BY BEN SAPSFORD
The European Union’s General Data Protection Regulation has been in effect for about 6 months now and there have been a number of interesting cases and actions that have come from its introduction. Notably for Google, it lost a case in Finland which set a legal precedent on the “right to be forgotten” – in this case Google had unsuccessfully tried to have the Data Protection Ombudsman’s (DPO) “right to be forgotten” request rejected in Finland’s Administrative Court – more details can be found here. This “right to be forgotten” was discussed in detail by Southpac’s Compliance Officer Andrew Tarpey; read more in his article here. Twitter has also found itself in hot water regarding non-compliance with a GDPR request, denying a request for information on what is tracked when a user clicks a shortened t.co link. This led to a complaint to the Irish Data Protection Commission (DPC), which responded in a letter saying that it would investigate Twitter. A number of data brokers and adtech companies are under investigation for breaching the GDPR ruling; we’re seeing large-scale investigations into credit rating agencies such as Experian and Equifax, with their data gathering and storing process being called into question.
A major part of GDPR was to lessen the various online tracking that a user is exposed to daily and to allow the user to opt out of it. In the marketing landscape, we have seen smaller advertising service providers (such as ad exchanges & publishers) dropping off, as they are unable to keep up with or prepare for the GDPR ruling. The bulk of responsibility is put on these exchanges to ensure compliance – in the legal world we are seeing something similar with AML compliance, meaning a large legal and compliance bill for these small companies. Some simply haven’t been able to meet the obligations put on them by the GDPR and have thus had to fold or significantly lessen their tracking activity – which one would hope is positive from the point of view of a web user. Interestingly, though the overall number of trackers appears to have gone down, this has caused a shift in favour of Google. The web giant has the resources not only to shape the GDPR ruling but to have its house in order well ahead of smaller companies. Indeed, Google is one of the few platforms where there has been an increase in the number of users tracked online.
Google’s advertising services have maintained their market share, while other advertisers across the board have lost.
Interestingly, GDPR has led to an upshift in dark pattern methods when it comes to seeking approval from potential customers. Dark pattern design is a form of advertising or website design that uses a leading or confusing user journey or language to trick the user into accepting something they might otherwise not. At a basic level, this may be an opt-in tick box that is already ticked for you, or a double negative in the language (“wouldn’t you not like to receive marketing updates”). At a more developed level we see things like hidden opt-outs, use of lighter text on a light background to conceal an opt-out, and also testing 41 options of opt-in box colours to find the most often clicked button. A number of complaints around manipulation fall into the “well you are using a free service you’ve not contributed to” category, but there is a website full of examples of websites and services using dark patterns to get people to sign up or continue subscribing to a service they may otherwise not want: https://darkpatterns.org/hall-of-shame
As was said in the previous article on this subject, there are a number of resources that try to make compliance with the GDPR simpler. I reiterate, the general information and codes of conduct are a good place for a small business to start.
Communicating clearly with your customer base and making sure they’re kept up to date with any changes is also key.