'The Path to Compliance: Navigating General Data Protection Regulation', by Damian Scragg, MD EMEA, Evidon

“17 years ago, less than 1% of Europeans used the internet,” noted EU Justice Commission Vice President Viviane Reding. “Today, vast amounts of personal data are transferred and exchanged.” These comments were made in January 2012 and they introduced the Commission’s intention to reform the EU Data Protection Rules. In the time since those comments, the Commission has been working diligently to move forward with its General Data Protection Regulation. This vocal regulatory attention has kept online privacy squarely in the public eye and reason would suggest that such a close watch on the data collection industry would not make a fertile landscape for that industry’s growth.

However, despite impending legislation and public attention, the number of unique tracking technologies encountered by individuals in the EU grew by over 40% in 2012. Even as increased requirements for disclosure and user control seem to be closing in, the data collection industry grows more complex, both through the introduction of new companies and through the actions of the industry’s giants.

Big Moves from Big Players
For an early indication of how the legislation might impact online businesses, one could look at large companies like Google and Facebook, who are in the best position to afford a cautious, measured approach should they find it necessary. In March of 2012, however, Google put into effect a new privacy policy, essentially unifying the data it collects from all of its services – including web tracking scripts like its DoubleClick and AdSense products, as well as its nearly ubiquitous analytics pixel. While this doesn’t increase the amount of data the search giant collects (that was massive and stays massive), it allows for new uses of more data about individuals. Google’s reaction wasn’t completely dismissive of coming requirements, however. As recently as April, cookie consent notices began appearing for EU users of Google’s search pages, with a link to a video explaining how the company uses cookies in the course of its wide variety of web services.

Facebook, for its part, was also bullish on expanding its use of data, launching the Facebook Exchange (FBX) – a real-time, cookie-based bidding platform on which advertisers compete with each other for impressions based on a user’s interests. Those interests are collected from activity on Facebook and around the web, as discovered by the use of Facebook ‘Like’ buttons, the Facebook Connect login service, and new FBX pixels that the social network has begun to spread across the internet at large. Facebook has also been looking to actively influence the process, particularly around the proposed ‘Right to be Forgotten’ clause, which would allow users to have their personal data removed. Facebook has said that this rule, “raises many concerns with regard to the right of others to remember and to freedom of expression”, and suggested that if the rule includes responsibility that extends beyond Facebook’s site itself, it may have to increase tracking in order to comply.

Niches Upon Niches, All Filled Immediately
Smaller companies in the data collection industry are not to be outdone by the biggest of their ilk. New technology companies enter the space all the time, introducing new, focused ways of collecting, compiling, or applying user data. Acquisitions and mergers also produce larger, unified data sets that, taken together, reveal more about users and can be applied to them more directly. This elaborate innovation may help the advertising bottom line, but it can also work against compliance with legislation. Evidon studies show that 55% of tracking scripts that appear on a site are placed there by someone other than the site owner – usually as a ‘guest’ of another script, loaded by a tag the site owner did include rather than by the site owner directly. Site owners very rarely have visibility into these companies and may be completely unfamiliar with their practices. Web users (and perhaps more importantly, privacy-focused regulators) do not accept ignorance as a valid excuse. A web page is the user-facing portal to the internet and, if data is collected there, the responsibility for that collection is laid almost exclusively at the feet of the site’s publisher.

Clarifying the Grey Areas
At Evidon, we frequently hear site owners ask which companies have acceptable practices and which are doing something underhanded or shady. That’s always a difficult question to answer because each organisation has different levels of sensitivity about its user data, and the line between acceptable and unacceptable practices can vary. What’s important to understand, however, is that the General Data Protection Regulation is meant to address above-board industry practices, not criminal computer activity. In terms of compliance, site owners should think less about what is good data collection and what is bad data collection, instead focusing on transparent methods of doing business while giving consumers clear and meaningful choice. It’s not enough to count cookies or put up a consent message and hope for the best. Effective privacy-sensitive operations require a working knowledge of the data collection industry, a clear understanding of how to apply that technology and concise disclosure along every step of the process.

The Economics of Compliance
Dissenters often invoke the economic impact of legislation when advocating for caution. But in the case of the GDPR, following the general procedures required by the legislation can also bolster the bottom line. The kind of auditing that can lead to proper disclosure also reveals areas where a site is at risk for leaking data to otherwise undetected tracking companies. Slow load time is a leading factor for loss of audience on a website – and these scripts also frequently add unwanted latency. The worst offenders added, on average, 1.7 seconds of additional load time on the sites where they appeared. Even when considering the best performers, scripts that are typically added without the consent of publishers bring 518ms of latency, on average. By carefully examining the trackers that appear on the site, and the path by which they arrived, site publishers not only put themselves into position for compliance, but they can also increase efficiency and data sharing revenue.
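The audit described in the last two sections (listing every tracker on a page, the path by which each one arrived, and the latency it adds) can be run over a browser’s HAR export of a page load. The following is an added example, not Evidon’s tooling: it works on a constructed, HAR-like list of requests in which each entry records the URL, the URL whose script or markup initiated the load, and the request duration. The publisher domain, the vendor allow-list and all hostnames are assumptions. It flags ‘guest’ trackers (those pulled in by another third party rather than by the publisher’s own code), separates vendors the publisher already discloses from ones that would need disclosing, and totals the time spent on each.

```python
"""Audit third-party loads from a HAR-style capture: who loaded whom, and what it cost.

Added example (not Evidon's code). Input is a constructed list shaped like the
fields a browser's HAR export provides per request: the URL, the URL whose
script or markup initiated the load, and the time the request took.
"""
from urllib.parse import urlsplit

# Assumption: the audited publisher's own registrable domain.
FIRST_PARTY = "example-publisher.com"

# Assumption: vendors the site owner deliberately contracted and already discloses.
KNOWN_VENDORS = {"analytics.known-vendor.example"}

# Constructed sample capture; all hostnames are fictitious.
SAMPLE_ENTRIES = [
    {"url": "https://www.example-publisher.com/", "initiator": None, "time_ms": 180},
    {"url": "https://www.example-publisher.com/js/app.js",
     "initiator": "https://www.example-publisher.com/", "time_ms": 40},
    {"url": "https://analytics.known-vendor.example/collect.js",
     "initiator": "https://www.example-publisher.com/js/app.js", "time_ms": 60},
    {"url": "https://cdn.adnet-one.example/tag.js",
     "initiator": "https://www.example-publisher.com/", "time_ms": 220},
    # Piggybacked: the ad tag, not the publisher, pulled in a cookie-sync partner ...
    {"url": "https://sync.pixel-broker.example/match?uid=1",
     "initiator": "https://cdn.adnet-one.example/tag.js", "time_ms": 310},
    # ... which in turn called a fourth party the publisher has never heard of.
    {"url": "https://rt.fourth-party.example/beacon.gif",
     "initiator": "https://sync.pixel-broker.example/match?uid=1", "time_ms": 95},
]


def host_of(url):
    return urlsplit(url).hostname or ""


def registrable_domain(host):
    # Simplification: keep the last two labels. Real audits should consult the
    # Public Suffix List so that hosts under e.g. "co.uk" are grouped correctly.
    return ".".join(host.split(".")[-2:])


def is_first_party(url, first_party):
    return registrable_domain(host_of(url)) == first_party


def load_chain(url, by_url, first_party):
    """Hosts that led to this request, nearest loader first, ending at the
    first first-party URL (or when the initiator is unknown)."""
    chain, seen = [], set()
    cur = by_url.get(url, {}).get("initiator")
    while cur and cur not in seen:          # 'seen' guards against initiator cycles
        seen.add(cur)
        chain.append(host_of(cur))
        if is_first_party(cur, first_party):
            break
        cur = by_url.get(cur, {}).get("initiator")
    return chain


def audit(entries, first_party, known_vendors):
    """One record per third-party host: how it got onto the page and what it cost."""
    by_url = {e["url"]: e for e in entries}
    report = {}
    for e in entries:
        if is_first_party(e["url"], first_party):
            continue
        host = host_of(e["url"])
        chain = load_chain(e["url"], by_url, first_party)
        # A "guest" arrived via another third party rather than the publisher's own code.
        via_third_party = any(registrable_domain(h) != first_party for h in chain)
        rec = report.setdefault(host, {
            "domain": registrable_domain(host), "chain": chain, "guest": False,
            "declared": host in known_vendors, "requests": 0, "time_ms": 0})
        rec["guest"] = rec["guest"] or via_third_party
        rec["requests"] += 1
        rec["time_ms"] += e["time_ms"]
    return report


def summarize(report):
    """Figures a publisher needs for both the disclosure list and the latency case."""
    guests = sorted(h for h, r in report.items() if r["guest"])
    undeclared = sorted(h for h, r in report.items() if not r["declared"])
    return {
        "third_party_hosts": sorted(report),
        "guest_hosts": guests,
        "undeclared_hosts": undeclared,
        "total_third_party_ms": sum(r["time_ms"] for r in report.values()),
        "guest_ms": sum(report[h]["time_ms"] for h in guests),
    }


if __name__ == "__main__":
    rep = audit(SAMPLE_ENTRIES, FIRST_PARTY, KNOWN_VENDORS)
    for host, r in sorted(rep.items()):
        tag = "GUEST" if r["guest"] else "direct"
        decl = "declared" if r["declared"] else "UNDECLARED"
        print(f"{host:40} {tag:6} {decl:10} {r['time_ms']:5} ms  via {' <- '.join(r['chain'])}")
    print(summarize(rep))
```

On the sample, the two undeclared hosts that the publisher never placed are exactly the ones that arrived as guests of the ad tag, and together they account for more time than every directly placed script combined; that is the list a site owner has to either disclose or cut before a consent notice means anything.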

Forward-thinking businesses are not waiting to quibble over the definition of user data or cookie consent pixel sizes. Instead, sites all over Europe are seeking to answer the cultural demand for transparency that the Justice Commission seeks to codify into rules. Actionable intelligence about the activity on their sites is leading to definitive disclosure of that activity, and web operators are able to smile across the conference room at their legal teams and confidently suggest that, whatever the rules look like, they’re on the right path to compliance.