Things have changed, but not changed.
The latest draft of the EU’s E Privacy Regulations was published last month, ahead of a planned discussion to ratify it. Planned here is the operative word, as it’s likely the discussion will be delayed due to coronavirus.
Ironically, coronavirus is also probably the reason why few people have reviewed the draft as on the face of it there appears to have been a major concession to business within its pages. If you read the detail though, it hasn’t altered significantly.
Practically speaking, this latest draft is still a fairly sensible and pragmatic balance between the rights of the individual on the one hand, and the reasonable needs of businesses on the other.
Gaining consent for data use
Gaining consent is regarded as the gold standard in terms of legal bases to process personal data. But it’s also the one that has scared the largest number of marketers. Many have perhaps been hoping that the less scary “legitimate interest” bases might be given greater prominence for some types of processing.
And so, there was (perhaps) feverish excitement in marketing departments across Europe when they perused the much-anticipated text.
In my imaginary marketing office, the Junior Marketing Exec (because it’s always him that gets to read the “boring” stuff, like legal requirements) does a double-take on reaching page 35 of the dense legalese.
Then a light-bulb moment, picturing the elation on the Marketing Director’s face when he can tell her; she will definitely crack open the Champagne/Prosecco/generic grape juice/Vimto concoction* and probably promote him to Marketing Manager (Admin) with immediate effect.
(*delete as appropriate according to the extravagance of the Marketing budgets.)
What seems to have changed in the EU E-Privacy Regulations?
The EU Council, whose draft it was, proposed a change so that the processing of metadata (like location data and associated setting of cookies on devices) could rely on ‘legitimate interest’.
Yes, ‘legitimate interest’, rather than consent.
On that basis, a company can decide whether it has a legitimate interest in processing the data and does not have to ask for permission from the individual to do this. Previously, the setting of all cookies was strictly under consent only.
This sounds like a huge change. (Junior Marketing Exec reaches for the Bollinger.)
Until you read on…
(Junior Marketing Exec puts Bollinger back, reaches for the Capri Sun!)
There are conditions attached to this processing loophole, making it nearly as tight as the rest of the document.
What does legally using data for ‘legitimate interest’ mean in practice?
There are several important criteria attached to ‘legitimate interest’. The first few seem fair enough, and eminently achievable:
- You need to conduct a Data Protection Impact Assessment (DPIA) and inform the relevant supervisory authority.
- You need to implement appropriate security measures, such as encryption, to guarantee the privacy of the end users’ data.
- You also can’t share this metadata with additional third parties; again, this is probably fairly straight-forward for most scenarios, although it means you have to make sure you can split data you might be able to share (based on consent) and those that you can’t. But you could probably sort that out.
However, you would also need to explain to the end users what you are doing with the data. This is where things start to get a bit trickier.
You already need to explain what you are doing with the rest of the data (to gain consent). Now, you also need to explain what you are going to do with the information that you have decided you don’t need consent for, which you would almost certainly have to do at the same time from a customer experience point of view.
This means you will have a curious scenario where you are compelled to explain why you are asking for permission for some data and not others.
Consumers are already very sensitive to misuse of personal data, and less trusting of organisations generally.
So you now run the risk of immediately raising suspicions in users’ eyes, with them thinking “what are you really using the data for?”
Furthermore, you also need to give the end user the right to object to such processing. This would complicate your processes, because having got people to opt-in (via consent) for most things, you now have to set up an opt-out process for another data set.
That’s not the end of it.
What can (and can’t) you do with data obtained under ‘legitimate interest’?
The biggest challenge is what you can do with the data once you’ve (legally) obtained it.
The EU E-Privacy Regulations amendments are clearly designed to accommodate the types of actions where the exact identity of the customer or user is not of paramount significance – information on software fixes that might help improve the security of the software service provided to customers is one example.
Or information that could help to prevent fraud is another.
Both of these specific examples seem reasonable to process without relying on consent and where there is a genuinely legitimate interest.
Another interesting one is where content is provided without payment by the end user, so that freedom of expression and the press can be protected.
But as soon as you want to amend something for the end user or target them in any way, you explicitly can no longer rely on legitimate interest.
The new clause specifically states you can’t “build an individual profile” based on this, nor more widely to “determine the nature or characteristics” of an individual.
This means as soon as you try and use the information for the profiling/targeting/segmenting of customers, you have to have consent.
The crucial question in relation to the processing of personal data is still how you, as an entire organisation, intend to use the information. If you are happy using it solely to measure your audiences, with no direct action on the back of that, then there may be ways in which the new draft gives you greater resource to have “legitimate interest” as a basis for processing than previously.
However, if you wish to take any form of action on the back of that, whether that’s to target explicitly or to build any sort of profile based on an individual’s personal information, then you will need to get consent from the individual.
The two main post lockdown trends affecting business data needs
All of this already made a lot of sense on March 6, when this draft was published, and when we might now class as ‘pre-lockdown’. Since March 6, the world has changed. In this ‘brave new world’ (a quote from Shakespeare’s Tempest, which suddenly seems extremely relevant and contemporary), we are likely to see two trends which will make this even more crucial.
1. Everyone is now an online consumer.
For example, my parents, who are over 70, are now consistently shopping online for the first time. The Internet has, to paraphrase an advertising slogan from the decade when the last pandemic (AIDS) hit, reached the parts of society other channels cannot reach.
Just when we had assumed that internet penetration had reached saturation point, we now have additional consumers finding new digital experiences. And this group, who might tend to be more elderly, infirm, or perhaps more at risk in society, will want to know that their rights are not being infringed.
2. Consumers demand more, but trust less
Secondly, more generally, consumers are getting more demanding, but also less trusting. Having been ground down by years of exploitation, as demonstrated by the Cambridge Analytica scandal, there is now a new threat by which to evaluate the trade-off between giving data and receiving value in return.
With some governments looking to use location data to understand how many citizens are breaking lockdown requests, including stories of French police using the fitness app Strava to capture those who are breaching the ‘one exercise trip a day’ rule, this debate is on the cusp of reopening.
With consumers trusting less, and the profile of data usage by the authorities (whilst entirely legitimate) getting higher, the risk for organisations to be seen as anything less than transparent and honest about data usage is greater than ever.
Gaining consent and treating digital consumers with respect in order to win trust will be vital (and, for once, that’s exactly the right word) in the post-Covid world.
This draft legislation just happened to have the foresight to get the balance right before Coronavirus struck in earnest.
Let’s hope we all continue to get the balance right over the next few months as we help defeat the virus and return to the (new) normality.