GDPR has been live for over a year now. After the rush last May to ensure that businesses would be compliant when it came to storing and using (or selling!) the personally identifiable information (PII) they hold about individuals, we thought we would take a look at the post-GDPR landscape. How has this regulation affected businesses, both within and outside the EU? The law applies to any website serving users in EU countries, regardless of where the company is located. Many American websites, including around a thousand local news sites, have blocked users in EU countries from accessing their sites altogether, thus ensuring they store nothing about people within the EU, including their IP addresses. [The blinding identity taxonomy initiative](https://www.dativa.com/blinding-identity-taxonomy/) has identified 46 different elements, IP addresses among them, as needing privacy protection. However, the majority of websites worldwide continue to have a presence within the EU, which means they have had to focus on protecting whichever of the 46 BIT elements they store about their EU-based users.
One of the impacts that interests us is that the number of third-party cookies on news websites within the EU has fallen by 22% since GDPR came into force; these are typically cookies set by advertisers who have a banner or an ad on a news site. The drop was measured between April 2018, before GDPR became law, and July of the same year, and focussed on seven EU countries: the U.K., Germany, France, Italy, Spain, Finland and Poland. Interestingly, the percentage varies between these seven countries, from a low of 6% in Germany to a high of 45% in the UK. It appears that these news organizations are blocking third-party tracking cookies until the user has consented to the website's terms and conditions. However, many sites have also been thoroughly reviewed by their owners, with unnecessary code and features removed, which will itself have contributed to the reduction in third-party cookies. Interestingly, tests done since GDPR have shown that the news website USA Today takes nearly ten seconds to load over a fast Internet connection in the US and less than half a second in the UK under the same conditions. This variation in speed leads to the conclusion that there have been considerable falls in third-party cookies and other website elements that slow down the loading of a page.
GDPR gives regulators the power to fine companies up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, and while we still haven't heard of significant GDPR cases in the news, 56 million euros' worth of fines have been imposed so far. Extreme cases take a long time to prepare, and both the UK and Irish governments claim that significant cases, which will hit the news, are developing over the summer. Meanwhile, 41% of UK citizens in a recent survey expressed dissatisfaction with the way companies look after their PII, with 12% having shut down a social media account because of data breach news stories.
One of the phenomena we saw in the weeks leading up to GDPR is what we would call "pass the liability" activity, also described as "hot potato", where everyone tries to ensure that someone else, and not them, is liable under GDPR. Lawyers have made much hay encouraging the rewriting of contracts to cover any problems with the authorities over GDPR. For instance, publishers who sell ad space are producing deals which make those whose ads they display responsible for paying any fine imposed under GDPR, while agencies are tweaking their contracts with those they buy data from to ensure that the data providers hold the responsibility. Should any GDPR cases reach the courts, the number of parties involved will be astronomical.
Consumers are also experiencing opt-in fatigue. With the spread of social media, it is easy for even a casual user to access 50 or 100 different websites in a week. Paradoxically, those who are most suspicious of privacy abuses are also those most likely to clear their cookies, either after every session or, say, weekly, and yet this unquestionably increases the fatigue, as each website asks the user to consent to its terms once again every time it installs one or more new cookies in the browser. Those who refuse may still be able to access the website, but refusing to consent increases the fatigue further, as every page now requests that the user opt in. The best way to combat opt-in fatigue is not to remove any cookies from the web browser and not to read the terms and conditions, but simply to tick the box. Even so, a typical user will spend more time than they want ticking boxes. This box-ticking is not what the EU intended.
Opt-in fatigue is also a big issue in marketing because, as with websites, marketing communications require consent. So if I enjoyed having products marketed to me via email, and often signed up to such schemes when available, I would almost certainly have been inundated with requests to confirm my consent to receiving these emails and to allowing these companies to store my PII. I signed up for marketing information and, as an average user, am likely to be irritated and exhausted by all this "junk mail", which I describe as such because it isn't the marketing information I wanted. Yet if companies fail to send me these emails asking for consent and opt-in, they are placing themselves in a very vulnerable position, as it only takes one complaint, perhaps from an atypical user, to see a company in court, facing the possibility of a hefty fine and damage to its brand reputation.