
Month: February 2020

Digital marketing in the age of GDPR and ePrivacy

The latest court ruling issued by the Court of Justice of the European Union (CJEU) on 1 October 2019 is loud and clear. It stipulates that an active, explicit and informed opt-in is required before setting cookies or collecting other personal data. Tacit consent is no longer valid. This means that the popular phrase “If you continue surfing now, you agree to your data being processed”, which still appears, can no longer be used.

Until now, many online marketing operators have taken advantage in a cavalier fashion of the lack of any clear regulation. Incredible amounts of data have been collected in an effort to keep an ever closer eye on website visitors. This triggered a situation where digital channels have been littered with ads, spam, bots and cookies. Therefore in 2016, the European Union imposed the General Data Protection Regulation (GDPR) as an attempt to curb this activity. This stipulates that companies must list all files containing personal data. But it was only scandals such as those involving the company Cambridge Analytica, which was supposed to have influenced the US presidential election using Facebook data, that made a wider public aware of the careless or even criminal manner in which data is often handled.

In many places, there was great dismay after the verdict, because warnings are now possible in the opinion of some courts and will increase as a result of this clear verdict. For this reason, every website operator should immediately address this issue and, as a first step, acquire a suitable consent management platform (CMP) which prevents cookies being set before user consent is given and clearly documents opt-ins.

Until now, there were three different ways to obtain consent from website visitors:

  • Direct, explicit consent: This method involves explicit consent being given by the user – usually by clicking on an “Agreed” button.
  • Implicit consent: In this case, consent is given if the user scrolls down the landing page or clicks another button on the landing page.
  • Indirect consent: In this case, consent is considered to have been granted at the moment when the user accesses another page on the same website.

These various methods have a major influence on the respective opt-in rates. Since the GDPR was published, website operators have had plenty of time to try out the methods. However, the years since 2016 have largely passed without any action being taken. In most cases, people have hidden behind dubious legal opinions, looked for loopholes in the law and left users with very limited options to choose from.

The game of legal hide-and-seek is moving to the next stage for many companies, but the CJEU ruling leaves some issues unresolved:

  • Could the setting of cookies be justified on other legal grounds, for example, based on legitimate interests (Article 6(1)(f) of the GDPR)?
  • Who is responsible for setting third-party cookies under data protection law?
  • When do cookies count as so-called “necessary” cookies which do not require separate consent (Article 5(3) of the ePrivacy Directive)?
  • Do users have to actively agree to individual online marketing service providers or at least service provider groups (categories, for example, “analysis”)? This question is of paramount importance. Naming all the service providers involved in the online marketing ecosystem would be a virtually unachievable task.

Does this mean that we can quietly wait until the company’s lawyer or the external data protection consultant has been turned down by a warning or a new court ruling on these matters?

Impact of the CJEU judgment on online marketing

Contrary to what usually happens, marketing managers must act now! Carrying out marketing activities with traditional, cookie-based methods is now very difficult. Anyone implementing the CJEU’s cookie ruling needs to keep their eye on more things than before. Cookies requiring consent must no longer be set before consent is given. According to the law, consent must be active, informed, explicit, specific, voluntary and documented. The process for amending and deleting given consent must also be as simple for the user as that for giving consent.

The impact of the ruling will soon become apparent to many marketing managers, who are now trying to switch from implicit to explicit consent. Commanders Act found in a study that implicit consent has so far reached up to 95% approval, while explicit consent has reached only 37%. In other words, anyone who relies on tracking cookies and is only now switching to explicit consent may lose quite a considerable proportion of their online marketing data unless this activity is professionally supported.

Do Not Track features in the browser and ad blockers make life even more difficult for online advertisers. Google wants to equip the new version of its Chrome browser with special features to protect against cookies and trackers. The browser already has an extension which allows users to set an expiry date for their personal data.

With “Intelligent Tracking Prevention” (ITP), for example, Apple has implemented an anti-cookie strategy in its Safari browser which near enough nips targeted advertising in the bud. Version 2.2 of its ITP feature reduces the duration of tracking cookies from 30 days to 24 hours. ITP is a program which is integrated into the Safari browser to protect against user tracking. Many CMP providers still rely on local storage, i.e. the option to store data on the user’s computer. But from ITP version 2.3 onwards, this should also be prevented, according to Apple.

Consequences

This situation has many different consequences for online marketing managers. It will make performance tracking more difficult unless it is considered a legitimate interest (Article 6 GDPR). In addition, it makes recognizing users of certain browsers (Safari, Firefox) more difficult, and web analysis loses precision as a result. More than this, some forms of online marketing (retargeting, real-time bidding, affiliate marketing) are not only made complicated, but even impossible. This significantly reduces the data advantages which the online channel has over offline channels.

According to a recent study by the World Advertising Research Center (WARC), 61.4% of the global digital advertising budget will go to Google and Facebook alone. This leaves online marketing managers with only a few options for action in terms of using audiences in a different way. At the same time, the younger age group of 12- to 17-year-olds is turning away from Facebook, as the analysis company eMarketer has confirmed. Their number will decrease by 9.1% year-on-year, resulting in a loss of around 170,600 users. This age group’s refusal to use Facebook is expected to continue in the coming years.

Conversely, this means that the shortage of stock at Google and Facebook, as well as more providers bidding for this stock, with fewer alternatives available, will dramatically increase the costs of reach marketing and performance marketing.

Consequences for the digital economy

These developments entail the following consequences. EU operators are losing touch with the US and China – which is also due to a lack of growth prospects and privacy issues they are facing (no more API access for EU operators to data from the Big Tech companies). The only option still left to them is to sue Google, Amazon, Facebook, Apple and Microsoft (under antitrust law), but this involves lengthy litigation and meagre prospects of success.

When it comes to ePrivacy, politicians are still reluctant to make clear rules and statements – especially when it comes to the EU-US Privacy Shield. The EU-US Privacy Shield Framework provides companies with a tool for transferring personal data from the European Union to the United States in a way that is compatible with EU law.

As early as autumn 2018, the European Parliament called on the European Commission to review the agreement. In this regard, EU companies may soon face high risks if they still rely on SaaS providers whose servers are located in the US.

 

Tips and tricks for achieving the best opt-in solution

Tip 1: Think big!

Think big when it comes to the consent banner. The average consent rate is 65% (across all consent types), but there are variations both up and down. The differences between desktops, smartphones and tablets can be explained primarily by the size of the banner. This automatically takes up more space on smartphone and tablet screens. Thirty-seven per cent of all opt-in banners were displayed on a desktop computer, 51% on smartphones and 12% on tablets. As a result, the approval rate for smartphones is 76%, while the rates for tablet and desktop computers only reach 59% and 56% respectively.

Tip 2: Don’t hide your content

The correlation between banner size and opt-in rate is, of course, limited. As soon as the page content is no longer visible behind or under the banner, users tend to cancel their visit instead of giving their consent. This behaviour is particularly pronounced when the banner in the form of a pop-up greys out and covers the entire background, i.e. the contents of the page.

Tip 3: Nobody cares about privacy statements and cookies

Website visitors see the message requesting consent on average 1.8 times before making a decision. This average rate always remains the same, regardless of the final decision (opt-in or opt-out) or the consent method used (direct, indirect or implicit). In other words, users halt their decision-making process the first time they see the banner or pop-up. Just 0.1% of visitors – yes, you have read the figure correctly! – go one step further in a two-step process and look at the privacy statement or more detailed information about the cookies used. However, this percentage is expected to increase in the coming months as more users deal with the issue of data protection.

Tip 4: Keep a close eye on your visitors and industry

Every industry has its own methods of obtaining consent. Legislation (the ePrivacy Regulation is currently under negotiation), technology (e.g. browsers deployed) and user behaviour are in a constant state of flux. They can contribute to design decisions previously made being reconsidered and possibly adapted in the coming months.

Tip 5: Carry out a test!

Carry out an A/B test with the consent banner, with slightly amended functionalities or text each time. Don’t change too much at once in the two variants so as not to make it difficult to measure the effectiveness of individual metrics in a clear way. The A/B test will enable you to find out how to achieve the highest possible opt-in rates.

Tips for selecting providers on consent management platforms (CMPs)

There are different CMPs and procedures for obtaining consent.

In the technological approach, cookies are usually suppressed retrospectively, while tags are suppressed in advance. Consent is stored via cookies (first- or third-party), local storage, data layer and server. Consent can be obtained in various ways: explicit or implicit, direct or indirect, and before or after the page load. The conceivable button options are opt-in, opt-out and a neutral approach.

The Consent Management Platform should meet some basic criteria. It must enable privacy banners, privacy centres and provider and cookie categories to be created, managed and adapted. In addition, user consent and consent types must be documented in detail. Not to mention that the system should be able to meet the following criteria:

Checklists before purchasing a CMP:

  • Adjustments to banner designs, texts and buttons (WYSIWYG editor)
  • Control by country and language settings
  • Consent metrics (details, KPIs, comparison of different banner variants)
  • A/B tests to optimise consent banners
  • Consent at different levels (provider, cookie)
  • Cookie crawler (detection of piggybacking)
  • White- and blacklisting of cookies/providers
  • Deleting/renewing consent after a certain period of time

Technical requirements:

  • Secure suppression of unauthorised cookies before consent (TAG-based)
  • Multi-CDN or self-hosting for displaying banners
  • Export function or API for transferring consent to third-party systems
  • Plug-in or native integration with tag management systems
  • Privacy Centre integration into privacy statements
  • IAB compliance (for advertising on publisher pages and Google)
  • Support and technical documentation

The legal requirements must ensure that storage takes place on ISO-certified EU servers. There should also be ePrivacy certification (or a similar scheme). In the case of security processes, managers must focus on incident management and disaster recovery, while in the case of contractual components, the focus is on a service level agreement (SLA), data protection based on technical and organisational measures (TOM), order data processing (ODP) and privacy by design.

Furthermore, CMPs must be combined with tag management systems. This is the only way to set cookies after the opt-in process and to categorise them clearly.
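
The tag-based suppression described above, as an added example (not code from Commanders Act or any CMP product): a tag manager asks a gate which tags may fire for a given stored consent record. The category names, the record fields, the treatment of a "necessary" category as consent-free and the 180-day renewal period are assumptions chosen for illustration.

```javascript
// Added example: tag-based consent gating. Category names, record fields
// and MAX_AGE_DAYS are assumptions, not any CMP vendor's API.
const MAX_AGE_DAYS = 180; // constructed renewal period
const DAY_MS = 24 * 60 * 60 * 1000;

// Classify a stored consent record at time `now` (ms since epoch).
function consentState(record, now) {
  if (!record) return "missing";
  // Scrolling or visiting a second page is not an active opt-in.
  if (record.method !== "explicit") return "invalid-method";
  const given = Date.parse(record.givenAt);
  if (Number.isNaN(given) || given > now) return "invalid-timestamp";
  if (now - given > MAX_AGE_DAYS * DAY_MS) return "expired";
  return "valid";
}

// Split tags into those that may fire and those that stay suppressed.
function gateTags(tags, record, now) {
  const state = consentState(record, now);
  const granted = new Set(state === "valid" ? record.categories : []);
  const fire = [];
  const suppressed = [];
  for (const tag of tags) {
    // Fail closed: a tag without a category is treated as needing consent.
    const allowed = tag.category === "necessary" ||
      (tag.category !== undefined && granted.has(tag.category));
    (allowed ? fire : suppressed).push(tag.name);
  }
  // promptUser tells the banner to (re)ask instead of reusing the record.
  return { state, fire, suppressed, promptUser: state !== "valid" };
}

// Constructed sample data: four tags and three stored consent records.
const TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "web-analytics", category: "analysis" },
  { name: "retargeting-pixel", category: "advertising" },
  { name: "legacy-widget" }, // never categorised in the tag manager
];
const NOW = Date.parse("2020-02-15T00:00:00Z");
const RECORDS = {
  explicit: { method: "explicit", givenAt: "2020-01-10T09:00:00Z",
              categories: ["analysis"] },
  implicit: { method: "implicit", givenAt: "2020-02-01T09:00:00Z",
              categories: ["analysis", "advertising"] },
  stale:    { method: "explicit", givenAt: "2019-06-01T09:00:00Z",
              categories: ["analysis", "advertising"] },
};

for (const [label, record] of Object.entries(RECORDS)) {
  const r = gateTags(TAGS, record, NOW);
  console.log(label, r.state, "fire:", r.fire.join(","),
              "suppressed:", r.suppressed.join(","));
}
```

Only the explicit, unexpired record releases anything beyond the "necessary" tag, and the uncategorised tag stays suppressed in every case.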

What strategies are available to improve the opt-in rate?

The consent issue will long be a fixture on the to-do list for marketing directors. What is the course of action? Although some professionals are tempted to use tactics to bypass the issue, others are taking a more strategic approach.

On the ground level

The short-term reflex: the temptation to circumvent

Although the opt-in is valid for 13 months (in other words, a legitimately accepted cookie may have such a lifecycle), legislation currently fails to mention anything about the opt-out validity period. That is all it took for organisations to see an opportunity, namely to ask for consent from visitors who have already opted out whenever they visit the site. Or how to invent the digital era’s very own version of nuisance calling…

This is not the only tactic that bypass fans are resorting to. For example, they can opt for a paginated display of the different cookie categories in an attempt to bore visitors and encourage them to accept everything as quickly as possible. In our eyes, this behaviour is akin to a headlong rush that is not only ineffective but capable of harming the company’s brand image. Consent collection practices are evidently one of the criteria for assessing how much (or how little) trust can be placed in a brand. There is also the danger of underestimating the “consent culture” that will progressively spread among the community of web users. Users will not be fooled by these tactics for long.

The long-term investment: the return of the login and authentication method

Many brands are shying away from such circumvention tactics and have instead opted to overhaul their digital strategy by incorporating consent collection and management. That explains why login screens are popping back up on websites, even those without a transaction space (an e-commerce account, for example). Better still, alliances are being forged in various sectors of activity to give users a single login for several different brands and websites. Media groups in particular are at the leading edge of this movement. For instance, Le Geste, a French association of online editors, is working with a dozen media outlets to roll out a single login system. Login and privacy initiatives are also cropping up in Germany (where Axel Springer is fiercely against the platforms) and Portugal.

In fact, letting users sign in and access content and services offers a number of advantages. Although the login method does not eliminate the need to obtain consent when using cookies for guest users, it allows for a two-speed system, such as by using few cookies for anonymous visitors (which simplifies the opt-in screen) and taking a more detailed approach for authenticated visitors. Logging in gives identified users the opportunity to fine-tune the terms of the “contract” and how their data are used.

Another upside to the login system is that by maintaining a user session, it can compensate for the mechanisms that reduce the cookies’ scope of action, as we saw earlier. In addition, a direct connection with the audience is an effective way of fleshing out the company’s first-party data. This concern is clearly a trending issue…

The essentials

Work on how consent is worded

Or how to restore collaboration between marketing and legal departments

Whether or not opting for a login system, a new form of collaboration would be desirable between the marketing and legal teams. As it currently stands, the legal team has too often been lumbered with the job of wording consent, probably based on the idea that just like the standard terms and conditions of sale, nobody will bother spending too much time poring over these few lines.

This attitude is easily understandable, given that consent rates hover around the 90% mark when organisations go for the soft opt-in approach. But as we have seen, the situation will have changed by July 2020, insofar as users will need to take an affirmative action to give their consent. It will take more than a purely legal text to motivate users to do so. The contract formed when collecting consent must now be developed by both the legal and marketing teams to garner support from users. The aim is to use the clearest possible language to describe the value of their consent and the brand’s commitments. Each organisation needs to find its own wording…

Migrating from consent management to preference management

Or how to turn consent into a user experience

Since consent is no longer a matter of asking web users to nod their head in front of a screen of pre-ticked boxes, it would seem logical to look at the collection process as an integral part of the user experience, not something that should merely be used to obtain consent, but also to give visitors the possibility of defining all their preferences. Do they agree to receive web push notifications? Do they want to see ads on social networks? Do they want to receive an email summarising the latest news? How often?

It can be seen with these examples that managing preferences can be especially exhaustive and “useful” if users are logged in. In any case, the way ahead seems to be all mapped out with privacy centres (the page where users can see their consents) turning into preference centres. A preference centre is a place where all visitors have an insight into their touchpoints and the information that they have agreed or refused to share. It is not a place where users typically venture to browse; they go there merely to control their relationship with the brand.

Create a consent scenario

Or how to boost collaboration between marketing and martech

Since soft consent is a thing of the past, each organisation needs to get ready to offer a much more explicit form of consent collection, while bracing itself for a significant fall in the opt-in rate. But to what extent? The latest edition of the Commanders Act Privacy Barometer offers a number of clues.

Close to 32% of the sites in the study cling to a super-soft form of opt-in (consent is validated as soon as users scroll or click on an element) and 31% maintain a soft opt-in approach (consent is validated when users visit a second page). That is why the consent rates in such industries as “Fashion & Retail” and “Travel” fluctuate between 66% and 91%! These rates are in strong contrast to the finance sector, which tends to follow a strict consent approach (explicitly clicking on an Agree button) and which has an average opt-in rate of… 29%. That figure provides a glimpse of what website editors can expect with the end of the soft consent tactic.

With opt-in rates reduced by a third or half, creating consent scenarios is becoming a real issue. There are no taboo questions. Should we ask for consent on the first page visited? If users opt out, should we ask them the same question each time they visit the site? If they give partial consent, can we really chase them up? In practice, there is every likelihood that the process of collecting and completing consent will gradually gravitate towards marketing automation with conditioned scenarios and testing. A fully-fledged discipline? In any case, it is an area where each organisation will need to develop its experience.

Supervise consent

Or how to get equipped for taking action

Because it is part of the user experience and because it determines the ability to build customer intimacy and activate digital strategies, the consent collection process requires accurate tracking with dedicated KPIs (Key Performance Indicators), and rightly so, since plenty of question marks are raised:

  • What is the global opt-in rate?
  • How are opt-ins divided between categories (analytics, retargeting, emailing, etc.)?
  • What about between the different screens and messages proposed? Which ones are the best at converting?
  • How much traffic is flowing to the Privacy Centre?

These invaluable data can be leveraged to continually improve the consent process and fine-tune the contract of trust with the audience.

 




Takeaway

Since consent is going to be around for a long time, circumvention attempts are doomed to failure. It is in brands’ best interests to transform consent into an integral part of the user experience. For a successful consent process, close collaboration is required between the legal, technical and marketing teams.
