken and ensure that these adhere to the highest standards required under GDPR
- Assess whether the consent is appropriate to carry out the data processing envisaged or whether a more granular level of consent mechanism needs to be created in order to achieve this objective
- Finally, consider documenting all due diligence ahead of GDPR by carrying out an organisational Data Protection Impact Assessment (DPIA). This will help to demonstrate compliance with the GDPR principles and will be taken into account by the Supervisory Authority in the circumstances of a data breach in order to mitigate the imposition of punitive fines that could be as high as 5% of global turnover or €100m.