« Do I need to collect consent? » – Mythbusting marketing obligations in a GDPR and CCPA era

May 5, 2020 by Yannig Roth

Any marketer even remotely interested in the legal landscape around 2016 heard all sorts of claims about GDPR. The regulation would be the end of newsletters, of solicitations, of targeted advertising. Companies would face tremendous fines if they failed to become compliant within a year. Two years after GDPR came into effect, marketing still exists and internet users see only two differences from how it was before: fewer pre-ticked boxes in registration forms, and more cookie consent notices every time they visit a website. Customer experience has become more tedious, while marketing departments are still unclear on how to handle data collection and processing in a compliant way.

Why are marketers so concerned with GDPR?

Following digital transformation trends, most marketing departments have been relying on data collection to follow prospects, create campaigns, feed their CRM and target their visitors with massive emailing campaigns. The arrival of GDPR changed the trend and set new rules, particularly with regard to the collection and use of personal data. For marketing departments, frantic data collection as a whole is now called into question, with two main concerns:

  • what are marketing departments allowed to collect?
  • when should marketers ask their prospects for permission, and what for?

While hundreds of blogs and whitepapers have been written about these questions, the answer is simple: you can collect anything, as long as you have good reasons to do so. And a good reason, in GDPR language, is called a legal basis.

What is a legal basis?

The legal basis is the legal ground that allows a company to carry out any data processing. Article 6 of GDPR lists the 6 possible legal bases, but companies usually operate within one of the following:

  • Performance of a contract to which the data subject is party
  • Legitimate interest of the data controller
  • Consent

This is why the department of operations at an insurer can collect so much personal data about their customers: they are performing a contract with the data subject. 

On the other hand, marketing carries more complexity when it comes to picking a legitimate basis for personal data, because most marketing interactions happen before a contract is set between the company and the customer. In most cases, the data processing carried out by the marketing team relies either on (1) the “legitimate interest” of the company, or on (2) explicit user consent.

Legitimate interest means that the company collects and uses data to perform a definite action that benefits it, like prospecting, raising awareness, or improving its service. Legitimate interest is therefore the most flexible legal basis: the company can carry out data processing as long as it has a definite purpose in mind, and this purpose is not overridden by the individual’s interests, rights, or freedoms.

But then comes the next question: how to translate this into an actual way of doing marketing? Who sets the limit? Legal questions like this one are anything but common sense for most professionals.

It is often a gray area: the company has a legitimate interest in raising awareness about its products, but this interest is not important enough to justify collecting all the lifestyle and habits data of its customers. Yet determining the right amount of data and the collection methods that fit this balance is complex. Thus marketers usually decide to rely on consent to carry out their data processing activities.

Relying on consent comes with other concerns: Do customers have to consent to receive each new campaign? Is consent valid for all types of processing? Should marketers ask for the same consent periodically?

Validity of consent

While GDPR sets a limited number of principles with regard to the validity of consent, operational staff have a hard time translating them into actual marketing elements. Section 4 of GDPR sets out the following principles:

Consent should be freely given

The data subject must be able to say no. They can choose to consent or not to consent without suffering degradation of service or other negative consequences if they refuse. For example, when downloading a whitepaper that will be communicated by e-mail, making the receipt of the e-mail conditional on the provision of other personal data (surname, first name, position, company, etc.) does not allow the data subject to consent freely. This is precisely why – to download our whitepaper – we only ask for your email address!

Twitter became famous for its “worst practice” of free consent, by offering its users the option to unsubscribe if they refused the Terms and Conditions. Those terms and conditions contained the principles of data collection and use, which cornered users into consenting to everything if they wanted to use the service at all.

Consent should be specific

The data subject consents to the processing of a specific type of personal data for a clearly defined purpose (a single purpose, for a single processing operation, in GDPR's words). It should be clear which processing you intend to carry out and are asking consent for. Each purpose thus requires its own specific consent: if a company wishes to use a prospect’s e-mail address to send them other relevant whitepapers, and to communicate this address to a partner who would also like to send promotional content, the two consents must be requested separately, with a clear distinction between the purposes. The data subject must be able to say yes to the first, and no to the second.

Consent should be informed

Informed consent means that the data subject knows who is processing the data, what will happen to the data, the purpose of the processing and how they can change their mind and withdraw their consent. Sadly, this is where we see the worst implementations: instead of improving transparency, it results in a list of bullet points with generic information that checks the boxes of GDPR without respecting the spirit of the law. If you want to collect consent according to the rules of GDPR, you should clearly state who handles the processing, who decides what the data will be used for, why this or that type of data is collected, and how the data subject can withdraw their consent if they change their mind about the processing. And anyone should be able to understand that information without reading a two-page-long pop-up.

Consent should be unambiguous

In a word, there should be no doubt that the data subject has given their consent. Pre-ticked checkboxes, dark patterns, passive consent (“by continuing to browse this website, you accept…”), or any other design that discourages or prevents the person from making a positive act of consent will invalidate consent. According to GDPR Recital 32, “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

How to create a seamless GDPR-compliant user experience

This is the theory. In practice, most companies are struggling to integrate compliance into their user experience. They try to be serious about consent, and add pop-ups to their website, send periodic emails or push notifications. As customer journeys have grown increasingly complex, they end up asking for the same consent three times on three different channels.

CRM software and GDPR: a failed match

Usual marketing tools like CRM software have not been designed to take into account consent and privacy issues. Their monolithic nature incentivizes marketing teams to ask for the same consents again and again, to fail to respect customer choices from one device to another, and to create discontinuity between the Web, mobile and offline experience. Best case scenario? Creating segments, tags and custom emailing campaigns to deal with consent issues.

Marketers juggle emails and forms to deal with consent issues, even though these means are detrimental to the seamlessness of the customer experience as a whole. It also adds complexity when a customer requests erasure of their data: the marketing team will have to dig through CRM notes, segments or attachments and manually make changes, hoping no mistake will be made in the process.

While marketing teams understand the need to streamline data collection, it is perceived as additional and unfair complexity that does not benefit them.

Ensure GDPR compliance with a Preference Center

The best practice to ease consent collection and respect GDPR obligations is to put a Preference Center in place, in addition to the traditional CRM. Brands are increasingly adopting Preference Centers, as we describe in our Preference Center Barometer. Besides plain GDPR compliance, it helps centralize information about customer preferences and data collection in one place, acting like a Single Point of Truth for marketing teams. Integration with other marketing tools like CRM software is seamless, ensuring accuracy and real-time updates of customer data.

The team has an overview of permissions, consents and preferences for every prospect in the database. This information is also made available to the customers, giving them control over what they want to share and under which conditions. From a transparency point of view, the gains are tremendous. From the marketing point of view, it also ensures better data quality: customers can withdraw consent if they deem it necessary, correct wrong or outdated information, and indicate the channels of communication they prefer.

For French-speaking visitors:

We are hosting a webinar about Preference Centers on May 13th.
