How to deal with consent under ePrivacy regulations?

Victoria Gardin, Offering Manager at OneTrust, intervened during this One to One Biarritz conference to address the issue of consent and ePrivacy regulations on privacy and personal data protection.

The definition of the ePrivacy regulation

ePrivacy is a European directive focusing on the confidentiality of electronic communications, unlike the GDPR which takes into account all personal data, regardless of the means of transmission. The GDPR will therefore promote the right to the protection of personal data; the ePrivacy is responsible for the right to privacy and the protection of communications.

In 2017, the idea was to move ePrivacy from directive status to regulation, more stringent in its application, not interpreted by the Member States. This highlights the technical requirements and the need to adapt ePrivacy to the GDPR. Harmonisation should take place at European level and a Law 2.0 on cookies should also be introduced.

The ePrivacy also puts on the agenda the need for consent, as well as the injunctions made to browsers regarding the cookie policy. Protection also applies to signal processing Wi-Fi issued during communications to ensure that they are not diverted from their role and used for other purposes.

ePrivacy is important for digital marketing as it introduces new consent rules (opt-in or opt-out strategies). Some points require contentment on the part of users, others do not, still others require implied consent.

It is the responsibility of the website editor to delete tracers and cookies and obtain consent. Some more general derogations, however, relate to analytics or updates. The CNIL has long tolerated the soft opt-in, namely the implied consent of the user from the moment he continues browsing the site in question, although they were informed of the presence of cookies. Today the CNIL no longer allows it.

ePrivacy and GDPR

The GDPR and ePrivacy have had significant impacts in the industry, particularly in terms of customer relationships. Among these major changes: the possibility to use wall cookies, these pop-ins that appear on the screen, preventing the user from browsing, but also the possibility of relying on other purposes (performance cookies, etc.) than the only consent.

This is the idea of “legitimate interest”: according to the GDPR, processing personal data involves choosing one of the seven legal frameworks available. Consent is one of these frameworks, but it is also a legitimate interest, that is to say all the treatments necessary for the pursuit of a professional activity.

Another way is to ask the browser directly to manage, not blocking without contentment, but user preferences. It is noted that more than a third of American companies have preferred to block their website to European Internet users rather than to put themselves in line with the GDPR and the protection of personal data.

What is the IAB role?

The IAB (Interactive Advertising Bureau) has set up a framework for publishers to obtain consent. They will therefore pay for advertising inserts and then post targeted advertisements on their website.

The IAB’s recommendations also concern the introduction of the legitimate interest. They advise against using consent via browsers. The IAB acts in full transparency; there is a clear will on its part to quickly standardise the model.

Some good practices in consent

“The goal is to think of consent in a more innovative way, not only in terms of computers but also in marketing,” says Gardin. The tendency is to allow the user to give consents in a slightly more subtle way.

For example, instead of limiting the consent to marketing communication, we will allow it on the «newsletter» theme, and more specifically on «new product newsletter», which will allow the user an ‘à la carte’ choice. A higher retention rate was then observed as a result.

In addition, all these consent options must be well integrated on the website and accessible at the appropriate time. Everything must be clearly expressed, it is ultimately necessary to train the user in this practice, the reflex of consent, in order to comply with the protection of personal data.

The opt-out method will consist in dropping cookies on the user’s machine. Implied consent will only involve cookies strictly necessary for the proper functioning of the site (information kept in the shopping cart). Opt-in remains the strictest method: it is a matter of displaying the banner with inactive cookies, then waiting for the user to accept them.

For information, the CNIL also intervened on smartphones, where cookies are replaced by SDKs, which are also trackers whose use must be regulated. Strategies also exist here to collect user consent.

Speaker:

Victoria Gardin, Offering Manager France - OneTrust