Understanding 'trust' and 'consent' are the real keys to embracing GDPR

However, with just over 100 days until the GDPR comes into effect we’re seeing misconceptions about the new legislation, especially when it comes to how the GDPR defines consent and data privacy. Businesses can continue to deliver the personalised experience that consumers have come to expect, while complying with personal data protection rules - the key is in understanding the difference between unambiguous and explicit consent.

The GDPR requires businesses to obtain unambiguous consent from users. This includes a user continuing to browse a website, as online identifiers (e.g. cookies) alone are categorised as non-sensitive personal data, an explicit opt-in is not required. Explicit consent means a person must opt-in and to the use of sensitive personal data which might include race, religion, sexual orientation, political affiliation, and health status.

In addition, the GDPR requirements state that consent must be “freely given, specific, informed, and unambiguous”. But what does that mean? “Freely given” means consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if consent is not given. For example, users are free to refuse Criteo’s services directly from the cookie message without consequence.

“Specific” and “informed” mean that to be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.

Finally, “non-ambiguous” means that consent must derive from an active behaviour from which consent can be reasonably concluded. For example, when an individual continues to browse a website and thus accepts the use of cookies to monitor their browsing.

As the world of marketing embraces newer, ever-more innovative technologies that help to enhance the shopper experience, the GDPR represents legislation for the modern age. A positive development that will foster ongoing trust in our digital economy and enhance an industry built on clear visibility, accountability and control for brands and consumers. What’s more, with the regulation replacing the Data Protection Directive from 1995, it represents a framework built on modern standards and capabilities that will ensure that the entire industry meets the high standards that the modern shopper demands.

Criteo’s European roots mean that we have consistently dealt first-hand with the stricter EU standards, and as a global company with major offices in multiple EU countries we are already well accustomed to complying with country-level requirements across the world. Our own Privacy by Design is indicative of our long-standing practice and commitment to ensuring industry-leading privacy, security and safety. We welcome this regulation as a much-needed evolution in data privacy governance – a win-win for consumers and businesses alike, that will be essential in continuing to build and grow the understanding and trust between consumers and businesses.

John Gillan is managing director, UK and Northern Europe, of Criteo