A year with GDPR
It has been one full year now of pop-ups asking for consent for our personal data usage on each website we visit and of email requests to re-subscribe to websites we didn't even remember existed.
It was one year ago, on the 25th of May 2018, that the General Data Protection Regulation (GDPR) came into force with a huge impact on the online world. In fact, though it mostly targeted EU citizens and businesses, it applies to all companies that operate in the EU, and so also had a significant effect on organisations around the world.
As expected, complaints that GDPR was being violated flooded into the responsible authorities almost immediately after its official launch. CNIL, the French data protection authority, reportedly saw a 64% increase in the number of privacy complaints in the first six months of GDPR’s coming into force. Similar increases were observed in all the equivalent authorities across the EU.
Rights and opportunities with GDPR
GDPR is a set of rules aiming to build trust in the digital future of Europe, but it also succeeded in greatly raising users' awareness of their data privacy rights. Better late than never, most internet users in the EU are now aware that they need to provide their consent in order for websites to be able to track their browsing history as well as gather and use their personal data. Without their consent, websites cannot do this, which represents a victory for personal data privacy rights.
Consent management and data breaches in particular are probably among the hottest topics covered by GDPR. In fact, one side-effect of this new regulation is that a whole new industry has evolved around them: from data protection officer job roles and new legal entities to specialised services and software aiming to report on a company's compliance status with the new rules – CIVIC’s own Cookie Control product is among these.
But what was the impact of GDPR for online business?
On the morning of the official GDPR launch, some businesses shut down operations completely, unable to comply with the new data protection requirements. The social analytics tool Klout is thought to be one such case, as is the gaming company Uber Entertainment. In GDPR’s opening days, email marketing tools were on fire. Panicking marketers sent out millions of emails asking their subscribers to (re)confirm subscription to their services or just to inform them of their new data privacy policy. The result? A huge decline in marketing. They flooded their audience's inboxes, but achieved a very low success rate (between 10% and 24% globally) of total users asking to re-consent.
Some companies felt worried; were they right?
One big GDPR topic that some companies seriously worried about is data breaches: fines were to be applied to companies that did not properly safeguard their personal data collection and storage processes. With a maximum possible fine of up to 4% of a company's global annual revenue, most organizations started to report even minor incidents as potential breaches. EU data protection authorities have reported a total of almost 60,000 alerts for data breaches sent to them up until February 2019, but fewer than 100 fines had been issued against these. Nevertheless, in the first months of GDPR, £500,000 fines were issued by the Information Commissioner's Office (ICO) to Facebook and Equifax, as well as lower £400,000 fines to other big companies such as a Portuguese hospital where there was a serious data breach.
So although the number of fines is relatively small, if companies lack the necessary respect for personal data privacy, they should indeed feel worried.
Cookie compliance
Cookies are a key part of online business in the modern world – they can have a wide variety of functions and as such play an important part in GDPR’s new rules, especially when it comes to consent. The EU explains here which cookies user consent is not required for. Once you understand the regulation, it is relatively easy to divide website cookies into two main categories: essential and non-essential. Essential cookies are those that are required to provide the information requested by the user, which could be simply viewing the content of a website or using the features of an e-commerce store. These are strictly necessary for the normal website functions. An informational message displayed to the users is considered enough for the essential cookies category. If the users do not give consent, they may not be able to experience some or all of the functionality of the website. All other cookies are considered non-essential. This category contains the cookies used for analytics, advertising, affiliate marketing, third-party functional cookies and so on. GDPR rules mainly target the non-essential category and aim to give users a real and informed choice in this area.
Taking the above into consideration, we still see numerous websites which save non-essential cookies to browsers by default. These websites are actually declaring non-essential cookies as essential and are not offering their users the informed decision they should. This can be misleading to users and so is not GDPR compliant, and the website owners should clearly reassess which cookies they are indicating as essential and saving by default.
Each time a user’s consent is requested, that request should be limited to a specific context and the personal data processing activities should be clearly described using language that is easy to understand.
Responsible data collection and privacy compliance have to be a high priority
It is time to create transparent relationships and trust with your website visitors:
- track your visitors only with their consent
- state clearly what you intend to do with your users’ personal data in an understandable and honest way
- delete your visitors' personal data upon their request, and
- send them your offers and other materials only if they have given consent
Sound fair? It is, as long as you follow the rules above.
CIVIC responded to user consent needs with Cookie Control
Since 2012, CIVIC has been at the forefront of cookie compliance and as a result, we provided our clients with a solution to GDPR cookie compliance with our Cookie Control product. We developed this GDPR-compliant tool that you probably need for communicating and managing user consent on your website. Cookie Control has already been installed on more than 500,000 websites and interacts daily with millions of internet users worldwide. Aiming to assist as many websites as possible, we offer three editions of the tool: Pro Multi-site, Pro and Community. You can compare their features and download the Cookie Control version which suits you best. We also offer plug-ins for WordPress, Joomla and Drupal. We are constantly supporting and upgrading functionality as well as developing plug-ins for other popular website management tools.
We would love to hear your thoughts on the problems your business faces regarding user consent, and we might even be able to help out too! Please also let us know any features you would like to see added on the next version of CIVIC Cookie Control – your opinion is really important to the development of this product.