Insight | Strategy

A year of GDPR: the good, the bad, and the non-compliant

A year of GDPR: the good, the bad, and the non-compliant

We look at some questionable responses to the GDPR legislation that was brought in a year ago and ponder whether anything has really changed.

A year ago, the “EU General Data Protection Regulation” (GDPR) came into force. You probably noticed - it seemed like every company you’d dealt with since the dawn of the internet was emailing you to ask if they could “keep in touch”.

12 months later, how did companies respond to GDPR? Was it effective? What’s next? And what was it supposed to do, anyway?

GDPR - What is it for?

Let’s start with the last of the above points: what was GDPR actually supposed to do?  Essentially, GDPR is a set of far stricter rules on collecting, storing and using personal data, designed to give people more control over how their data is used. They should also make companies take their responsibilities seriously, with massive penalties for companies which abuse - or lose - personal data.

All companies which process data about people in the EU now have to follow the same set of rules (even if those companies are not based in the EU), so data is protected regardless of the companies it is shared with. This aims to ensure no business is able to gain an advantage by using personal data in a way that others wouldn’t be allowed to. Essentially, if your customers are in the EU, you have to follow the rules.

What type of data counts?

What exactly constitutes “personal data” is pretty broad. Unfortunately, there’s no easy-to-follow checklist for what is and isn’t included. The rules say that ‘personal data’ is anything that relates to an ‘identifiable individual’; in other words, any data that could be used (by you or someone else) to identify a particular person (not a company). 

This therefore varies depending on what other data you have. For example, just knowing someone’s name doesn’t really allow you to identify them. If you also know their date and place of birth, this data combined could identify the person. You’ve got ‘personal data’.


What did companies have to do?

Probably one of the most immediately noticeable changes was the way companies get a person’s consent to process their data. For many companies, one pressing concern was marketing data - hence the flurry of emails most of us received in the run up to and immediately after the deadline.

The regulations require companies to make it clear and easy to understand what they want your data for, what they’ll do with it, and who they’ll share it with. This includes getting your consent before they add your email address to their marketing newsletter, and making it as easy for you to withdraw your consent as it was to give it.  

Some companies perhaps weren’t concerned, as they knew that they’d clearly asked for consent when they obtained the data, and could trace where the data came from. Others, however, weren’t so sure or thought they’d best play things safe, so set about emailing all their existing contacts to ask for consent - though the approaches taken, and how loosely they interpreted “clear consent”, did vary.

The “Tell us now, or never hear from us again” 

This option probably seemed like the safest bet for a lot of companies. If they couldn’t show when or how they originally got your consent, they simply asked if you consented to them marketing to you in the future.  

It might have seemed a scary prospect for some marketers with a subscriber list cut in half… but really, is there any point in continuing to email someone who really isn’t interested, GDPR or not?

The “blah blah blah oh can we still email you?”

Similar to the above, but a few companies made the mistake of burying the request for consent in amongst the rest of their newsletter. Granted, GDPR might not have been the most exciting news, but this approach may have meant a few people didn’t realise they needed to do something to still receive your emails and may end up missing out.

The “Here’s how to tell us to stop emailing you” 

This seemed a pretty straightforward approach. The company provided a nice, clear “click here to unsubscribe” button. If you didn’t want to be contacted, this made it nice and easy to let the company know, which fits neatly with the GDPR rule that it must be easy to withdraw consent.  

This does, however, rely on someone who isn’t interested in receiving emails from a company actually opening said email to unsubscribe. The approach assumes that if you’re not really interested enough to say otherwise, you consented - which is perhaps not quite in line with what GDPR set out to tackle.

The “Enter our Competition (and subscribe to our newsletter if you do)” 

This approach was clever, but also a little sneaky. Emails contained a big headline inviting people to enter some exciting sounding competition, but the footnotes stated doing so would indicate your consent for continued marketing.

This approach feels a bit dubious, when the GDPR rules say that the consent must be clear, and easy to distinguish from other subjects. Consenting by entering a competition doesn’t necessarily feel like it meets this requirement - it’s back to the bad old days of “Tick this box to indicate that you don’t want us to not share your details with all our friends”

Presumed consent

The last two approaches to “getting consent” above bring us nicely to another GDPR rule - it’s no longer ok to “presume consent”.This means that a company can’t decide that if you didn’t tell them otherwise, you consented to them doing whatever they fancy with your data. 

Companies now have to explicitly ask for your permission, and tell you exactly what for. This means the days of teenie tiny hidden-at-the-bottom-pre-checked-checkboxes is over… or at least, should be.

- it sometimes felt like consent forms were trying to make it difficult to opt out...

Everyone loves cookies 

Another big change many of us noticed across the internet was the sudden appearance of ‘cookie banners’. These ranged from discreet, through mildly irritating, to downright pains in the backside. But what are they all about?  

