
August 28, 2019

Keeping up with GDPR, PECR and the evolving privacy and data protection landscape

Written by David Corchado

The Change

In early July, the ICO released its new guidance on the use of cookies and similar technologies. It addresses the use of, and requirements for, collecting information from website visitors, and includes updated directions for complying with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Investis Digital’s compliance team has been analyzing this new guidance and how it affects your website’s obligations under the relevant legislation.

This new guidance further clarifies how cookies should be used under GDPR. To bring a website into compliance with the new requirements, we believe that most websites that serve European audiences will require changes. These changes should include a fresh analysis of the existing cookie behavior on the website, and, if a model of “implicit consent” is being used, changes to the JavaScript to ensure that explicit consent is obtained before any cookie is dropped.

What does 'good' look like?

At a high level, the changes we recommend include:

  • Block any cookie that is “non-essential” from the perspective of the user. This means blocking, by default, all marketing, analytics, preference and performance cookies until consent is expressly given.
  • Adopt a model of explicit consent before writing any identifying code to a visitor’s equipment. If you are currently using a model of “soft” or “implicit” consent on your website, you are now required to change it so that the default setting is consent turned off. This means that website visitors must receive the above warning before a cookie can be set. Under implicit consent, visitors received a warning, but cookies were set until the point that they elected to block them. Investis Digital’s own use of Google Analytics will be compliant with this new rule, and any data that makes its way into your Connect.ID Intelligence dashboard will be guaranteed to always have proper consent in place, even as industry rules evolve.
  • For consent to be valid, website visitors must take a clear and positive action to consent. This means pre-ticked boxes or sliders defaulted to “on” should not be used. Similarly, strong language that urges the user to enable tracking, or that prevents visitors from using your website’s functionality until they consent, is not permitted. You can read more about this specific recommendation in the ICO’s blog titled: Cookies, What does good look like?
  • Ensure that your cookie policy is current and adequately identifies the tracking technologies on your pages. You must similarly hold vendors whose technology lives on your pages to the same controls and ability to opt out. Note: Investis Digital has no control over technology delivered through 3rd party integrations and has no ability to block cookies that are delivered server-side. This includes popular integrations like Facebook, and Google for Job Search. For websites with multiple 3rd party vendors that have tracking technologies on their pages, a longer classification exercise will be required to identify those technologies and put in place a more advanced cookie warning so that visitors can toggle different cookie types independently.
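The consent model described above (non-essential categories off by default, nothing written or loaded until a positive action, independent toggles per category, and withdrawal that removes what was set) can be expressed as a small gate in front of every cookie write and script load. The following is an added example, not Investis Digital’s code or any vendor’s consent library; the category names, the `cookie_consent` record name and the cookie names in the usage are all constructed for illustration, and `MemoryCookieJar` stands in for `document.cookie` so the snippet runs outside a browser.

```javascript
// Added example: a consent gate that refuses to write non-essential cookies
// or run tracking scripts until the visitor has explicitly opted in.
// Not Investis Digital's code; names below are constructed placeholders.

const ESSENTIAL = "essential";
const OPTIONAL_CATEGORIES = ["analytics", "marketing", "preference", "performance"];
const CONSENT_COOKIE = "cookie_consent"; // hypothetical name for the consent record

// Explicit-consent default: every optional category starts switched off.
// No pre-ticked boxes, no "on until the visitor objects".
function defaultConsent() {
  const consent = {};
  for (const category of OPTIONAL_CATEGORIES) consent[category] = false;
  return consent;
}

// In-memory stand-in for document.cookie so the example runs under Node.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  remove(name) { this.store.delete(name); }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consent = defaultConsent();
    this.deferred = [];        // script loaders waiting for consent
    this.written = new Map();  // category -> names of cookies set under it
  }

  // Returns true only if the cookie was actually written. Unknown categories
  // fail closed, since consent[category] is undefined for them.
  setCookie(name, value, category) {
    if (category !== ESSENTIAL && !this.consent[category]) return false;
    this.jar.set(name, value);
    if (category !== ESSENTIAL) {
      if (!this.written.has(category)) this.written.set(category, new Set());
      this.written.get(category).add(name);
    }
    return true;
  }

  // Run a loader now if its category is essential or already consented to;
  // otherwise queue it until consent arrives. Returns whether it ran now.
  loadWhenConsented(category, loader) {
    if (category === ESSENTIAL || this.consent[category]) { loader(); return true; }
    this.deferred.push({ category, loader });
    return false;
  }

  // Call only from a positive user action (a click on an "Accept" control for
  // that category), never on page load, scroll, or a pre-ticked default.
  grant(categories) {
    for (const category of categories) {
      if (!OPTIONAL_CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    }
    for (const category of categories) this.consent[category] = true;
    this.persist();
    const stillWaiting = [];
    for (const entry of this.deferred) {
      if (this.consent[entry.category]) entry.loader(); else stillWaiting.push(entry);
    }
    this.deferred = stillWaiting;
  }

  // Withdraw consent for one category and delete the cookies written under it,
  // leaving the other categories untouched (independent toggles).
  withdraw(category) {
    this.consent[category] = false;
    for (const name of this.written.get(category) || []) this.jar.remove(name);
    this.written.delete(category);
    this.persist();
  }

  // The consent record itself is essential: it is the evidence that consent
  // was given, when, and for which categories.
  persist() {
    const record = { version: 1, at: new Date().toISOString(), categories: this.consent };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(record));
  }
}

// Usage: the analytics loader does not run and its cookie is not written until
// grant(["analytics"]) is called from the visitor's click handler.
const gate = new ConsentGate(new MemoryCookieJar());
gate.loadWhenConsented("analytics", () => gate.setCookie("_example_analytics", "id-123", "analytics"));
```

The same gate is the hook for the “advanced cookie warning” mentioned above: each toggle on the settings page maps to one `grant([...])` or `withdraw(...)` call, and a vendor script is only ever wrapped in `loadWhenConsented` for its classified category.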

Once these changes have been completed by Investis Digital, websites will show a splash page similar to the one below:

[Screenshot: cookie consent splash page]

If a website visitor elects to continue blocking cookies, they will be redirected to a second page that allows further control of cookie settings:

[Screenshot: cookie settings page]

Critically important: with this new guidance to block tracking cookies by default, website analytics will see a very sharp decrease in traffic. Note that this does not mean users are not seeing your content; it means that those users have elected to remain anonymous.

Data Compliance and Protection as a Moving Target

Evolving requirements and pending regulations are creating uncertainty among businesses, and it isn’t clear where the priority for enforcement will be next. With this constantly shifting landscape, it is clear that the business community would benefit from a universal standard for privacy. In the United States, the California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020, and while it does overlap with GDPR, it brings additional requirements, including a requirement that an entire household be considered an entity for privacy purposes. Our opinion is that the household rule will not affect you unless you are using programs that leverage addressable TV or cross-device advertising networks.

Note: the scope of work to ensure compliance with the recent ICO cookie rules does not cover future changes that will be required for CCPA. Our U.S. based clients should expect more communication, and potentially more website changes, once information on CCPA is reviewed by our Counsel. More to come on this in a separate blog post.

With so many different government entities now trying to lead on data privacy and protection, it is getting more difficult to keep track of the different requirements a global audience can bring. Without a single universal standard for data protection, you can imagine that where you have website visitors across DACH, France, the UK, and California, a website owner may be held accountable to 4 different standards, with corresponding privacy policies and business activities for each. To solve this, you would need to either choose the most restrictive privacy framework and apply it across all regions, or adopt 4 different data protection and privacy frameworks and use geo-location technology to determine the location of each visitor and serve them the appropriate policy. Investis Digital is currently evaluating geo-location technology for websites we host. Stay tuned for our guidance over the next few months.

What does this mean about analytics in the future?

We believe the overall impact of these changes will be a better experience for website visitors, especially visitors to advertising-heavy websites, since limiting the number of ads on a page will produce quicker page-load times and make better use of mobile screen size. As a consumer, this should be seen as a positive, and understanding who is capturing, storing and selling your personal data is a very big positive. However, the majority of public websites, particularly those that don’t monetize content and don’t sell or transfer website visitor data, will suffer as a result of having less data available for their website analytics. This may mean less urgency around refreshing content because of a lack of clarity about which content is performing well. To counteract these risks, the tactics we deploy to understand our website audience will need to change. If you are not doing it already, you should begin looking at other techniques such as:

  • Reviewing 3rd party data that has been freely given, to understand user preferences
  • Focus groups, customer interviews and surveys
  • Scanning website logs for non-individual data points that impact server resource consumption
  • Paid Search keyword buying patterns, search volume trends and competitor analysis. In a world with limited website analytics, data from SEO, Paid Search and third-party platforms is vital.
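The third technique above, scanning server logs for non-individual data points, works without any cookie at all, provided the analysis discards the fields that identify a visitor. The following is an added example, not Investis Digital’s tooling: it parses a few constructed Combined Log Format lines, keeps only method, path, status and bytes (dropping the client address, user agent and query string), and aggregates requests, bytes served and server errors per path. The log lines and paths are made up for the illustration.

```javascript
// Added example: aggregate access-log lines into non-individual metrics
// (requests, bytes, server errors per path) while discarding the client IP,
// user agent and query string. Not Investis Digital's code; the log lines
// below are constructed for the example (addresses are documentation ranges).

const SAMPLE_LOG = [
  '203.0.113.7 - - [28/Aug/2019:10:00:01 +0000] "GET /investors/results HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [28/Aug/2019:10:00:05 +0000] "GET /investors/results HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [28/Aug/2019:10:00:09 +0000] "GET /news HTTP/1.1" 500 312 "-" "curl/7.64"',
  '203.0.113.7 - - [28/Aug/2019:10:00:12 +0000] "POST /search?q=dividend HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
];

// Combined Log Format. The client address (group 1), referrer and user agent
// are matched only so that the line can be validated; they are never stored.
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "[^"]*"$/;

// Parse one line into the non-identifying fields, or null if it is malformed.
function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  // Strip the query string: search terms and tokens there can be personal data.
  const path = m[4].split("?")[0];
  return { method: m[3], path, status: Number(m[5]), bytes: m[6] === "-" ? 0 : Number(m[6]) };
}

// Aggregate per path; the result contains nothing that singles out a visitor.
function aggregate(lines) {
  const perPath = new Map();
  let skipped = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { skipped++; continue; }
    const agg = perPath.get(rec.path) || { requests: 0, bytes: 0, serverErrors: 0 };
    agg.requests++;
    agg.bytes += rec.bytes;
    if (rec.status >= 500) agg.serverErrors++;
    perPath.set(rec.path, agg);
  }
  return { perPath, skipped };
}

// Usage: report which paths consume the most bandwidth and which are failing.
function report(lines) {
  const { perPath, skipped } = aggregate(lines);
  const rows = [...perPath.entries()].sort((a, b) => b[1].bytes - a[1].bytes);
  return { rows, skipped };
}
```

Because the aggregation never keeps the address or user agent, the output can be shared with content teams freely, and it answers the “which content is performing well” question for pages whose visitors declined analytics cookies.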

Contact us to learn more about how we are already doing this for some clients.

Conclusion

Our company began as a European-based technology services provider focused on the FTSE 350. From the beginning, we have held ourselves accountable to the very strongest of data and privacy protection governance models because that was what our clients demanded. When Investis Digital rolls out a new service we think about how we can embed privacy-by-design. It is for this reason that Investis Digital does not store sensitive data nor do we sell even benign data to 3rd parties. The need for such high standards of security and governance has always been a requirement of our clients and this level of accountability has never been more important than it is today.

For questions, please contact your Investis Digital account manager or email me at david@investisdigital.com
