A look at what is (and isn't) going to change under the GDPR.
By David Vranicar, Senior Content Manager
The funny thing about the GDPR, which is causing heartburn among analysts and digital marketers around the globe, is that it doesn’t actually talk about tech.
The General Data Privacy Regulation – all 55,000 words of it – is pure analog. Cookie appears once, computer three times, internet four times.
So why all the angst about GDPR? Well, even if the GDPR itself reads like a 20th-century philosophy essay, new rules are indeed coming. And they will impact any company that has a modern analytics or marketing operation.
Those rules, though, don’t come from the GDPR itself. Instead, they come from the GDPR’s sister document, the European Commission’s ePrivacy Regulation, which tries to apply GDPR principles to the digital world. Like the GDPR, the ePrivacy Regulation is scheduled to take effect on 25th May 2018.
Let's look at some of the actual text to get a better understanding of what, exactly, GDPR is all about. This should help clear up what is (and isn't) going to change, and what you can do about it.
1. ePrivacy Regulation, Section 6
While the principles and main provisions of Directive 2002/58/EC… remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality.
That is definitely true: The Directive they’re referring to was written in 2002, the digital equivalent of the Mesozoic Era. After all, since 2002, Facebook
- was founded
- became the world’s most popular social media platform
- acquired the world’s most popular messaging app (WhatsApp, founded in 2009)
- acquired the world’s most popular photo-sharing app (Instagram, founded in 2010)
- acquired prime real estate on hundreds of millions of smartphones
Speaking of smartphones, the iPhone was five years away in 2002.
So yes, it’s time for an update.
2. ePrivacy Regulation, Section 15
Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned.
If “interception” feels like a loaded word, it is. This passage is in the same paragraph as snooping on phone calls!
ePrivacy doesn’t name names, but one can imagine the sort of interception technology in question. Google DoubleClick, for example, is an omnipresent tool that publishers embed in their websites so Google can track who is looking at what, and then target them later with relevant ads. Real-time retargeting providers like Criteo would also figure to be engaging in “interception” when they build profiles of individuals’ interests for display ads down the road.
Again, these companies are not mentioned in the Regulation. No companies are mentioned. But this sort of technology pops up in the same breath as “listening to calls.”
That’s a good indication of how the European Commission is looking at analytics and marketing tools. And a good indication why companies who use these tools might be a bit spooked.
3. ePrivacy Regulation, Section 21
Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website.
Phew, so it’s not all bad. Analytics lives!
The Commission formally acknowledges the crucial role that cookies play in today’s digital ecosystem.
And for good reason. Without cookies, the internet would be a wasteland. Let’s say you log into LinkedIn, see something interesting in your feed, click on it and then navigate to that LinkedIn content. In a cookie-free world, you would have to log in again just to view whatever it is you clicked on two seconds prior.
Anything that enables even a vague sense of personalization would disappear without cookies. Shopping carts would be forgotten, and recommendations based on previous content and purchases wouldn’t exist.
So cookies are not banned. However…
4. ePrivacy Regulation, Section 23
End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’).
Those privacy setting options, by the way, will be handled on the browser level – not the website level. So instead of blindly clicking “I accept” every time they go to a new website, visitors will configure their browsers once. Those settings will follow them around the internet and apply to every website they visit.
We know the no-cookie internet experience would be a disaster. So the “never accept cookies” option doesn’t seem like one that marketers or analysts would need to worry about.
But a setting like “reject third-party cookies” – that’s where things get dicey for advertising technology and the marketers that rely on it.
Think about the technologies we talked about earlier – Google DoubleClick and Criteo. Those are exactly the types of solutions whose cookies would disappear in a reject third-party cookies ecosystem. They wouldn’t be able to place relevant ads because it would be impossible to determine what is relevant.
Basically, a no third-party cookie setting would make advertising tools blind.
Before we wrap up, let’s highlight two short passages from the European Data Protection Supervisor’s June 2017 “Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation)”. These critiques will presumably be taken into account for the next version of the ePrivacy Regulation, which is due later this year.
5. EDPS Opinion, Section 12
[T]he EDPS recommended that the ePrivacy Regulation should also create an additional exception for first party analytics cookies… The EDPS welcomes the fact that a new exception has been created.
More confirmation that analytics cookies are okay. And a clear declaration that those must be first-party cookies.
Which raises the question: How does the European Commission distinguish between first-party cookies and third-party cookies?
We’re about to get technical, but it won’t hurt. Promise.
Generally speaking, first-party cookies are cookies that originate from within the same domain as the website someone is visiting. So a first-party cookie placed while browsing nike.com comes from nike.com.
A third-party cookie, meanwhile, is a cookie that (a) comes from a different domain, or (b) is “set by a data controller that is distinct from the one that operates the website visited by the user.”
So case (b) hinges on a data controller. What’s a data controller? So glad you asked.
As explained in yet another Commission document, data controllers are entities that collect and process data, as well as entities that “determine the purposes and means of the processing of personal data.”
In short, data controllers are the entities that own the data being collected.
This data controller requirement for first-party cookies is a subtly important nuance. It means that the company that runs a website must own the data being collected on that website – even if its cookies are being set from within the same domain.
If we can unpack all of that and weave it into a sentence, it would look like this:
Cookies can only be set by the data controller that operates the website setting the cookie, and must be set from within the same domain as the website.
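To make the two cases concrete, here is an added example (not code from the original post or from Webtrekk) that classifies cookies the way the passages above describe and then applies the browser-level privacy settings listed in Section 23. Case (a) is decided by comparing the registrable domain of the page with the cookie’s Domain attribute; case (b) is decided by comparing who controls the data, which no amount of domain matching can reveal, so the controller is carried as a separate field. The public-suffix list, the vendor hostnames and the `controller` field are assumptions made for this example only.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short list of multi-label public suffixes. A real
# implementation should use the full Public Suffix List; this subset is an
# assumption made for the example only.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1).

    'www.nike.com' -> 'nike.com', 'shop.example.co.uk' -> 'example.co.uk'.
    A leading dot, as used in a cookie Domain attribute, is ignored.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_cookie(page_url: str, site_controller: str, cookie: dict) -> str:
    """Return 'first-party' or 'third-party' for one cookie.

    Third-party if (a) its Domain attribute resolves to a different registrable
    domain than the page, or (b) the data controller that set it is not the
    controller operating the website. The 'controller' key is an assumption
    of this example; browsers do not carry that information themselves.
    cookie: {'name': ..., 'domain': ..., 'controller': ...}
    """
    page_host = urlsplit(page_url).hostname or ""
    same_domain = registrable_domain(page_host) == registrable_domain(cookie["domain"])
    same_controller = cookie["controller"].lower() == site_controller.lower()
    return "first-party" if same_domain and same_controller else "third-party"


def apply_browser_setting(setting: str, page_url: str, site_controller: str, cookies: list) -> list:
    """Return the names of the cookies a browser would keep under one of the
    privacy settings the Regulation lists, from 'never accept cookies' down to
    'always accept cookies'."""
    if setting == "never accept cookies":
        return []
    if setting == "always accept cookies":
        return [c["name"] for c in cookies]
    if setting in ("reject third party cookies", "only accept first party cookies"):
        return [c["name"] for c in cookies
                if classify_cookie(page_url, site_controller, c) == "first-party"]
    raise ValueError(f"unknown setting: {setting!r}")


# Constructed sample: a visit to nike.com with four cookies. The vendor
# hostnames and controller names are made up for this example.
PAGE_URL = "https://www.nike.com/shoes"
SITE_CONTROLLER = "Nike"
SAMPLE_COOKIES = [
    {"name": "session", "domain": ".nike.com", "controller": "Nike"},
    {"name": "analytics", "domain": "metrics.nike.com", "controller": "Nike"},
    # Set from a nike.com subdomain, but the data belongs to an outside vendor: case (b).
    {"name": "vendor_id", "domain": "cname.nike.com", "controller": "ExampleVendor"},
    # Set from an outside domain: case (a).
    {"name": "ad_profile", "domain": ".ads.example-network.net", "controller": "ExampleNetwork"},
]

if __name__ == "__main__":
    for setting in ("never accept cookies", "reject third party cookies", "always accept cookies"):
        kept = apply_browser_setting(setting, PAGE_URL, SITE_CONTROLLER, SAMPLE_COOKIES)
        print(f"{setting:28s} -> {kept}")
```

Run as a script it prints, for each setting, the cookies that survive. The `vendor_id` cookie is the interesting one: it passes the domain test but fails the controller test, which is exactly the nuance the data-controller requirement introduces, and it shows why an inventory of which vendor owns each cookie is needed before a domain-based audit means anything.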
6. From the EDPS Opinion, Section 12
[Data gathered about individuals] may not constitute a detailed picture of individual users… The information must also not be merged with other information to build a profile of a user, or be used to target the user.
Gulp. This is a biggie.
The impact on marketing tools seems clear enough: If you can’t use data for any purpose other than to obtain insight into how a website functions, then you can’t use it to send email, target potential buyers, bid on search phrases, etc.
There is a big impact on analytics, too.
Analytics tools are no longer designed to simply collect data. They are designed to understand the individuals coming to your website or using your app, and to turn those insights into some sort of revenue-generating action.
This, for example, is marketing copy from an American analytics company:
You can even connect online to offline so as to better understand user behavior across CRM, points of sale, call centers, devices, and the Internet of Things.
The final ePrivacy Regulation – just like the GDPR itself – will surely include exceptions for pseudonymized data: Companies will be able to build profiles if personal info is properly hashed. But with the Commission clearly clamping down on cross-platform, cross-device profiles, the process and practices related to anonymization will be under the microscope.
OK, so there's some of the scary stuff in there. But it’s not like the European Commission wants to shut down digital commerce. There are ways forward, you just have to be a bit careful.
Remember: Analytics is not being banned. It’s just that the rules around what is and is not allowed are evolving. And it’s quite possible that an analytics setup that is perfectly fine today will be problematic come 2018.
Max fines are set at €20,000,000 or 4% of global annual turnover – whichever number is higher.
The GDPR and ePrivacy Regulation are set to come into force on May 25, 2018. Then again, molasses might win a race against the European Commission, so don’t hold your breath. Especially because in addition to the EDPS recommendations, the European Parliament Committee on Civil Liberties, Justice and Home Affairs offered 800 suggested amendments in July.
Whatever happens, and whenever it happens, there are a few core ideas that the Commission appears likely to uphold. And a few core techniques you can use to keep headaches at bay.
- First, study what’s likely to happen, and understand how it impacts your analytics and marketing tools. That means lots of legalese and rereading a handful of Terms & Conditions agreements. It might be the most valuable homework you ever do.
- Second, ask your analytics and marketing solution providers to confirm compliance with all current and upcoming European regulations. It won't be possible to get all of this ironed out now – the final regulations have not been agreed upon – but at some point the rules will be clarified, and your contracts should reflect that.
- Third, have a bias for first-party data. The Commission has repeatedly sought to restrict third-party data while repeatedly creating exemptions for first-party data. Even if there is uncertainty around the exact rules that are coming, you can bet that first-party data will be favored over third-party data.
- Finally, reconsider if you need each and every tool of your stack. Each piece of software that you run in the background of your website makes you just a little bit more exposed to these rules, and whatever rules come next.
If you have any questions about how GDPR and ePrivacy regulations affect your analytics, or about how Webtrekk is positioned to deal with the upcoming changes, just get in touch.