To say the new EU legislation on privacy and data storage, better known as GDPR, has stirred up the online marketing industry would be the understatement of the year. Numerous articles have been written, legal consultants are having a field day and every morning you receive tons of emails urging you to consent to data storage by some company you can’t remember ever creating a profile for.
Behind all this, there is a fundamental uncertainty. Everybody agrees that after May 25th, things will fundamentally change. Yet just what this change will bring about exactly, is unclear. Yes, you need to ask your customers before you can save and use their email address. Yes, the happy days of pre-ticked boxes are over. And yes, you have to be transparent on any personal data you store.
But how are you going to decide what data is personal and what isn’t? Just how granular does consent have to be? Can you continue profiling potential customers? Companies are insecure about how consumers are going to respond to GDPR and how the authorities are going to interpret and administer the new legislation. And there is the question of what changes in jurisdiction GDPR-related court cases will bring about.
One of the topics which raises the biggest uncertainties is tracking. GDPR is not a regulation aimed at the online industry, let alone the online marketing industry. It has nothing to say about tracking specifically. However, that does not mean business as usual for tracking. Particularly the prohibition of storing data that can identify a person indirectly will have consequences for common tracking practices. Even the ID of a simple cookie used to track an ad impression or a click on a banner might be considered data that allows indirect identification.
As pointed out by MarTech, ‘legitimate interest’ is not the get-out-of-jail-free card to get any data you need for tracking. Your legitimate business interest has to be weighed against the interest of the person involved. Which interest will be heavier will probably be defined in court, but waiting for this moment is not something most online marketing companies will see as a fruitful strategy.
The good news is that there actually are things you can do. Publishers and advertisers can start to ask users to consent to tracking proactively, and companies providing tracking technology can implement solutions which support them in doing so. But there is an even simpler solution to avoid data privacy issues: start respecting the do-not-track header in the browser settings of consumers.
The do-not-track option was introduced by Microsoft for Internet Explorer in 2010 and was soon adopted by other browser services, including mobile ones. The idea behind the header is simple: it informs any website that the user of the browser does not want to be tracked, i.e. data on her or his behaviour should not be stored. Any tracking technology on the website could use this information to disable itself – could because very few tracking technology providers actually honour this.
Nevertheless, the do-not-track header is a very straightforward statement from the side of the consumer. GDPR may not mention it, but being all about consent, it goes against the grain of the regulation to ignore it. Naturally, respecting the do-not-track header will have an impact on business. Usage varies from browser to browser, but according to online privacy organisation Baycloud Systems, 10.5% of all browser users have activated the do-not-track header by default. Especially advertising companies with performance-based business models will suffer from this.
However, business models can be adjusted, while GDPR cannot. The online marketing industry has a clear choice to make. Either it tries to maintain its current practice and risk facing a lot of legal repercussions and controversies, or it takes GDPR as an opportunity to take people’s concern about data privacy seriously and adjust practices accordingly. The main job for technology companies is to enable these practices and develop tracking solutions that are consent-based. Respecting do-not-track headers is not the magic key, but it is a damn good start.