Today’s consumers understand the trade-offs that are necessary between privacy expectations and being delivered a relevant advertising experience. According to a recent Criteo-IPSOS survey, 90 percent of EU internet users are aware of behavioural targeting and 75 percent of respondents expect to be served ads that match their interests. With the General Data Protection Regulation, otherwise known as GDPR, coming into effect on May 25, today’s savvy consumers will be supported by a new clarity and coherence to personal data protection and a data protection framework updated for the digital age.
Shoppers are familiar with cookies and the role they play in the advertising-driven business model that powers the content they access. This understanding and trust between consumers and businesses is fundamental to the foundation of the digital economy, and we’re confident that the GDPR will increase the transparency, control and certainty for all.
However, with just over 100 days until the GDPR comes into effect, we’re seeing misconceptions about the new legislation, especially when it comes to how the GDPR defines consent and data privacy. Businesses can continue to deliver the personalised experience that consumers have come to expect, while complying with personal data protection rules - the key is in understanding the difference between unambiguous and explicit consent.
The GDPR requires businesses to obtain unambiguous consent from users. This includes a user continuing to browse a website: as online identifiers (e.g. cookies) alone are categorised as non-sensitive personal data, an explicit opt-in is not required. Explicit consent means a person must opt in to the use of sensitive personal data, which might include race, religion, sexual orientation, political affiliation, and health status.
In addition, the GDPR requirements state that consent must be “freely given, specific, informed, and unambiguous”. But what does that mean? “Freely given” means consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if consent is not given. For example, users are free to refuse Criteo’s services directly from the cookie message without consequence.
“Specific” and “informed” mean that to be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
As the world of marketing embraces newer, ever-more innovative technologies that help to enhance the shopper experience, the GDPR represents legislation for the modern age: a positive development that will foster ongoing trust in our digital economy and enhance an industry built on clear visibility, accountability and control for brands and consumers. What’s more, with the regulation replacing the Data Protection Directive from 1995, it represents a framework built on modern standards and capabilities that will ensure that the entire industry meets the high standards that the modern shopper demands.
Criteo’s European roots mean that we have consistently dealt first-hand with the stricter EU standards, and as a global company with major offices in multiple EU countries we are already well accustomed to complying with country-level requirements across the world. Our own Privacy by Design is indicative of our long-standing practice and commitment to ensuring industry-leading privacy, security and safety. We welcome this regulation as a much-needed evolution in data privacy governance – a win-win for consumers and businesses alike, that will be essential in continuing to build and grow the understanding and trust between consumers and businesses.
John Gillan is managing director, UK and Northern Europe, of Criteo