GDPR vs. ePrivacy: What You Need to Know
February 14, 2018 –
…AND, it brings with it, new ePrivacy Regulations (ePR) for EU citizens…
…even if that data is stored and handled outside Europe…
…in an age when the personal data is increasingly economically valuable.
So it’s incredibly important.
And the articles on GDPR seem to just make it more complicated.
- GDPR replaces the Data Protection Directive 95/46/EC. All clear?
- GDPR deals with A LOT more than only digital privacy. And so there is a sub-law called ePrivacy Regulations to give more specific rules. Still clear?
- ePrivacy Regulations replaces the ePrivacy Directive, still with me?
- GDPR is approved and will become law May 25, 2018, ready?
- Each European country can make their own “flavor” of GDPR and only two countries have done that of two dozen…say what?
- ePrivacy Regulations most likely won’t even be ready by May 25th, 2018….ehhh come again?
So where cookies are mentioned once in GDPR, ePrivacy Regulations are full of detailed descriptions of what is and what is not allowed… but we are lacking that final law (it’s in draft no. 1533). Handy right?
So what do we do? What rules do we follow?
So it’s a mess, but nobody is telling you this. Since money is to be made.
From article to article you’ll read about the scary, 20 million euro (24 million USD) fines.
The price is of failure is, but the rules are unclear. So what do we do?
We implement what GDPR says, that’s what we do.
Because it doesn’t really matter that not every law is done. We know the core structure, and that means each country law can slightly vary. But we have the basics.
And those are….
Digital Marketing & GDPR what do we know?
In GDPR, we know that cookies are mentioned only once. Recital 30 states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
So they don’t want any unique identifiers. Not even in cookies—and surely no personal data.
Personal data is a European version of PII. But ohhh boy it’s different. Here a comparison table.
Personal Identifiable Data (PII)
For now, that’s what we know.
The intention of Europe’s GDPR law
Now you can grab a legal team, and you can find all the gray areas of what and what is not allowed. But let’s first just understand the core idea, the intention, behind the regulation.
If you understand the law you can understand very clearly when you’re venturing into blackhat-privacy and grayhat-privacy hacks. And you can determine what tools to remove from your stack and what cool marketing hacks you really you can keep. Read recital 26 of GDPR.
(Or skip the italics and trust the summary I wrote after them).
The principles of data protection should apply to any information concerning an identified or identifiable natural person.
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
In short, my version: Personal data (and that’s a lot) should only be collected with either legitimate interest (in another article, more on that), or in exchange for consent, as part of a contract. There are a couple more exceptions that won’t apply to 90% of digital marketers but you can read them all here.
When you collect personal data, it needs to be…
- stored safely inside Europe.
- able to be erased or modified on request.
You should also be ready to signal a breach of security on that data within 72 hours of it occurring. So make sure you’d be capable of informing the data subjects, and the authorities, if one were to occur.
Europeans want this law, it reaches far beyond Europe and it touches every database in the world where Europeans are stored with some form of personal data.
“But Dennis you are forgetting….”
Obviously, I’m forgetting tons and tons of things. It’s 300+ pages of GDPR law and over 100 on ePrivacy Regulations draft 1533. But the idea is clear.
Storing personal data will affect you as digital marketing owner because you need to ask for consent.
What? Consent? Yes, explicit consent!
Yep. You need to explain to website visitors, leads, and customers, how you collect and store their data. Don’t use it in any other way than the ways you share.
So no…by signing up to this whitepaper you accept the terms blah blah nobody will read this.
“<unchecked checkbox> I consent that by downloading this whitepaper, I will receive an email with the whitepaper.
<unchecked checkbox>, I’m consenting to a phone call from a representative of company X.”
Darn… that is going to lower conversion rates right?
Sorry, not my law…
What can you do without consent?
You can use any tool in your stack that does not store cookie ID’s and does not store personal data. No fingerprinting and other nasty hacks to avoid cookies…
So no cookie ID’s, unique identifiers and no storing personal data on the websites those tools are allowed.
It looks like web analytics (counting visitors) will be allowed, but it’s not 100% clear on what analytics tools and features are permitted. That’s up to ePrivacy Regulations—a law, that again, is not finished.
So is it worth it to ask for consent? Maybe…
So you have to ask clear consent, per type (group) of tools.
Which puts you in an awkward position.
If you run 10 retargeting tools that combine historical searches, page visits etc…? Put those in one group and see if you can explain the benefit clearly to visitors, so they consent.
No pre-checked boxes…no bribing, no cookie walls…
And those tools can ONLY run, if a visitor gives them the green light. For even the smartest of marketers—you’re looking at a traffic cut.
There’s a lot more to learn.
And so we’re documenting the grey areas.
Here are some good places to start: