The battleground around customer consent versus legitimate interest is a fierce one. When the UK passed its GDPR standard for how companies can collect and process consumer data, it sent shockwaves throughout the world. Yet, it was only the first such standard. Canada has since issued its own standard, as has the state of California.
GDPR defined: GDPR stands for the General Data Protection Regulation. It’s the toughest data privacy and security law in the world. Though drafted and signed into law by the European Union (EU), GDPR carries heavy legal responsibilities for organizations around the globe if they collect data related to EU citizens. GDPR went into effect on May 25, 2018.
Soon, updates to Apple and Google operating systems will further anonymize data, making it harder for companies to understand how users found their sites to begin with. This has Facebook highly concerned, given its primary revenue driver is its ad product – and without proper attribution, companies won’t be able to tell how effective an ad on Facebook, or its other properties like Instagram, really is.
Impact of General Data Protection Regulation (GDPR) for online businesses
- GDPR Article 6(1)(a) – Consent as a lawful basis for processing data: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- GDPR Article 6(1)(f) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Those two articles break down what’s known as consent collection and legitimate interest collection. Let’s make sure you gain a good understanding of both.
How your organization can become GDPR compliant: Sorting out customer consent once and for all
Becoming GDPR compliant relies upon customer consent.
Customer consent is considered the gold standard of data collection: A consumer must click a button or checkbox (one that cannot be pre-checked) to say that they agree to give their information to the company.
You’ve undoubtedly seen these on a variety of sites you’ve visited recently. Here’s an example from SAP’s Future of Commerce website:
Customer consent requires the customer – each and every individual one – to physically consent to the collection and processing of their data.
Much like customer consent’s requirement that no box be pre-checked and that the person actively agree, TCPA (the US Telephone Consumer Protection Act) policies also require an active agreement before someone can be sent text messages, and that agreement cannot be pre-checked. Further, the language of the agreement must state how often a user will be sent messages and how to unsubscribe and stop all messages.
GDPR is not alone, then, in this requirement for a more manual consent process.
Legitimate interest is more of a gray area within GDPR, and as a result, many marketers prefer it. Adding a requirement for a manual agreement for data collection adds friction to a website, and friction can severely reduce conversion. Legitimate interest is likely to apply when:
- The processing is not required by law but is of a clear benefit to you or others;
- There’s a limited privacy impact on the individual;
- The individual should reasonably expect you to use their data in that way; and
- You cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
This makes legitimate interest far more flexible than customer consent.
When to use consent v. legitimate interest: A handy legitimate interest assessment
Based on our breakdown of consent versus legitimate interest so far, you might be thinking that it’s just easier to use legitimate interest in all cases. That’s not necessarily true. In fact, the ICO has made it clear that you cannot use legitimate interest as the default collection method for your company.
“Although legitimate interest is a flexible concept and will often be relevant, it does not apply to everything and you are not able to use it as the default basis for all your processing.”
This is why most websites ask for consent as soon as you land on the site.
So, when can you use legitimate interest? Luckily, the ICO offers a three-part test for determining if legitimate interest can apply for your project, website, etc.
- Purpose test – is there a legitimate interest behind the processing? Under the purpose test, you need to ask yourself if the data collection is ethical, legal, and for the benefit of both your company and the consumer. And then, you need to clearly state the purpose behind wanting to process that data without consent (or under legitimate interest).
- Necessity test – is the processing necessary for that purpose? Using the necessity test, you need to demonstrate that there is no other less invasive way to achieve your goal, and ensure that the processing is proportionate to achieving your aims.
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms? Finally, under the balancing test, you need to ensure that processing the data doesn’t infringe on the rights and freedoms of the individual.
All right – so, on its own, this three-part test isn’t all that helpful. Let’s look at a few examples instead.
Applying the three-part test: GDPR legitimate interest examples
The following scenarios are offered by the ICO in their documentation to help companies better understand how to apply the three-part test and ultimately which data collection and information practices to use.
The charity case.
A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them.
The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.
The charity then looks at whether sending the mailing is necessary for its fundraising purpose. It decides that it is necessary to process contact details for this purpose and that the mailing is a proportionate way of approaching individuals for donations.
The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.
The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in the future.
The business seminar case.
Individuals attend a business seminar and the organizer collects business cards from some of the delegates.
The organizer determines that they have a legitimate interest in networking and the growth of their business. They also decide that collecting delegate contact details from business cards is necessary for this purpose.
Having considered purpose and necessity, the organizer then assesses that the balance favors their processing, as it is reasonable for delegates handing over business cards to expect that their business contact details will be processed, and the impact on them will be low. The organizer also ensures that it will provide delegates with privacy information, including details of their right to object. The organizer subsequently collates the contact details of the delegates and adds them to their business contacts database.
There are no legitimate interest loopholes: It’s about ethical data practices
On the fence about what to use? Start with the gold standard of consent. From there, expand into legitimate interest, but always do your best to explain upfront what data will be collected and for what purposes. Finally, always allow recipients of marketing material to opt out of being sent information – whether that information is sent on the basis of consent or of legitimate interest.
In other words, treat consumer data the way you’d want yours treated. GDPR simply requires companies to think a bit harder about what data they are collecting, whether they need to collect it, and how to do so in an ethical way.
Some companies are taking this standard to a new level and using ethical data collection and transparency as a marketing tactic in its own right. Let’s look at Lush, for instance. They have made Data Ethics a pillar of their company values.
“Now more than ever people are aware of how critically valuable their personal data is. In its lightest form, it is the tweets you post, the photos you upload, the people you DM. In its darkest forms, it is a tracker on your identity, an algorithm deciding whether you should be on a kill list. It is our belief that Data Privacy is a fundamental human right. The ethical data policy is about ensuring that all of Lush’s staff and customer data is secure and transparent. Our customers and staff have the right to know what we hold about them.”
As more and more countries, states and the like adopt GDPR-type standards, we are likely to see more and more companies adopting digital ethics best practices as internal values, and then using those as marketing fodder. This is the ideal goal of consumer data privacy and protection policies.