GDPR: Understanding the Legal Framework
We all want our business to thrive. We all want to know our customers. And in our digital society, there are great tools available to achieve that.
The past decade has seen a proliferation of new marketing technologies (+5.000% growth since 2011), with the focus mainly on ever more far-reaching ways of collecting data and profiling consumers. This testifies to the two major trends within the marketing landscape:
- On the one hand, companies are increasingly competing in terms of customer experience and are continuously looking for tooling that will enable them to offer relevant customer experiences.
- On the other hand, FAANG (Facebook, Apple, Amazon, Netflix & Google) have made it clear that data brings power. The one who manages to collect the most consumer data puts competitors out of the game.
Today, we see that the MarTech industry is being forced to become more responsible, and quickly. It is therefore frustrating when significant limitations are placed on our ability to deploy such tools. And yet, this is the case for US-based MarTech tools used by European entrepreneurs: our GDPR (privacy) regulation sets requirements that are hard to meet.
So, starting from that frustration, the good intentions to offer value to the customers, and the obscurity of GDPR: why not be creatively pragmatic?
In this guide, we explain our interpretation of the recent court decisions on the use of marketing technologies. What is the impact of these judgments? And how can organizations deal with them?
Key elements of the GDPR
The complexity and uncertainty surrounding the use of marketing technology can be reduced to 3 key elements within the GDPR legislation. It is important to understand these elements properly before looking for solutions.
Definition of personal data
The GDPR applies when personal data is processed. Personal data is interpreted very broadly (Article 4 GDPR). In simple terms, it refers to every piece of information that can be linked to an individual person. This link can be direct or indirect.
The existence of a direct link refers to data that can in itself identify an individual. Data with an indirect link refers to data that can lead to an individual, not really by itself, but by combining it with other data.
In summary, the golden criterion for speaking of personal data is that data, on its own or in combination with other data, allows an individual to be singled out. Singling out means being able to point someone out of a certain crowd, to individualize someone.
Consent
While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the GDPR. The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.
The basic requirements for the effectiveness of valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous.
In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
For consent to be informed and specific, the data subject must at least be notified of the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations. The data subject must also be informed of his or her right to withdraw consent at any time. Withdrawing consent must be as easy as giving it.
Last but not least, consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing.
Data transfers
The next concept is the transfer of personal data outside the European Economic Area (the EEA). The EEA includes every EU member state, plus Norway, Iceland and Liechtenstein. A country outside the EEA is called a “third country”. A transfer of personal data to a third country is only lawful under the GDPR insofar as an adequate level of protection is ensured with that transfer. This means adequate in relation to the protection of personal data that is guaranteed within the EEA.
According to the GDPR, such an adequate level of protection can be guaranteed in three possible ways:
1 An adequacy decision exists for the third country (art. 45 GDPR).
This means that the European Commission has confirmed that the third country offers an adequate level of protection.
2 Appropriate safeguards are in place (art. 46 GDPR).
In the absence of an adequacy decision, appropriate safeguards must be provided. The most efficient and practical means that the GDPR indicates is the conclusion of standard contractual clauses (SCCs) approved by the European Commission with the entity in the third country to which the personal data are transferred.
3 One of the exceptions of art. 49 GDPR applies.
If you cannot provide appropriate safeguards either, there is a last resort: one of the exceptional situations of Art. 49 GDPR. Only one option is really relevant for our story, namely that the data subject has explicitly consented prior to the concrete transfer. But beware: for this to be valid consent under the GDPR, quite a few conditions must be met.
We already know that consent must be explicit, freely given, specific, informed and unambiguous. In addition, the GDPR explicitly states that for a transfer, the data subject must be informed in advance of the possible risks of such a transfer. In concrete terms, as a controller, you must inform the data subject that, by giving his/her consent, there is a risk that US authorities will be able to access his/her personal data.
Impact on MarTech
The cowboy years, when anything was possible and the sky was the limit, are over. Legislators are stepping in and are trying to protect consumers from the data collection frenzy. The EU took the lead with the GDPR legislation (in force since May 2018). And we are seeing similar initiatives in the US, South Africa, India and other countries.
The Austrian Data Protection Authority was first, on December 22, 2021, with the French Data Protection Authority CNIL following on February 10, 2022 and on March 2, 2022. On June 23, 2022, the Italian GPDP also released a similar statement. They all declared the use of Google Analytics illegal.
Considering the fact that more than 50% of MarTech solutions are headquartered in the US and that they are the dominant players in the market, one cannot help but conclude that many organisations will have to rethink their current marketing approach. Continuing to use the industry standard solutions has suddenly become a liability.
The positive side of this is that it forces everyone to think critically about the technology they use. What value do we actually get out of the technology? And do we really know how much data we are sharing with this third party? Simply using a solution “because everyone else is doing it” is no longer advisable.
The downside, of course, is that we lose some of the functionalities and methods we were used to in marketing. The impact of this will be for each organisation to decide. For example, it may be that an organisation will suffer a major competitive disadvantage if it is no longer able to personalise its customer experience. Or ad spend may rise as remarketing is no longer possible.
Thus, there is no unequivocal answer to the question of whether an organisation should switch to an alternative solution or not. This will always depend on the perceived value of the original technology, balanced against the expected costs associated with a migration. For example, a new implementation must take place, employees must be re-trained, internal processes must potentially be adapted and licensing costs must be recalculated.
Decision tree
Ultimately, as an organisation, you will need to do a risk assessment: what risks do we think we are running by using the tool in question? And do the benefits we experience when using the tool outweigh the estimated risks? The risk can be twofold: the chance that you will actually be fined and the chance that your public relations or brand image will be damaged by the attention that might be drawn to a complaint.
To help you evaluate what to do with a certain MarTech solution, we have made a decision tree (see figure 1) that guides you through the questions that you should ask yourself about the tool.
Eventually, you will end up with one of these four decisions:
1 Continue to use the solution as it is.
- We believe that the benefits of the tool outweigh the risk of receiving a complaint.
- Be aware that this involves an actual (potentially high) risk and is not advisable from a legal point of view.
2 Mitigate the risk by taking additional measures.
- We feel confident enough that the extra measures will be sufficient to defend our case in court if it comes to a complaint.
- Be aware that this approach does not completely eliminate risk. In particular, the potentially negative PR associated with a complaint remains difficult to eliminate.
3 Migrate towards European alternatives.
- We believe that we will get the same benefits from a European-based solution, without having to deal with the complexity of data transfers to the US.
- Migrating only one solution (e.g. Google Analytics) does not solve it. Be consistent and find an EU alternative for all cloud-based solutions your organization uses.
4 Stop using the solution.
- We came to the conclusion that we did not experience many benefits from the tool. It is not worth looking for an alternative or taking complex measures.
Conclusion
The MarTech domain is evolving at an accelerated speed. The main driver for these developments is nowadays no longer the new technological possibilities, but the stricter privacy legislation and the corresponding consumer awareness.
In this guide, we tried to provide a better understanding of the legal framework, and our handy decision tree to determine whether or not you should continue using certain solutions.
In follow-up articles, we will explain how recent court decisions impact the use of common marketing technologies and how organizations should deal with them.
Does all this seem very challenging to you? Then do not hesitate to call on specialised parties. For example, deJuristen in case of the legal framework and Stitchd for the technical possibilities. They support many organisations, both large and small, specifically in this area.