This news is making the entire digital marketing industry sit up and take notice. The French data protection authority CNIL levied fines on Google and Amazon amounting to 100 million and 35 million Euros respectively. The reason: users were not given the information they needed, which meant that no informed consent to the placement of tracking cookies could be given. Now that the French data protection authority is taking decisive action, it is only a matter of time before the German authorities follow suit. Companies should not wait any longer to act, especially given that most of them rely on services such as Google Analytics or Facebook. But what concrete measures can companies and, more specifically, website operators actually take? And will this decision affect the performance marketing of your company? Mischa Rürup, CEO at Usercentrics, provides some tips and tricks on how companies can protect themselves now and gives his perspective on expected developments in the coming year 2021.
GDPR, e-Privacy and national rules – the difficulty with the legal jungle
For the first time, large US corporations such as Google or Amazon are being held to account for using tracking cookies without the valid consent of users. But why is a French national ruling such an important precedent for an entire industry? Many would probably now think “Due to GDPR, of course!” but it really is not that simple. It is true that the General Data Protection Regulation (GDPR) stipulates that website operators require a legal basis for the use of web technologies for marketing purposes. This has applied since the law came into force in May 2018. In most cases, that legal basis is the explicit consent of the user. Contrary to what was originally suspected, the French data protection authority did not base its decision on the GDPR (although it applies in all of Europe) but rather on the ePrivacy Directive. The reason: Under the GDPR, the Irish data protection authority would be responsible for data protection violations committed by the internet giant Google, as it has its European headquarters there. But since the Irish DPC (Data Protection Commissioner) is frequently criticized for not cracking down hard enough, the CNIL is taking the initiative itself.
What website operators must consider
5 concrete to-dos for companies
- Check whether your website triggers third-party requests without the user providing consent. It is important to know here that the GDPR does not just apply to cookies but rather to all requests which leave your website (so-called HTTP requests). These can originate, for example, from embedded elements such as Google Maps or social media buttons.
- Check the right to choose in your consent banner. Does your banner have an Accept and a Reject button? The law only assumes that a right to choose exists when providing consent is just as easy as declining consent.
- Check the granularity. Can the user click on details, read up on every individual technology and decide granularly? Important: There is no such thing as general consent for an entire category such as tracking. An important component of valid consent is granularity.
- Do you know your opt-in rate? A low opt-in rate automatically leads to low performance marketing results. But for all the possibilities for optimizing your banner, you should never mislead your customers or force them to provide consent, e.g. by concealing the opt-out option.
- Do not, under any circumstances, overlook the apps, because the provisions of the GDPR also apply to apps. Apps often have so-called SDKs built in, which harvest data and profile users.
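
The first check in the list above can be scripted against a HAR export recorded with a fresh browser profile. The following is an added example, not part of the original article: the function names, the placeholder domains and the sample capture are constructed, and treating every host outside a single first-party domain as third-party is an assumption.

```python
from datetime import datetime
from urllib.parse import urlsplit

def _entry(ts, url, headers=()):
    """Build one minimal HAR entry (only the fields this check reads)."""
    return {"startedDateTime": ts, "request": {"url": url},
            "response": {"headers": [{"name": n, "value": v} for n, v in headers]}}

# Constructed sample capture; all domains are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    _entry("2021-01-05T10:00:00.000Z", "https://www.example.com/"),
    _entry("2021-01-05T10:00:00.100Z", "https://cdn.example.com/app.js"),
    _entry("2021-01-05T10:00:00.200Z", "https://maps.vendor-a.example/embed.js"),
    _entry("2021-01-05T10:00:00.400Z", "https://tracker.vendor-b.example/collect?e=view",
           [("Set-Cookie", "uid=abc123; Max-Age=31536000")]),
    _entry("2021-01-05T10:00:05.000Z", "https://tracker.vendor-b.example/collect?e=click"),
]}}

def _ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_third_party(host, first_party):
    # Assumption: the site owns exactly one domain and all of its subdomains.
    host = (host or "").lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))

def preconsent_third_party(har, first_party, consent_time=None):
    """Map each third-party host contacted before consent_time to a summary.

    consent_time=None means the user never consented, so every request counts.
    """
    cutoff = _ts(consent_time) if consent_time else None
    findings = {}
    for entry in har["log"]["entries"]:
        if cutoff and _ts(entry["startedDateTime"]) >= cutoff:
            continue  # request was made after the user consented
        host = urlsplit(entry["request"]["url"]).hostname
        if not is_third_party(host, first_party):
            continue
        headers = entry.get("response", {}).get("headers", [])
        rec = findings.setdefault(host, {"requests": 0, "sets_cookie": False})
        rec["requests"] += 1
        rec["sets_cookie"] |= any(h["name"].lower() == "set-cookie" for h in headers)
    return findings

if __name__ == "__main__":
    for host, rec in preconsent_third_party(
            SAMPLE_HAR, "example.com", "2021-01-05T10:00:03Z").items():
        print(host, rec)
```

Any host this reports needs either a consent gate in front of it or a documented legal basis; hosts with `sets_cookie` set are the ones that stored an identifier before the banner was answered.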
What can we expect in 2021?
Legal developments aside, voices in the market are getting louder, calling for the death of cookies. These developments do not in any way render technical upgrades obsolete. It is certainly true that a trend in 2021 is moving away from third-party data to first-party data; that is, data harvested by the company itself which is not subsequently passed on to third parties. But in this case too, cookies or similar technologies are placed directly on the website and therefore require the specific consent of the user. The motto “Better safe than sorry” therefore applies here as well.
Compliance & Marketing in Harmony
Munich technology company Usercentrics is a market leader in the field of Consent Management Platforms (CMP). The SaaS solution from Usercentrics enables companies to gather, manage and document consent provided by users on all digital channels such as websites or apps – and achieve high opt-in rates in the process. This guarantees compliance with current and future international data protection guidelines such as GDPR, ePrivacy Regulation and CCPA and enables it to be integrated into the marketing and data strategy. Since its founding in 2017, the company has grown strongly and now has over 300 enterprise customers including Commerzbank, Fitness First and Telefonica. Further information can be found at usercentrics.com.