14th Feb 2018
There’s a lot more to learn.
Here are some good places to start:
And so we’re documenting the grey areas.
Because it doesn’t really matter that not every law is finished. We know the core structure, and that means each country’s law can vary slightly. But we have the basics.
If you understand the law you can see very clearly when you’re venturing into blackhat-privacy and grayhat-privacy hacks. And you can determine which tools to remove from your stack and which cool marketing hacks you really can keep. Read recital 26 of GDPR.
No pre-checked boxes…no bribing, no cookie walls…
The principles of data protection should apply to any information concerning an identified or identifiable natural person.
And those tools can ONLY run if a visitor gives them the green light. For even the smartest of marketers—you’re looking at a traffic cut.
- GDPR replaces the Data Protection Directive 95/46/EC. All clear?
- GDPR deals with A LOT more than only digital privacy. And so there is a sub-law called ePrivacy Regulations to give more specific rules. Still clear?
- ePrivacy Regulations replaces the ePrivacy Directive, still with me?
- GDPR is approved and will become law May 25, 2018, ready?
- Each European country can make its own “flavor” of GDPR, and only two of two dozen countries have done that…say what?
- ePrivacy Regulations most likely won’t even be ready by May 25th, 2018….ehhh come again?
So where cookies are mentioned once in GDPR, ePrivacy Regulations are full of detailed descriptions of what is and what is not allowed… but we are lacking that final law (it’s in draft no. 1533). Handy right?
So what do we do? What rules do we follow?
In short, my version: Personal data (and that’s a lot) should only be collected on the basis of legitimate interest (more on that in another article), with consent, or as part of a contract. There are a couple more exceptions that won’t apply to 90% of digital marketers, but you can read them all here.
You can use any tool in your stack that does not store cookie IDs and does not store personal data. No fingerprinting and other nasty hacks to avoid cookies…
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
It looks like web analytics (counting visitors) will be allowed, but it’s not 100% clear on what analytics tools and features are permitted. That’s up to ePrivacy Regulations—a law, that again, is not finished.
You should also be ready to signal a breach of security on that data within 72 hours of it occurring. So make sure you’d be capable of informing the data subjects, and the authorities, if one were to occur.
Digital Marketing & GDPR what do we know?
From article to article you’ll read about the scary, 20 million euro (24 million USD) fines.
Yep. You need to explain to website visitors, leads, and customers, how you collect and store their data. Don’t use it in any other way than the ways you share.
So tools that set no cookie IDs or unique identifiers and store no personal data are the ones allowed on those websites.
Personally Identifiable Information (PII)
Convert Experiences (our A/B testing software) will run without cookie IDs, without unique identifiers and without personal data storage. So that’s something to look for as you evaluate your marketing tools.
The intention of Europe’s GDPR law
Storing personal data will affect you as digital marketing owner because you need to ask for consent.
Which puts you in an awkward position.
So they don’t want any unique identifiers. Not even in cookies—and surely no personal data.
“<unchecked checkbox> I’m consenting to a phone call from a representative of company X.”
“But Dennis you are forgetting….”
Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
Europeans want this law; it reaches far beyond Europe and touches every database in the world where some form of personal data about Europeans is stored.
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
Sorry, not my law…
(Or skip the italics and trust the summary I wrote after them).
- stored safely inside Europe.
- able to be erased or modified on request.
Obviously, I’m forgetting tons and tons of things. It’s 300+ pages of GDPR law and over 100 on ePrivacy Regulations draft 1533. But the idea is clear.
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
So you have to ask clear consent, per type (group) of tools.
What? Consent? Yes, explicit consent!
Personal data is the European version of PII. But ohhh boy, it’s different. Here is a comparison table.
And those are….
…even if that data is stored and handled outside Europe…
So it’s incredibly important.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
We implement what GDPR says, that’s what we do.
What can you do without consent?
And the articles on GDPR seem to just make it more complicated.
…AND, it brings with it, new ePrivacy Regulations (ePR) for EU citizens…
Now you can grab a legal team, and you can find all the gray areas of what is and what is not allowed. But let’s first just understand the core idea, the intention, behind the regulation.
Darn… that is going to lower conversion rates right?
So is it worth it to ask for consent? Maybe…
The price of failure is clear, but the rules are unclear. So what do we do?
So no: “by signing up for this whitepaper you accept the terms… blah blah, nobody will read this.”
General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC…
So it’s a mess, but nobody is telling you this, since there is money to be made.
For now, that’s what we know.
If you run 10 retargeting tools that combine historical searches, page visits etc…? Put those in one group and see if you can explain the benefit clearly to visitors, so they consent.
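Here is what the per-group consent described above looks like when turned into code. This is an added example, not code from the original post or from Convert: a small consent gate where every group starts as “no consent” (the unchecked box), a tool in a group only starts after that group is explicitly granted, withdrawal stops the group’s tools again, and the time of consent is recorded so it can be shown later. The group names, the `ConsentManager` class and the fake loaders are assumptions for the demo, not real tools.

```javascript
// Added example (not from the original post or from Convert): a minimal
// consent gate for grouped marketing tools. The group names, ConsentManager
// and the loaders below are assumptions made for the demonstration.

const TOOL_GROUPS = {
  analytics: "Count visitors (no cookie IDs, no personal data)",
  retargeting: "Remember pages you visited here to show you ads elsewhere",
};

class ConsentManager {
  constructor(groups) {
    this.groups = groups;
    this.state = {}; // group -> { granted: boolean, at: ISO timestamp or null }
    this.tools = {}; // group -> [{ name, load, unload, active }]
    for (const group of Object.keys(groups)) {
      this.state[group] = { granted: false, at: null }; // default: no consent
      this.tools[group] = [];
    }
  }

  checkGroup(group) {
    if (!(group in this.groups)) throw new Error(`unknown consent group: ${group}`);
  }

  // Register a tool under a group; it only starts if that group is granted.
  register(group, name, { load, unload = () => {} }) {
    this.checkGroup(group);
    const tool = { name, load, unload, active: false };
    this.tools[group].push(tool);
    if (this.state[group].granted) this.start(tool);
    return this;
  }

  start(tool) {
    if (!tool.active) { tool.load(); tool.active = true; }
  }

  stop(tool) {
    if (tool.active) { tool.unload(); tool.active = false; }
  }

  // Explicit opt-in for one group: the "green light" that lets its tools run.
  grant(group, when = new Date()) {
    this.checkGroup(group);
    this.state[group] = { granted: true, at: when.toISOString() };
    this.tools[group].forEach((t) => this.start(t));
    return this;
  }

  // Withdrawal must be as easy as granting: stop every tool in the group.
  withdraw(group) {
    this.checkGroup(group);
    this.state[group] = { granted: false, at: null };
    this.tools[group].forEach((t) => this.stop(t));
    return this;
  }

  allowed(group) { return Boolean(this.state[group] && this.state[group].granted); }

  activeTools(group) { return this.tools[group].filter((t) => t.active).map((t) => t.name); }

  // What you would store next to the lead or customer as the record of consent.
  record() {
    return Object.fromEntries(Object.entries(this.state).map(([g, s]) => [g, { ...s }]));
  }
}

// Walk through the flow with fake loaders that only log what would have happened.
function demo() {
  const events = [];
  const cm = new ConsentManager(TOOL_GROUPS);
  cm.register("analytics", "visitor-counter", {
    load: () => events.push("visitor-counter:start"),
    unload: () => events.push("visitor-counter:stop"),
  });
  cm.register("retargeting", "ad-pixel", {
    load: () => events.push("ad-pixel:start"),
    unload: () => events.push("ad-pixel:stop"),
  });
  const beforeConsent = events.length; // nothing has run yet
  cm.grant("analytics", new Date("2018-05-25T00:00:00Z")); // constructed timestamp
  const afterAnalytics = cm.activeTools("analytics");
  const retargetingStillOff = cm.activeTools("retargeting");
  cm.withdraw("analytics");
  return { events, beforeConsent, afterAnalytics, retargetingStillOff, record: cm.record() };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the design is that the default state does all the work: a tool registered before consent simply waits, the retargeting group stays off even though analytics was granted, and `record()` gives you the per-group timestamps you would need to show what a visitor agreed to and when.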
In GDPR, we know that cookies are mentioned only once. Recital 30 states:
When you collect personal data, it needs to be…