Don’t Shoot The Messenger: GDPR, “Prior Blocking”, And The €20 Million Liability Risk Your Website (Probably) Carries

Hey, does anybody else remember Freakazoid!?

Originally airing as part of the Kids’ WB programming block, Freakazoid! was a co-production by Steven Spielberg’s Amblin Entertainment and Warner Bros. Animation, the same partnership behind other animated Saturday-morning fare like Animaniacs, Tiny Toon Adventures, and Pinky & The Brain.

The show follows the adventures of one Dexter Douglas, a teenager who inadvertently “downloads” the entirety of the Internet into his brain, becoming the titular (and profoundly insane) protagonist. Freakazoid! has been described as “the first true superhero of the Internet age”, and it was one of my absolute favourite cartoons growing up. To this day, I still think it’s one of the funniest shows – animated or otherwise – to come out of the 1990s.

One of Freakazoid!’s (many, many) one-off characters was “Arms Akimbo”, a criminal racketeer who – being the son of two print catalogue models – had spent his childhood in “years of forced modeling, which left his arms frozen in a jaunty pose”.

Arms Akimbo: the true face of menace.

The show introduces us to Arms as he enters a local cafe, to intimidate the clerk working behind the counter.

“Now listen, Coffee Boy,” he sneers, “I’m here to sell ya ‘Oops Insurance’!”

“Wh-what’s that?” the clerk asks nervously. Akimbo elbows a glass jar of coffee beans off the counter, which shatters as it hits the ground.

“Ooooops,” he smirks.

I find myself reminded of this scene in recent weeks, as I conduct basic sales research on various local businesses and organizations. In my most recent post for this blog, I talked about my sales prospecting process, and a few of the things I’ll look for which indicate that a business could benefit from my services and expertise.

My research often yields enough information that I’m able to begin a sales conversation with a prospect, while having a specific and compelling value proposition already in mind for their organization. That’s the upside of a “solution selling” approach.

One downside to this approach – I hesitate to call it a disadvantage – is that my sales research sometimes yields evidence of issues which go beyond simple “underperformance”, and into the realm of active legal and financial liability. And because the business owners and/or marketing managers responsible are often completely unaware of those issues, I find myself in the awkward position of having to both inform them of an existing financial risk to their business and seek to land a contract to help them mitigate that risk.

In other words, some days it can feel like I’m going around selling Oops Insurance.

Granted, in my case it’s perfectly legal Oops Insurance – there’s no element of coercion or extortion – but it’s probably about as pleasant an experience for the prospects that I’m reaching out to.

The emails I’ve gotten back so far have actually been pretty nice.

Still, the risks I’m identifying are real, and these conversations need to be had eventually. And since I’ve found myself writing a few very long, very similar-sounding emails lately, I figured now would be a good time to write my first post about a subject that’s often neglected by online marketers:

Data rights.

(…You know, I’m realizing now that I probably should have spent this intro talking about The Great Hack instead. Netflix’s new doc on the Cambridge Analytica scandal is relevant, it’s popular, it’s really quite good [though I have my gripes], and it probably would have been a better SEO play than having spent my first 250 words talking about a one-off character from an obscure mid-90s children’s cartoon.)

I call this one “Foreshadowing: the GIF”.

Like Having Privacy Rights? Thank a European.

Let’s start with some history. In 1995, the recently-formed European Union adopted the Data Protection Directive, to regulate the processing of personal data within and across the EU (incidentally, 1995 was also the same year that Freakazoid! premiered. Coincidence? Yes).

In EU law, a “directive” is a legal act which obligates all member states to achieve a particular result, while leaving each member to implement this result through their own legislative bodies. In the case of the Data Protection Directive, all member states were given until October 24, 1998 to “transpose” its contents into their internal laws, which everybody did.

Now, why am I talking about a 24-year-old legal text from halfway around the world? Well, because it’s pretty much the only reason that most Canadians enjoy any form of data rights in their day-to-day lives here at home.

You see, Chapter IV of the Data Protection Directive (you can read the full text here) effectively prohibited the transfer of any EU resident’s personal data outside of the European Union unless “the third country in question ensures an adequate level of protection.” And since virtually all of Canada’s privacy laws at the time had been written to apply solely to the public sector (Quebec being the only province to have passed a law governing the private sector’s usage of personal information), Canada absolutely did not fit that bill.

This is basically how every Canadian boardroom reacted to the news. I assume.

Fearing that Canadian businesses and institutions would soon lose access to European markets entirely, the Chrétien government introduced the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the collection, usage, and disclosure of personal information during the course of commercial activities in Canada.

PIPEDA was first introduced as Bill C-54 in 1998, but it died on the order paper when the legislative session ended. It got reintroduced as Bill C-6 in 1999, and received Royal Assent on April 13, 2000. One year later, the European Commission released a decision confirming that “Canada is considered as having an adequate level of protection for personal data transferred from the Community to recipients subject to [PIPEDA]”.

One of these days, I’ll probably write a separate post about the obligations of Canadian businesses under PIPEDA, and the data protections the Act affords to Canadians (spoiler alert: they’re both piss-weak). For right now, though, the key takeaway is that Canada’s privacy laws have largely been written and enacted as a reaction to the stronger data protections enjoyed by residents of the EU member states. And for the past couple decades, that’s been good enough.

…but “piss-weak” is about the long and short of it.

GDPR: Once More, but With Feeling

While the Data Protection Directive was largely successful in achieving its intended goals, it was not without its problems.

For one thing, because the Directive left each member state to implement its own data protection laws, some EU nations chose to adopt stronger privacy regimes than was expressly required. This led to legislative divergence between member states, which could make privacy compliance somewhat challenging (and costly) for businesses and organizations operating across Europe.

For another, the Data Protection Directive had been written and adopted during the very infancy of the commercial Internet. To offer some context here, 1995 was the same year that Amazon.com first went live (branding itself as “Earth’s Biggest Bookstore”), alongside other scrappy little web start-ups like eBay, Craigslist, and Match.com. Netscape Navigator was the most popular web browser on the planet, although the release of Internet Explorer 1.0 that year signaled the beginning of the First Browser War. Meanwhile, a 1995 Pew Research Center study found that only 3% of Americans had ever used the World Wide Web.

By the early 2010s, many had begun to recognize that the Data Protection Directive was no longer fit for purpose. In 2012, the European Commission proposed comprehensive reforms to the EU’s data protection laws. Years of debate, negotiations, comments and revisions followed, all of which resulted in the final text of the General Data Protection Regulation (GDPR), which was formally adopted on April 14, 2016.

The key difference between a “directive” and a “regulation” in EU law is that a regulation is self-executing; it doesn’t require member states to pass any enabling legislation. Upon its “implementation date”, an EU regulation becomes directly applicable – and equally enforceable – across all member states simultaneously.

The GDPR’s implementation date was scheduled for May 25, 2018. As of that day (about fifteen months ago, at time of writing), the GDPR officially superseded the Data Protection Directive as the primary data protection legislation governing all EU member states, and the data rights of all EU residents.

Robert J. Holt: (Not an) Attorney-at-Law

Full disclosure here: I am not a lawyer, nor have I played one on TV. But in order to explore this topic any further, I’m going to have to delve into some of the legal concepts contained in the GDPR.

So consider this my disclaimer: the following is general information, based on my personal understanding, and grounded in my experience as a digital marketer. It should not be construed as legal advice, or as a replacement for same. If you want legal advice, you should talk to a lawyer. I don’t know which one. Maybe try and corner the mayor at a media event; I hear he’s pretty good at this privacy stuff.

Who ya gonna call?

Everybody with me? Great. Now, the GDPR focuses on three main parties to any exchange of personal data:

  • The data subject, which is “an identified or identifiable natural person”. This definition is purposefully broad, and probably best interpreted as referring to any resident of the European Union;
  • The data controller, which “alone or jointly with others, determines the purposes and means of the processing of personal data”. Most businesses which collect any form of data on their customers/prospects/marketing audience would fit this description; and
  • The data processor, “which processes personal data on behalf of the controller”. When you install Google Analytics on your website, for example, Google is acting as a data processor on your behalf.

The rights afforded to data subjects under the GDPR apply not only within the borders of the European Union, but also beyond them. Article 3 (“Territorial Scope”) states that the Regulation shall apply to any data controller/processor outside of the Union that processes the personal data of data subjects within the Union in order to offer goods or services, or to monitor the behaviour of EU data subjects.

(If, at this point, you’re asking yourself whether it’s even possible for the European Union to impose legal obligations and responsibilities onto a business based in Canada, the general consensus of the legal community seems to be “you bet your ass they can”. Moving right along…)

“Can you believe it? It all comes with the room!”

Article 6 of the GDPR (“Lawfulness of Processing”) outlines six legal bases by which controllers/processors are permitted to process the “personal data” of an EU data subject. Of these six, only one is really applicable in the majority of commercial contexts, such as marketing or advertising activities: the consent of the data subject.

This section of the Regulation is pretty much a straight cut-and-paste from “Article 7” of the Data Protection Directive – really, nothing new. However, the GDPR establishes a much broader definition of “personal data” than was found in the Directive, as well as a much higher standard for what constitutes valid “consent”.

The meanings of these terms under the GDPR are established in Article 4 (“Definitions”):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; [emphasis mine]

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. [emphasis mine]

Recital 32 further clarifies the conditions of consent:

…This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. [emphasis mine]

Putting A Price Tag On Privacy Violations

There’s one more aspect of the GDPR that I want to address here, and it’s the one that I included as a bit of click-bait in this post’s title.

Unlike the Data Protection Directive which preceded it (or PIPEDA in its current form), the GDPR establishes financial penalties for data controllers/processors found to have infringed upon the rights of EU data subjects.

Article 83 (“General conditions for imposing administrative fines”) sets out two tiers of fines which may be levied by the Data Protection Authority of an EU member state (DPAs are analogous to the Office of the Privacy Commissioner here in Canada):

  • “Lesser” infringements are subject to fines of up to €10,000,000 or 2% of total worldwide annual turnover;
  • More serious infringements are subject to fines of up to €20,000,000 or 4% of total worldwide annual turnover.

For both tiers, the maximum administrative fine is determined based on whichever of those two figures – the flat sum or the percentage of an organization’s annual global revenues – is higher.

I, too, am here on a mission of mercy.

These are, of course, the maximum penalties; not every case merits such an eye-watering fine. The first GDPR penalty issued by Austria’s DPA, for example, was just €4,800. However, the Regulation does state that “the imposition of administrative fines… shall in each individual case be effective, proportionate and dissuasive”.

To go back to the Austrian case, that €4,800 fine was levied against a small business owner who had installed a CCTV camera in front of their shop; the camera had been positioned so as to record a large portion of the public sidewalk outside, and proper notice of this surveillance had not been given. So, not a €20 million fine, but probably enough that they’d think about tilting their security camera down a bit.

Your “We Use Cookies” Banner Is Bad And You Should Feel Bad

If all of this is sounding like it could cause massive headaches when it comes to executing your online marketing strategy, then welcome to the world I’ve been living in for the past three years now. Grab yourself a chair; we’re all gonna be here for a while.

While businesses across Europe scrambled to achieve compliance with these new privacy standards in time for their implementation date (or “GDPRmageddon”, as it came to be known), most Canadian organizations seem to have taken a more… let’s say, laissez-faire approach.

The only widespread evidence I’ve seen of efforts aimed at GDPR compliance locally has been the recent trend of adding “cookie consent” banners to some organizations’ websites, where none had been before.

When I say “cookie consent” banners, you know the kind I mean. This trash:

I have *plenty* of real-world examples, but I’m not out here tryna get sued.

To be honest, I’m genuinely baffled whenever I spot one of these single-sentence, single-button “we use cookies” banners peering out from the edge of my browser window. It would be one thing if they actually satisfied the criteria of “informed consent” under the GDPR (they don’t). But in nearly every case that I’ve ever seen, all they are is meaningless UX clutter, serving no other purpose than to make the website owner’s risk liability even greater.

Remember, the GDPR requires a clear, affirmative action indicating consent by the data subject before their consent may be used as a lawful basis for data processing. If a website begins collecting “personal data” prior to consent (say, by firing a remarketing pixel for building audience lists, or sending a hit to a Google Analytics property with Demographics and Interests reporting enabled), this constitutes a “major” GDPR infringement, liable for the highest tier of administrative penalties.

In order to comply with the “informed consent” and “clear affirmative action” provisions of the GDPR, any form of data collection reliant upon consent must be prevented until after the user has indicated their consent. This is often referred to as “prior blocking”, and is not especially difficult to implement.
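Here is what “prior blocking” looks like in code. This is an added example, not code from the original post: a small consent gate in which consent-dependent tag loaders (an analytics hit, a remarketing pixel) are registered at page load but only executed after an explicit “Accept” action, while dismissal, inactivity or any stored value other than an explicit grant fires nothing. ConsentGate, registerTag, grant, deny, CONSENT_KEY, memoryStorage and simulateVisit are invented names; the in-memory storage stands in for localStorage so the example runs outside a browser.

```javascript
// Added example, not code from the original post: a minimal "prior blocking"
// consent gate. Tag loaders register on page load but do not run until the
// visitor takes a clear affirmative action; silence, dismissal or any stored
// value other than "granted" never counts (Recital 32). All names are invented.
const CONSENT_KEY = "consent_v1"; // hypothetical storage key
class ConsentGate {
  constructor(storage) {
    this.storage = storage; // any object with getItem/setItem, e.g. localStorage
    this.pending = [];      // loaders waiting for consent
    this.fired = [];        // names of loaders that have already run
  }
  hasConsent() {
    return this.storage.getItem(CONSENT_KEY) === "granted";
  }
  // Register a consent-dependent tag (analytics hit, remarketing pixel):
  // runs now only if consent was already granted, otherwise queues it.
  registerTag(name, loader) {
    if (this.hasConsent()) {
      loader();
      this.fired.push(name);
      return true;
    }
    this.pending.push({ name, loader });
    return false;
  }
  // Wired only to the banner's explicit "Accept" action.
  grant() {
    this.storage.setItem(CONSENT_KEY, "granted");
    for (const { name, loader } of this.pending.splice(0)) {
      loader();
      this.fired.push(name);
    }
    return this.fired.slice();
  }
  // Wired to "Reject", banner close, or any other non-affirmative path.
  deny() {
    this.storage.setItem(CONSENT_KEY, "denied");
    this.pending.length = 0; // queued loaders are dropped; nothing fires
    return this.fired.slice();
  }
}
// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
// Simulated page view with two consent-dependent tags registered on load.
// action: "none" (visitor ignores the banner), "accept" or "reject";
// stored: consent state carried over from an earlier visit (constructed input).
function simulateVisit(action, stored = {}) {
  const gate = new ConsentGate(memoryStorage(stored));
  const log = [];
  gate.registerTag("ga", () => log.push("ga hit sent"));
  gate.registerTag("remarketing", () => log.push("pixel fired"));
  if (action === "accept") gate.grant();
  if (action === "reject") gate.deny();
  return { fired: gate.fired.slice(), log };
}
```

The check that matters for a real site is the same as the one the simulation makes: with the banner untouched, the network log must show no analytics or pixel requests at all, and only after “Accept” should they appear.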

Which begs the question: how many local organizations are adding these “we use cookies” banners to their sites, without having set up prior blocking, so that their cookie consent banner is functionally meaningless?

Well, over the past few weeks conducting sales research, I’ve put together a pretty detailed list, and I’d like to invite my good friend Gary Oldman out here to read it for you. Gary?

Thanks, Gary. Literally never change.

I’ve looked into the websites of dozens of other local businesses in recent weeks – law firms, tech firms, Crown corporations, post-secondary institutions, agri-businesses, e-commerce retailers, tourist attractions – and I have yet to find a single “cookie consent” banner that’s been configured to prevent data collection prior to user consent. I’ve even tried using a VPN to connect through EU-based servers, just to see if maybe they’d set up different business logic depending on where in the world a visitor accesses their website from.

The results of my testing were always the same: most “cookie consent” banners aren’t worth the time it took for a developer to add them to the website. Hell, they’re not even worth the bandwidth your web browser uses to load them.

This is particularly galling for those businesses which have significant European audiences and operations – whether as a client base, or an export market, or as the target of their recruitment efforts. Their attempts at GDPR compliance all stumble at the very first hurdle, in a manner that’s trivially simple to detect and verify.

It’s a legal troll’s Paradise out here right now.

Am I leaning too hard on the Steve Carell GIFs in this post? No… no, there’s no such thing.

“Omar Comin’, Yo!”

Businesses operating in Canada have generally treated respect for their customers’ data rights as more of a “nice-to-have” than as an actual legal (or ethical) obligation. The reason for this is fairly obvious; while PIPEDA introduced new data protection rules for Canada’s private sector, it did not give the Office of the Privacy Commissioner any powers to impose fines for non-compliance.

Given the EU’s implementation of the GDPR (and public reaction to the Cambridge Analytica scandal), at this point it’s really a question of when – not if – Canada’s privacy laws will be amended to grant the OPC greater enforcement powers. And with an election coming up this fall, I’ll be surprised if the phrase “data rights” doesn’t make its way into the platforms of every single federal party (hint: they’ll have to adopt GDPR-like protections once in office anyway, if they want Canadian businesses to retain EU market access).

While it might be tempting in this environment to adopt a “wait-and-see” approach to privacy compliance, fact is, the GDPR’s enhanced protections, extraterritorial reach, and substantial non-compliance penalties mean that for many online marketers here in Winnipeg (and across Canada), inaction is simply not an option.

The sassy GIFs will continue until the situation improves.
—Management

Omar comin’. You can’t say nobody warned you.
