Understanding the GDPR in an anonymous context
There are many websites that will explain in detail their interpretation of the full GDPR law and its implications for your website. In them, you may encounter wishful interpretation or flawed application of the text of the law. Often, the law is explained in such a way that it appears to still allow you to track your visitors without consent, or that a permission wall at the start of your website experience is the right approach.
Sadly for data harvesters, there is little actual room in the GDPR for interpretation, and in many cases the law can be applied successfully inside a business that deals with consumers from the EU. Cookie walls are out, tracking without consent is out, and gathering consent the wrong way will eventually get you fined. The law has, however, not dealt clearly with the case in which an anonymous visitor comes to your website and you start tracking that visitor's activities based on technical data like an IP address.
Many parts of the law are phrased as if you will always know who your user is. Take the 'right to be forgotten': you cannot forget or remove an anonymous user, identified only by an IP address, from your website logs and tracking apps unless you first require them to provide further proof of their identity and of their link to that IP address.
Other parts of the law likewise assume that you, as a business, have a known relationship with the data subject. In the case of a website you do not know who these people are, yet you are bound by the same rules that govern known business-consumer relationships.
So the question becomes: what can and should you do as a website operator to be GDPR compliant towards unknown visitors?
- Do not load any non-essential technology that collects personally identifiable information (PII) until consent has been given freely, in an informed way and in plain sight.
- The consent must be supported by statements from you about the goal of the data collection (which should be specific), the period you will retain the data, where you will store the data and exactly which data you are collecting.
- Consumers who have consented to certain data processing have the right to withdraw that consent. Your website should provide an option to manage consents. You are still allowed to keep the data on record, but no longer to use it.
- Consumers have the right to ask you which data you hold on record about them. This also includes technical information like IP addresses that exists in logs, marketing automation platforms or analytics tools.
- Your website should provide a mechanism that allows anonymous consumers to request the removal of all information you have on record for them, including the technical data you have gathered about them.
These first five points are not very pleasant to the ears of today's online marketeers. The GDPR is considered annoying, and some believe it prevents online businesses from understanding their customers. The GDPR, however, arrives after online marketing has developed over the last few years without any legal framework of its own. It is a corrective move to regulate the excesses of the data harvesting market and the personalised advertising and tracking arena, and it carries the political weight of affairs like Facebook-Cambridge Analytica, in which personal data was used to influence an election campaign in the USA.
During my daily work in a web service company I am confronted with a variety of attitudes towards the GDPR requirements. People are either confused about the rules, indifferent until fines get handed out, or just plain upset that they are not allowed to track everything anymore.
The bottom-line reality of the GDPR for online marketeers is:
It's not your data, ask nicely to use it.
So how has that gone down since enforcement of the law began in May 2018? There is a basketful of approaches to implementing the GDPR for the web and its anonymous visitors. A number of these solutions are actually not GDPR compliant, but will stay in place until authorities start enforcing the law for real.
The following list represents the current implementations, in order of possible validity from bad to good:
- Saying you are GDPR compliant and still loading all your tracking and external services without any consent.
- Doing nothing and loading all your tracking and external services without any consent.
- Throwing up a wall where visitors must first agree to the collection of personally identifiable information (PII) before seeing the site.
- Throwing up a notice that states that you are going to place cookies if the visitor continues using the site.
- That notice is silly because the GDPR doesn't require you to state which technologies you are using, but where, for how long and why you are storing their PII.
- The cookie notice is a requirement from laws back in 2008. It is ironic to see these notices appearing now, motivated by a wish to comply with the GDPR. Although there is nothing wrong with a cookie notice, you still cannot claim consent because visitors continue to use your website; you need an explicit agreement.
- Offering opt-out consents instead of opt-in consents for the use of PII. Opt-outs are not allowed under the GDPR; you cannot assume consent to begin with.
- Using an externally loaded consent mechanism like Cookiebot or Trust. These services start by loading an external script, and do so without consent. These services are not essential technology: the website would work just fine if you did not install an external consent tracker.
- Actually asking for consent with a tick-box for each individual processing of PII that is collected on forms.
- Actually asking for consent before running tracking and analytics technologies in the webpage.
- Only asking for the above consents in the context where they are needed, and providing a mechanism to retract given (anonymous) consents.
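The last three items describe a first-party consent gate: non-essential scripts are declared but not loaded, injected only after an explicit opt-in, and withdrawal is recorded and blocks further loading. The following is an added example written for this article, not code from the original post or from any consent product it names. The storage key and the in-memory storage and document stand-ins are assumptions made so the logic runs outside a browser; in a real page you would pass `window.localStorage` and `window.document`.

```javascript
// Added example: a first-party consent gate for non-essential scripts.
// Scripts are registered per purpose, injected only after explicit opt-in,
// and withdrawal is recorded so nothing further loads for that purpose.

const CONSENT_KEY = "site-consent-v1"; // assumed storage key, not from the post

function createConsentGate(storage, doc) {
  const registry = new Map(); // purpose -> array of { src, loaded }

  function readState() {
    try {
      return JSON.parse(storage.getItem(CONSENT_KEY) || "{}");
    } catch (e) {
      return {}; // unreadable storage counts as "no consent given"
    }
  }

  function writeState(state) {
    storage.setItem(CONSENT_KEY, JSON.stringify(state));
  }

  function hasConsent(purpose) {
    const entry = readState()[purpose];
    return Boolean(entry && entry.granted === true);
  }

  // Inject every registered-but-unloaded script for a consented purpose.
  // Returns the number of scripts injected by this call.
  function loadPending(purpose) {
    if (!hasConsent(purpose) || !doc) return 0;
    let count = 0;
    for (const item of registry.get(purpose) || []) {
      if (item.loaded) continue;
      const el = doc.createElement("script");
      el.src = item.src;
      el.async = true;
      doc.head.appendChild(el);
      item.loaded = true;
      count += 1;
    }
    return count;
  }

  return {
    // Declare a non-essential script; it is NOT loaded here. The purpose is
    // what the consent UI must explain (what, why, how long, where).
    register(purpose, src) {
      if (!registry.has(purpose)) registry.set(purpose, []);
      registry.get(purpose).push({ src, loaded: false });
      return loadPending(purpose); // loads only if consent already exists
    },
    hasConsent,
    // Explicit opt-in: record when it was given, then load what was waiting.
    grant(purpose) {
      const state = readState();
      state[purpose] = { granted: true, at: new Date().toISOString() };
      writeState(state);
      return loadPending(purpose);
    },
    // Withdrawal stays on record but nothing new loads for this purpose.
    withdraw(purpose) {
      const state = readState();
      state[purpose] = { granted: false, withdrawnAt: new Date().toISOString() };
      writeState(state);
    },
    // For a "manage consents" page: every purpose and its current status.
    summary() {
      const state = readState();
      return Array.from(registry.keys()).map((p) => ({
        purpose: p,
        granted: Boolean(state[p] && state[p].granted),
        scripts: (registry.get(p) || []).map((s) => s.src),
      }));
    },
  };
}

// Constructed stand-ins so the gate can be exercised outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

function fakeDocument() {
  const injected = [];
  return {
    injected,
    createElement: (tag) => ({ tag }),
    head: { appendChild: (el) => { injected.push(el); } },
  };
}
```

Note that withdrawing consent only prevents further injection; a script that is already running on the page keeps running until the next navigation, so a real "manage consents" page should reload after a withdrawal, and the withdrawal record itself is what lets you show the visitor that their choice was honoured.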
Online marketing can now go two ways: it can fight the GDPR, or work with it inside its boundaries. There is an opportunity here to embrace some tried and trusted marketing principles. Not only has the wild west of data usage made marketeers tech-hungry, it has also taken away the creative spirit of marketing. Anyone in online marketing today is probably looking at a Google Analytics dashboard rather than dreaming up the next marketing campaign to push a product or service.
A route forward is to go back to creating and nurturing communities around a product. Do not aggressively track, but cordially invite visitors to become a member of your club, community or VIP lounge. Entice that community and encourage its growth with real product placement for the select few inside it. If you are looking for product feedback later down the road, that group will be more than willing to contribute. We have just had ten years of explosive everyone-marketing online; it's time to get marketeers back into inventing online Tupperware parties where the consumer is the star again.