Pop-ups asking us for our consent to website cookies have increased since GDPR came into force. However, a new study shows that many of these pop-ups could actually still be in breach of GDPR.
The study, titled: “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, focuses on the requirement for informed consent. According to an article from Telecoms.com:
The issue this study seems to have been conducted to address concerns how much information people are supplied with when asked for their consent, as well as the matter of presumed consent – i.e. opt-out as opposed to opt-in. In many cases this process is managed by third party consent management platforms (CMP), and that’s what the study focused on.
“We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” says the abstract to the report. “We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices.
“We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22–23 percentage points; and providing more granular controls on the first page decreases consent by 8–20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.”
You can read the full article from Telecoms.com by clicking here.
The study found that, in the majority of cases, people are not given enough information to consent. If consent is not sufficiently informed, it does not meet the standard GDPR requires.
In fact, GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Cookie and similar consent pop-ups that do not meet these criteria are not GDPR compliant, which puts the websites and companies behind them at risk of being penalised.
Unsure of how consent or other lawful bases for storing and processing data under GDPR work? Want to improve your compliance programme? Contact us today; our GDPR consultants can provide expert advice.
France’s data regulator, CNIL, has fined Google £44 million (50 million euros) for a lack of transparency over collecting data to personalise ads for users. This is a record fine resulting from complaints brought by two privacy rights groups, noyb and La Quadrature du Net. So what else do we know about this Google GDPR fine?
- The official reason given by CNIL for the fine was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. In short, people were “not sufficiently informed” about how their data was being collected.
- The key thing here is that Google was not obtaining clear consent for the gathering of this data. “The relevant information is accessible after several steps only,” stated CNIL. “Users are not able to fully understand the extent of the processing operations carried out by Google.”
- In addition to this, Google did not have a valid legal basis for gathering this data. In effect, not only was the process by which they were collecting users’ data insufficiently clear, they were also unjustified in doing so.
- The first complaint was filed as soon as GDPR came into effect on 25 May 2018. Google’s preparations for the new data protection laws were clearly insufficient as they were found to be in breach of them.
- Google is now considering its next steps after the decision from CNIL. However, it’s likely that any actions taken now will be too late – measures should have been taken before GDPR came into effect, not after.
This Google GDPR fine ought to be a big wake-up call to corporations that handle user data. As we’ve reported, Facebook has suffered numerous data breaches both before and after GDPR was brought into force; what penalties it might suffer have yet to be seen.
For more information on the Google GDPR fine and its ramifications, see the full story by clicking here.
If you’d like to ensure that your business or organisation is GDPR compliant, contact Activa Consulting today. Our GDPR Gap Analysis will help you to prevent data breaches, and therefore avoid costly fines and penalties.
GDPR represents many changes, opportunities, and difficulties for all organisations, whether based in the EU, or not. What all organisations must have in common, though, is the need to be active in implementing GDPR, especially when it comes to consent. GDPR and consent go hand in hand…
An organisation cannot assume that consent given previously is automatically still valid under GDPR, but that alone does not mean it has to obtain entirely new consents. Consent cannot be acquired or assumed from inactivity, silence, a lack of response, or pre-ticked boxes (i.e. a tick box the data subject has to un-tick; they must be given the option to tick the box themselves, not the other way around).
Acceptable forms of consent must be provided by the individual knowingly, actively, and explicitly. No ambiguity can be involved: the wording of what one is signing up for must be precise. This makes things slightly harder for organisations, but not dramatically so. As with most of the GDPR’s provisions, the power lies with the data subject. Organisations must provide individuals with the tools to make their choices (sign-up forms, tick boxes, etc.). This cannot be ignored.
Acquiring consent, or providing the means for data subjects to give it, is not the biggest challenge. That is evidencing the consent: once an individual provides some form of consent, you must retain the evidence of it.
This is vital if a data subject questions why they are receiving something: you can provide them with proof of their consent to resolve any dispute. The data subject can then request that their data be changed, or that it be deleted. This is also an example of how Data Subject Access Requests can lead into one another: 1. the right of access, then 2. the right to rectification or the right to be forgotten. Of course, an employee must be able to recognise these requests immediately and act on them. (There is a further step for those working outside the EU: they must also identify whether the customer is in the EU.)
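As an added illustration (not code from the Activa article or any real product), here is a small consent register that enforces the rules above in a sign-up flow: consent is stored only on an explicit affirmative action, never from a pre-ticked or untouched box, it is recorded per purpose rather than as one blanket consent, and every consent and withdrawal is retained as evidence. The class names, purpose labels and sample values are assumptions made for the example.

```python
# Added example, not from the Activa article. All names and values are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one purpose per record, e.g. "marketing_email"
    given: bool             # True = consent given, False = consent withdrawn
    notice_version: str     # which privacy notice the subject was shown
    method: str             # the affirmative action, e.g. "signup_form_checkbox"
    recorded_at: datetime


class ConsentRegister:
    """Append-only register; current status is the latest event per subject/purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       method: str, ticked: bool, pre_ticked: bool,
                       now: Optional[datetime] = None) -> Optional[ConsentEvent]:
        # A box the subject had to un-tick is not a valid indication of consent,
        # so it is rejected outright rather than stored.
        if pre_ticked:
            raise ValueError("pre-ticked boxes cannot evidence consent")
        if not ticked:
            return None  # silence / inactivity: nothing to record as consent
        event = ConsentEvent(subject_id, purpose, True, notice_version, method,
                             now or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 now: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is logged, never deleted, so the history stays provable.
        event = ConsentEvent(subject_id, purpose, False, "n/a", method,
                             now or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        history = self.evidence(subject_id, purpose)
        return bool(history) and history[-1].given

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        # The proof shown to a data subject who asks why they are receiving something.
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]
```

Because the register is append-only, a withdrawal does not erase the original consent record, so the organisation can still show both when and how consent was given and when it ended.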
There are various exceptions to the rule, as always. If an organisation is legally required to hold the data, consent is not required for the processing to be completed. In that case there must be a mutual interest or benefit to both the organisation and the data subject. Compiling a financial report is one example of an exception: a financial report requires data provided by data subjects (location, amount spent on a product), and this analysis ultimately benefits both the organisation and the data subject, even if it is beneficial in different ways.
The way consent works under GDPR is changing; not hugely, but it could become confusing. We at Activa can provide the support you need to implement GDPR compliant measures for consent, or anything else. Get in contact with us now for a quote using the form on the right!
For more reading on this subject, check out this link: https://dma.org.uk/article/innovative-approach-to-refreshing-consent-ready-for-gdpr
With GDPR coming into force in May 2018, you’ll be asking yourself “how does this affect me?” and “how will I need to implement GDPR in my business?”. Here is the process for implementing GDPR in a large organisation, a process that you will need to undertake.
Here’s how you start.
- Find out what personal data your organisation holds – every type, every place, every database, every filing cabinet, every back-of-envelope-with-a-phone-number-scribbled-on-it.
- Determine what, out of all this information, is PII – Personally Identifiable Information. That is, information that could be used to identify a real individual human being.
Next, make use of your organisation’s internal resources, first of all by talking to its lawyers. This is to establish a legal basis for whatever data you process. There must also be some form of “data mapping” (to identify exactly what information is stored where, and how it is processed, transferred and secured), a Privacy Impact Assessment covering the risks around that data and responsibilities in the event of a breach, and a steering group to ensure that the whole organisation plays its part in this transition. After this, we need to know exactly who in the business to talk to. Do we need to bring our related companies or other legal entities together? Which countries are they based in and/or operating in (the process differs in each country)? And so on.
Here is a brief list of departments we want/need to talk to early on in the GDPR implementation process:
- Legal/Lawyers – You’ll have to talk to lawyers early on to set a clear scope for the project, what’s in, what’s out, and why.
- Human Resources
- Support/customer services
- Internal audit
This relates to people’s concerns about, and reliance on, consent to process PII (https://activaconsulting.co.uk/testimonial/pii-personally-identifiable-information/). Explicit consent is needed for anything related to health, medical data, and child data, for example. This is to avoid circumstances in which data subjects are unable to provide it, and so avoids a service provider depending on data subjects for consent.
Once a legal basis has been established for processing the data, we can then take a look at the data. Here’s what we need to ask ourselves when processing the data…
- What data have we got?
- Where does this data contain PII?
- How do we collect it?
- What do we need to collect?
GDPR does not allow one consent to cover everything; consent must be granular. This rolls into privacy notices:
DATA PRIVACY NOTICES (DPNs) AKA FAIR PROCESSING NOTICES – https://activaconsulting.co.uk/testimonial/dpns-data-privacy-notices/
We need Privacy Notices at every point of contact we get with the customer. Privacy Notices need to document:
- What it is we’re collecting
- Why we’re collecting it
- Who’s the controller of the data
- And who’s the processor (irrespective of whether this is an internal or external resource; it could be via a third-party contract, for example)
We must also conduct Privacy Impact Assessments (https://activaconsulting.co.uk/testimonial/pia-privacy-impact-assessment/) to apply to all the data maps we created during the early steps of this implementation process. These assessments will tell us:
- If we hold any PII
- Whether it’s financial data
- How the data is protected (whether it’s encrypted, for example)
- And if the data is anonymised or pseudonymised.
Again, this can and will differ between countries, just like the initial assessment of how data is processed. It will depend on the country in which the organisation sits. Some countries have more relaxed rules on data protection, while others are much stricter.
Once this is complete, we know:
- Where the data is.
- Who has it and who has access to it.
- And how safe the data is.
This then gives us a good indication of where we need to start our work. Knowing those three things means we can move on to the next step.
And that next step is to undertake a “Gap Analysis” …
At Activa we’ve delivered GDPR compliance projects for large organisations including Munich Re and Cigna. Contact us now using the form on the right to bring our expertise into your organisation.
Next article: Making a Gap Analysis for Implementing GDPR Compliance in a Large Organisation.