Since November 2017, iWelcome has been researching how the main GDPR requirements have been adopted, seen from the customer's perspective. We have tested the online services of 89 European organisations across 7 countries and 6 industries.
The State of Adoption: is Law really Law?
In our latest research round we found that the basic GDPR requirements are in place: 'right of access', 'right of rectification' and 'right to withdraw' have been implemented by 92-96% of the organisations tested.
The more advanced requirements, by contrast, have hardly been implemented. 'Data retention' (43%), 'privacy by default' (59%) and especially 'consent' (12%) fall well short of what the law requires. Judging by the pace of adoption, these requirements are being treated as nice-to-haves, when in fact they are part of the law and should be treated as such.
The proposed ePrivacy Regulation, which is expected to replace the current ePrivacy Directive, puts even more emphasis on consent. Under GDPR there are several legal grounds for processing personal data (among them legal obligation, contract, legitimate interest and consent); under the ePrivacy rules, consent is the primary basis for most processing of electronic communications data and for storing or reading data on a user's device.
Worse, some organisations actively circumvent the intent of the law. The Norwegian Consumer Council's report 'Deceived by design' examined the consent settings of Google, Facebook and Microsoft's Windows 10. The results are shocking: these services use dark patterns, interface techniques and features designed to nudge users towards the most privacy-intrusive options. This is unethical and not in accordance with GDPR, and legal complaints against these services are being prepared.
Four reasons why Consent implementation has not yet taken off
Yes, there is tension between the short-term interests of digital marketers and privacy regulation. But what are the main reasons consent implementation has not taken off? We believe four root causes are in play:
1. Lack of architectural view for digital consumer-facing services
Digital departments have always been relatively independent, as they are responsible for top-line business. Under the privacy laws, proper governance over customer identity data, and especially over consent, requires an architectural view of a scattered landscape of front-office and back-office applications. As with internal IT, there is a need for a single source of truth for identity data.
2. It’s a multi-disciplinary game which makes things complex
Implementing privacy and consent is a multi-disciplinary effort involving several personas: the Head of Digital (responsible for the business), the Data Protection Officer (responsible for compliance with the privacy laws), the Chief Information Officer (responsible for the IT landscape) and the Board (responsible for the business as well as for reputational risk). Getting these disciplines together is not easy. Handled well, though, it gives you a competitive edge.
3. The right technology is missing to handle consent
The architectural approach hinted at earlier should be combined with new technology to handle consent. Consent needs to be specific and recorded per user attribute; there can be multiple processing purposes, each valid for a certain period of time. This requires a data model with metadata per attribute. A strong foundational concept is NISTIR 8112 (Attribute Metadata). Because consent can be registered at various touch points in the customer journey and is needed in various back-office applications, interfacing technology is needed as well: a 'Consent API', and preferably a standard one. Such a standard is under development in the Kantara Initiative's Consent & Information Sharing Work Group, which also produced the Consent Receipt specification.
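To make the data model concrete, here is an added example (written for this page, not iWelcome's product code and not the NISTIR 8112 or Kantara Consent Receipt schema; the field names, the `ConsentStore` class and the sample subject "user-42" are this example's own assumptions). It records consent per attribute and per purpose with a validity period, keeps withdrawals as history rather than deleting them, and answers the question a back-office application actually has to ask: "may I process this attribute for this purpose at this moment?"

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent decision: one data subject, one attribute, one processing purpose.

    Field names are this example's own choice, not the NISTIR 8112 or
    Kantara Consent Receipt schema (assumption).
    """
    subject_id: str
    attribute: str                   # personal-data attribute, e.g. "email"
    purpose: str                     # one specific processing purpose, e.g. "newsletter"
    granted_at: datetime
    expires_at: Optional[datetime]   # None means no fixed end date
    source: str                      # touch point where consent was captured
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    """Append-only consent register: withdrawals are recorded, never deleted,
    so the history stays auditable."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, subject_id: str, attribute: str, purpose: str,
              at: datetime, valid_for: Optional[timedelta], source: str) -> ConsentRecord:
        expires = at + valid_for if valid_for is not None else None
        rec = ConsentRecord(subject_id, attribute, purpose, at, expires, source)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, attribute: str, purpose: str, at: datetime) -> int:
        """Mark every active record for this (subject, attribute, purpose) as withdrawn.
        Returns the number of records affected."""
        count = 0
        for rec in self._records:
            if ((rec.subject_id, rec.attribute, rec.purpose) == (subject_id, attribute, purpose)
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                count += 1
        return count

    def is_permitted(self, subject_id: str, attribute: str, purpose: str, at: datetime) -> bool:
        """True only if some record for exactly this attribute and purpose was granted
        on or before `at`, has not expired by `at`, and was not withdrawn by `at`.
        A grant for another purpose never counts: consent is purpose-specific."""
        for rec in self._records:
            if (rec.subject_id, rec.attribute, rec.purpose) != (subject_id, attribute, purpose):
                continue
            if rec.granted_at > at:
                continue
            if rec.expires_at is not None and at >= rec.expires_at:
                continue
            if rec.withdrawn_at is not None and at >= rec.withdrawn_at:
                continue
            return True
        return False

    def history(self, subject_id: str) -> list[dict]:
        """What a 'right of access' request would return: every decision, withdrawn ones included."""
        return [vars(r).copy() for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Constructed sample data: one subject, two attributes, two purposes."""
    t0 = datetime(2018, 7, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    store = ConsentStore()
    store.grant("user-42", "email", "newsletter", t0, 365 * day, "checkout-form")
    store.grant("user-42", "location", "store-finder", t0, None, "mobile-app")
    withdrawn = store.withdraw("user-42", "location", "store-finder", t0 + 10 * day)
    return {
        "newsletter_within_period": store.is_permitted("user-42", "email", "newsletter", t0 + 30 * day),
        "newsletter_after_expiry": store.is_permitted("user-42", "email", "newsletter", t0 + 400 * day),
        "email_for_other_purpose": store.is_permitted("user-42", "email", "profiling", t0 + 30 * day),
        "location_before_withdrawal": store.is_permitted("user-42", "location", "store-finder", t0 + 5 * day),
        "location_after_withdrawal": store.is_permitted("user-42", "location", "store-finder", t0 + 20 * day),
        "withdrawn_records": withdrawn,
        "history_entries": len(store.history("user-42")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the purpose check is the one the paragraph makes: consent given for one use of an attribute does not carry over to another, and a back-office application should get a "no" rather than silently reuse data collected at a different touch point. Keeping withdrawn records makes both the access request and the audit trail answerable from the same store.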
4. ‘Legitimate interest’ as excuse for not having to ask for consent
Digital marketing has shied away from implementing consent in digital services, hiding behind 'legitimate interest'. In real life there are plenty of good examples of consent interaction. Together with UI/UX designers we see very user-friendly examples, typically specific to a culture and an industry. Two best-practice concepts are being applied. The first is just-in-time consent: asking for consent at the right moment in the customer journey, in the right way, with a clear value for the consumer: “Can we have your <>, so we can <>?”. The second, equally important, is to build the consent interaction along the lines of 'fail early, learn quickly', typically through A/B testing that starts with small test groups and expands to larger ones.
Don’t worry: Consent is here to stay!
For everybody who doubts it: consent is here to stay! For everybody who tries to get away with 'legitimate interest' or with misleading design patterns for consumers: watch out for the authorities and for activist consumers!
For the brave, who want to work for their customers, build trusted relationships and offer marketers 'actionable consumer data', there is good news. The industry is learning fast and tools are improving. That means plenty of new opportunities to beat the competition with mature customer journeys and safe, convenient consent management!
VP Alliances and Corporate Development at iWelcome
Maarten brings more than twenty years of experience in Identity & Access Management. Before joining iWelcome, Maarten was co-founder and owner of BHOLD, a role-based access control software vendor acquired by Microsoft in 2011.
Feel free to repost this blog on your website or social channels! When you do, please mention the source and let us know via firstname.lastname@example.org.