Will GDPR Kill the Exchange of Private Information for Valued B2B Content?

By Ann Grove, Logical's President

We can expect major shifts in the common practice of requiring potential buyers to provide personal information in exchange for access to white papers and webinars as regulators begin enforcing the EU’s General Data Protection Regulation (GDPR) which became effective in May 2018.

The GDPR decision against Google today directly relates to these lead generation practices.

The French GDPR regulator (CNIL) found that Google users were automatically opted in to have their data tracked for the purpose of delivering personalized ads because the opt-in checkbox was ticked on by default; the default should have been a clear checkbox to indicate opt out. In addition, the blanket consent should have been split into multiple checkboxes so that a user would consent separately for each use of the private information, CNIL found.

“This sanction is particularly detrimental to Google as it directly challenges its business model and will, in all likelihood, require them to deeply modify their provision of services,” Sonia Cissé, Managing Associate at Linklaters, a law firm, told Reuters (https://www.reuters.com/article/us-google-privacy-france/france-fines-google-57-million-for-european-privacy-rule-breach-idUSKCN1PF208).

Many Business-to-Business marketers employ practices similar to Google for “gating” content and so may likewise soon find themselves reworking their business models. Gating is the process of requiring users to submit private contact information in order to gain access to high-value content such as white papers and webinars.
​
Potential GDPR problems with gating include:

• A registration form should not require the user to enter contact information without informing the user how that information will be used.
• A registration form should not feature a locked opt-in checkbox that is ticked on by default -OR- feature an opt-in checkbox that is ticked on by default that may be deselected. The default should be a clear checkbox indicating opt out, according to the Google decision.
• A registration form should not contain a single opt-in checkbox when the user is consenting to multiple uses of the information and/or different types of processing. For instance, some GDPR advocates theorize that at least two checkboxes would be required if the user agrees to receive requested content by email and receive future marketing emails. Checkboxes should be granular. Vague or blanket consent is not adequate, according to the Google decision.

In addition, certain conditions render consent invalid under GDPR. For instance, consent is invalid when private information is not realistically needed to deliver a service. This seems this would directly apply to gating. The UK Information Commissioner’s Office’s Guide to GDPR explains that organizations should “avoid making consent to processing a precondition of a service.”

Since GDPR enforcement is relatively new, the exact impact on gating is unclear. However, it is clear that by focusing on the collection and use of private information, GDPR regulators are taking a markedly different approach from US privacy regulators who focus fines almost exclusively on breaches.

In part to avoid GDPR risk, some organizations such as ChartMogul have discontinued using gating for now (https://blog.chartmogul.com/gated-content/).

About Ann
Ann Grove, a Certified Information Privacy Professional, writes about security and privacy for vendors and consultancies. She also helps enterprises develop policies and procedures and documents workflows for security and compliance. Please ask Ann if you would like to republish this article.
​​