When does no actually mean no? Analysing consent under GDPR

The digital world is set for change. Brands will no longer be able to target and connect with consumers online in today’s carefree manner once the European Union’s new General Data Protection Regulation (GDPR) comes into force next May. New research reveals two thirds (67 per cent) of UK consumers are concerned about how brands use their personal information, such as their name, email, location, and marital status. The same proportion (66 per cent) worry their personal data security could be compromised by the latest IoT gadgets, including smart-watches, fitness trackers, and home devices such as Amazon’s Echo. 

As consumers demand a more personalised shopping experience online, these statistics are a worry for brands who rely on customer insight to tailor their services. Further to this, brands face a challenge in restoring confidence among shoppers with GDPR enforcing an opt-in/opt-out policy for consumers. Businesses are scrambling for answers on how and why they need to change their methods of data collection and management to meet the privacy requirements but one thing is clear – consumers will be empowered to say “no” when targeted with irrelevant marketing material. And more importantly, businesses will have to listen.

So, when does “yes” mean “yes”? 

This is a serious question that brands need to be addressing. They should sit up and listen to their customers when they say enough is enough. However, there is still a business to run and we know that data has become a marketer’s most valuable asset in the digital age. With GDPR’s requirement that consumers must specifically opt in for all uses of their data, and must be given unrestricted rights to opt out, brands need to think and act cleverly to prevent a mass exodus of their customers and prospects.

Businesses must stop seeing people as just numbers, but as individuals with their own digital identity. By persuading visitors to identify themselves at the point of site entry via registration, marketers can tie demographic, interest and behavioural data to these individual identities. However, the big pay-off is in being able to continually ask contextual questions which enhance the user journey, an approach called progressive identity. Online retailers, for example, can allow shoppers to gradually build a profile based on dress size, favourite designers and colours, giving consumers the power to share only the data points that they believe will provide them with the best value exchange, and making sure they know exactly where to go to update or edit these permissions, ensuring personalisation never comes as a surprise. 

Above all, it is important for brands to define and manage consent when GDPR is implemented, to not only stay compliant but to build trust and enhance relationships at a time when reputation is well and truly on the line.  

To do this, businesses must fully understand what is meant by ‘consent.’ GDPR sets a high standard for consent, meaning people will be offered genuine choice and control over how their data is used by companies. Consensual data helps businesses build trust and enhance their reputation. 

What impact will that have on your business? 

For a start, a review of legacy consent mechanisms will be required. Businesses will need clear and more granular opt-in methods, authoritative records of consent, and simple, easy-to-access ways for people to withdraw consent. This revolution in data consent reflects a more dynamic view of the importance of permission-based data, treating it as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.

Despite there being a business requirement to improve the consent process, there are still several areas of GDPR that call for more guidance, mainly on what will be an accepted user interface. Different requirements can have a significant impact on the business performance of registration pages and beyond. A few examples of GDPR requirements are:

1. Keeping consent requests separate from other terms and conditions. The ambiguity here opens the door for businesses to question what this means they need to do. Does this require separate check-boxes for the general terms of service and for consent? Can consent to specific data uses not be contained within the terms and conditions or terms of service on a site?

2. Named consent. The guidance requires naming third parties used by the organisation. Large enterprises are often using tens of services to fulfil their business needs, from analytics services to customer identity and access management (CIAM) solutions. Will it be sufficient to present these in a consent statement linked from the registration page?

3. Alternatives to consent. It seems it would be helpful to have further detail on how private-sector organisations can determine whether they can process personally identifiable information (PII) based on ‘legitimate interest’ rather than on consent.

These questions are a few of many. For businesses to successfully implement correct consent requirements, there needs to be some clarity on ‘consent granularity.’ Many enterprise brand, media and ecommerce businesses will want to know what level of granularity will be acceptable. For example, will online registration pages need to include 3-4 check-boxes representing permission to use PII for services such as product recommendations, email marketing, loyalty programs, etc.?

As more time elapses, we will need to see how the “general” concepts of the General Data Protection Regulation will be turned into black-and-white rules that organisations can follow to achieve GDPR compliance and put in place the best way to collect the data customers have consented to share.

At this stage, businesses need to focus on what they need clarity on, and to fully understand what consent under GDPR means for the business, its employees and its customers.  

Richard Lack, Managing Director - EMEA, Gigya