Cookies are a small text file that a website places on your computer or phone, which are used for all sorts of different purposes (sadly, not as yummy as they sound). The use of cookies is actually governed by a slightly different set of regulations called the Privacy and Electronic Communications Regulations (PECR). 

These state that if your website uses cookies, you must tell people that they are there, explain what they are doing and why, and get consent to store a cookie. The information gathered by cookies can also count as personal data, which is then covered under GDPR.

Like with getting marketing consent, the approaches to cookie banners are varied.

“See our Privacy Policy”

The least obtrusive and annoying for the user. Some websites simply updated their privacy policy to make it clear what cookies they use, and why. However, some worried this wouldn’t count as “consent”. 

“By using this site, you accept cookies”

Generally clicking ‘ok’ makes these banners disappear so the user can safely forget about them. It’s more explicit, but sounding very much like the now-banned “presumed consent”: if using the site counts as consent, the visitor didn’t really have a chance to not consent, as they were already using the site by the time the consent notice was shown.  

“You can’t come in until you accept cookies!”

This has been considered somewhat annoying - you attempt to view a page of a site, only to be confronted with a full-page banner telling you that you must accept cookies before you can use the site. Even more annoying, you’ll sometimes be halfway through the first paragraph before this pops up. 

This is a fairly strict interpretation of the rules. It explicitly asks for consent, if at the cost of user experience. However, this ignores another aspect of the rules on consent - that it must be “freely given”, rather than forced or traded for a service like access to a website.

“Update your cookie preferences here”

This feels like the least annoying solution. The user is given the option to accept or decline individual cookies as they see fit. They can then either leave the default cookie selection as is, or modify cookies individually if they wish.

Is it practical, though? Or is this just too much information? How many users actually understand, or care, what cookies are placed? And for those who do decide to opt-out of some or all cookies, things aren’t always sweet as they seem. 

Tumblr’s implementation gave the user more than 350 individual pre-ticked checkboxes that they could untick one-by-one if they wished. Again, pre-ticking boxes goes against the grain of “no presumed consent”, but it would also be pretty unrealistic to expect a user to check all of those boxes, even if they were happy to share their data (maybe a ‘deselect all’ option would have been a good start though…)

What’s the ‘right’ approach?

If anything has become apparent in the last year, it’s that nobody seems quite clear on how best to go about implementing the rules on cookies. When trying to find the balance between good user experience (ie, no annoying popups) and giving users a clear choice as to whether personal data is being collected, it seems in many cases that one or the other ends up suffering.  

A key issue is ‘getting consent’. Many users just don’t want to be bothered by popups or banners asking them if it’s okay to store a cookie. But the regulations demand this, even if it’s not really what users want.

However, this may be set to improve. A new set of rules called the e-privacy directive is currently being debated, which may again change the way cookies are handled.

The end of cookie banners?

Currently in draft stage, a new set of rules is currently being discussed which could see the end of the ‘cookie banner’. One proposal is that instead of being set on a per-website basis, browsers should handle the cookie settings for the user, and apply this information to every website they visit. 

It was hoped that this would reduce ‘consent fatigue’: being asked to consent to cookies on every single site a person visits.  

This idea has proved controversial, with concerns that this won’t be effective, will be difficult to implement in a practical way, or that it places too much of a burden on the creators of browsers. But for website owners, this could mean the end of having to force annoying and often-complex cookie notices and consents on their visitors. For website visitors, the convenience of being able to set their preferences once and get on with whatever they were trying to do.  

As a company who has had to make a tricky decision on how forceful to make your cookie consents, what would you prefer? As a user, would you be happier to fill in your preferences once and forget about it, or do you actually want to be asked for your consent on every website you visit?

So has anything actually changed?

On the face of it, the majority of companies seem to be taking the new rules seriously, updating their privacy policies, and making some sort of of attempt at asking for consent for marketing and cookies, for better or for worse. 

Overall though, it seems that companies aren’t 100% clear on how they should be handling consents, and with the coming update to privacy laws still under discussion, it’s also not certain whether this will become clearer in the future and how things may change.  

And whilst companies may be making all the right noises about protecting personal data, it remains to be seen whether all have followed through with action. Shortly before the new rules came into place, Facebook suffered a huge data breach, with the personal data in 50 million accounts potentially exposed. 

Had this happened post-GDPR, Facebook could have been in for a huge fine and restrictions that may have effectively shut the business down if it was found that the company did not have sufficient measures in place.  

Since GDPR came into force, no major losses of personal data have been reported so there hasn’t been an opportunity to see how the various implementations of ‘getting consent’ hold up to scrutiny. 

Should a company suffer a data breach, everything about how they gather and process personal data would be subject on an in-depth investigation by the Information Commissioner's Office (ICO) - which may give a more conclusive answer as to whether some of the approaches we’ve seen fall on the right or wrong side of the law.