By Ann Grove, Logical's President
We can expect major shifts in the common practice of requiring potential buyers to provide personal information in exchange for access to white papers and webinars as regulators begin enforcing the EU’s General Data Protection Regulation (GDPR) which became effective in May 2018.
The GDPR decision against Google today directly relates to these lead generation practices.
The French GDPR regulator (CNIL) found that Google users were automatically opted in to have their data tracked for the purpose of delivering personalized ads because the opt-in checkbox was ticked on by default; the default should have been a clear checkbox to indicate opt out. In addition, the blanket consent should have been split into multiple checkboxes so that a user would consent separately for each use of the private information, CNIL found.
“This sanction is particularly detrimental to Google as it directly challenges its business model and will, in all likelihood, require them to deeply modify their provision of services,” Sonia Cissé, Managing Associate at Linklaters, a law firm, told Reuters (https://www.reuters.com/article/us-google-privacy-france/france-fines-google-57-million-for-european-privacy-rule-breach-idUSKCN1PF208).
Many Business-to-Business marketers employ practices similar to Google for “gating” content and so may likewise soon find themselves reworking their business models. Gating is the process of requiring users to submit private contact information in order to gain access to high-value content such as white papers and webinars.
Potential GDPR problems with gating include:
In addition, certain conditions render consent invalid under GDPR. For instance, consent is invalid when private information is not realistically needed to deliver a service. This seems this would directly apply to gating. The UK Information Commissioner’s Office’s Guide to GDPR explains that organizations should “avoid making consent to processing a precondition of a service.”
Since GDPR enforcement is relatively new, the exact impact on gating is unclear. However, it is clear that by focusing on the collection and use of private information, GDPR regulators are taking a markedly different approach from US privacy regulators who focus fines almost exclusively on breaches.
In part to avoid GDPR risk, some organizations such as ChartMogul have discontinued using gating for now (https://blog.chartmogul.com/gated-content/).
Ann Grove, a Certified Information Privacy Professional, writes about security and privacy for vendors and consultancies. She also helps enterprises develop policies and procedures and documents workflows for security and compliance. Please ask Ann if you would like to republish this article.