Forecasting Consent Threat Level in Europe

Consent for online data collection is a squirrelly topic in Europe right now. Leaving aside for the moment whether or not consent ‘aught’ to be required, and if so, how sensitive the data and its use might need to be to warrant this abrasive step, companies are trying to understand the baseline requirements so they can plan and build around them.

Unfortunately, not only are the rules a bit unclear, but close observers also expect the rules to change substantially over the next two years.

The stakes are very high, both for companies that want to avoid disruptive consumer experiences and for those that survive as third parties embedded in websites (and are therefore reliant on other parties to interface with the consumer). The stakes are also high for consumers, who may see substantial downstream effects in the content they have access to if, for example, media monetization is impacted. Market consolidation can also cause ripples if, as a result of their advantages in consent collection, dominant first/third party hybrid companies assume greater control.

With these storms brewing, the answer to ‘will we need consent?’ is more akin to a weather report. We are tracking the threat of a slow moving, distant, but very powerful storm that is threatening landfall.

Please meet, the ‘Consent Threat Level’ report for Europe, in three stages.

NOW: tepid yellow

The ePrivacy Directive already requires consent for virtually all ‘non-essential’ data collection online. If a tag loads on a site to deliver on an action that wasn’t the specific request of the user, it probably needs consent. There are some exceptions to this general rule, such as a key difference in application to the German market, but for virtually every other European market, the rule is on the books and applicable.

So why tepid yellow?

Let us count the ways:

• Consent is loosely defined: in most EU markets, the ePrivacy Directive defines consent in open-ended terms, leaving the local DPA to effectively define the consent standard through written guidance and enforcement. In some cases, this has lead to formal acceptance of ‘implied’ consent — or consent through indirect actions following notice. Implied consent has taken the field in markets like the UK, the largest digital media market in Europe. Implied consent has lead to the ‘cookie banners’ that you see at the bottom or top of websites that collect your consent when you indicate it ‘by proceeding to browse the site.’
• Relatively low fines: fining authorities for the Directive are defined by the general fining authority that has been granted to each country Data Protection Authority (DPA) by their national governments. In many cases, this authority is not particularly impressive. In some cases, the authority is nil. In every case, the fining authority pales in comparison to what is coming with the General Data Protection Regulation (GDPR).
• Enforcement has been mixed: While we have seen occasional enforcement actions under the ePrivacy Directive, the digital media market has largely been left alone over the last five years. Few publishers or third party technology companies have been getting dinged. A rule that isn’t enforced, really isn’t a rule at all; a rule that is ‘lightly’ enforced, is a rule that will see ‘light’ compliance investments.

As a result of these factors, consent interfaces have been common in the European market for the last five years, but they have varied widely in quality and ‘seriousness.’ Technology companies that integrate with publishers have been aware of the need for consent, but they have largely pursued legal paperwork routes to manage liability for consent, rather than pursuing technical methods for coordinating or validating the parameters for any consent that may have been obtained.

May of 2018 — GDPR arrives: solid orange

The full onset of GDPR, in May of this year, is perhaps the most significant development in Data Protection in decades. While most privacy regulations remain in the remit of policy geeks and lawyers, the 2–4% of global revenue fines have made GDPR the domain of CEO’s and corporate boards.

However, GDPR’s impact on consent in digital media is a bit more subtle.

• It’s unclear that GDPR requires consent for digital media: GPDR requires a lawful basis for processing, and consent is one of six potential bases. Legitimate Interest is another, and while this path requires robust notice, the delivery of all sorts of surrounding data subject rights, and a strict behind-the-scenes balancing test, it does NOT require consent. I don’t mean to suggest that this matter is resolved … there are many advocates (and industry participants, for that matter) that feel strongly that third party technology companies and advertising platforms in particular, are not in a position to qualify for a Legitimate Interest. At the same time, many of the leading privacy attorneys in Europe feel that a strong argument within the law can be made for a Legitimate Interest, including for behavioral advertisers. At some point, this will be settled. In the meantime, no clear requirement means that companies have a valid path to experiment. And many companies are in no mood to err on the side of throwing consent interfaces in front of consumers.
• The existing ePrivacy Directive will ‘upgrade’ to GDPR consent: The wobbly definition of consent under the ePrivacy Directive will now refer to the uniform and more conservative definition of consent under GDPR. One key new term under GDPR for consent is ‘unambiguous’, another is ‘specific’. With these parameters the cookie banners that have ruled the UK to date will no longer fly, at least in their current form. Does this mean ‘explicit’ consent? We’re not entirely sure. But it clearly means more than we have now. Experiments, course corrected through regulatory action, will determine how far beyond the current state the market ends up.
• Consent will be a substantially more common consumer experience: A powerful cocktail is coming our way, made with equal parts fear, confusion, ruthless self-interest, and good faith effort. All of this will combine to create new consent experiences rolling out in May, including some of the largest technology and media companies on the internet. Consent is about to become as common as icons in ads, but a hell of a lot more in your face. While it would seem that the current state of the market should have little impact on the substance of a legal requirement, in this case it might matter a great deal. If consumers come to expect robust consent experiences — as they already do for email and SMS, and regulators can point to your peers and industry cousins, who all seem to have their consent act in order, an existing legal requirement that burned at an imperceptible simmer can be made much more serious. If it does, the risk/reward of liability pushing as a complete consent strategy begins to look much less attractive.

At the same time, if consent is only required by the ePrivacy Directive, bear in mind that GDPR fines will not apply. Fining authority remains at pre-May (relatively low) levels.

Wild card:

• If Legitimate Interest proves to be unavailable to the media and advertising ecosystem, GDPR would end up effectively requiring consent. In this case, not only must consent be obtained for a much larger set of purposes, but GDPR fines would immediately apply.

2019 — The ePrivacy Regulation arrives: Flaming Red

At some point next year, we expect the ePrivacy Directive to be replaced with a Europe-wide regulation. The regulation, as currently proposed, is very confusing. It seems to disfavor consent barrier pages and the imposition of trade-offs (data for content), while at the same time requiring strict consent requirements for virtually all data collection. It seems to beg the major platforms (browsers, OS providers) to collect consent so that consumer don’t have to manage this on a company by company basis, but it also wants consent that is specific to the company. In any event, the platforms don’t seem inclined to collect such consent.

The proposed regulation is frankly a mess, but the following seems clear, if the current proposal carries the day:

• Consent will be clearly required for virtually all non-consumer requested features. This is a hardening of the current ePrivacy Directive and the standard for consent will continue to be as defined under GDPR.
• Fining authority will jump up to GDPR levels The stakes for non-compliance officially become intolerable for companies.

Wild card:

• The proposed Regulation is currently in the midst of a Trilogue phase, where the upper legislative body has an opportunity to advocate for substantive changes in negotiations with other constituents of the process. Members of the Council (one of the three major stakeholders) have indicated openness to exploring the insertion of a Legitimate Interest into the Regulation. If they succeed, and if a Legitimate Interest survives challenges to application in the digital media space, consent as a strict requirement may disappear entirely. When I speak to smart folks following this process closely, I get anywhere from an 8–50% chance of this happening. In other words, not the expected outcome, but somewhere in the range of a 3 point shot in the NBA. We’re just not sure if the shooter is Stephen Currey (44%), Charles Barkley (27%) … or … worse (shudder).

So do we need consent?

Our threat level appears headed for code red, and smart companies will be preparing for the likely outcome. But just like predictions for a weather pattern many months out, our ability to predict with precision is limited. So all we can say with confidence is that we’re sitting, for the moment, at tepid yellow.

Stay tuned …