7 real life lessons about GDPR, cookies and consent for charities

James Gadsby Peet, published in William Joseph, Mar 2, 2020
Our prototype for a more compliant cookie tool here — which still has plenty of work to be done to it…

Following a call on Twitter for a cookie consent support group, we held a lunch & learn session where large and small charities came together to discuss their approaches to privacy, consent, GDPR and cookie policies.

We were joined by a couple of external perspectives too. Here’s what we learned:

1. Document all of the decisions you make

Lots of charities are wrestling with how to implement the various pieces of data protection legislation. They often receive conflicting advice from different groups of experts, as there are few established ways of working yet. The advice in the room was that if you document your decisions and your process, you will be in a far stronger position if you are asked to explain anything to regulators, whatever conclusions you have come to.

It is also worth remembering that the ICO's website is the definitive source of guidance for all of these conversations, not other 'experts' who are invariably trying to sell services through their content.

Finally, don't forget to consider the interplay between the different regulations, such as the GDPR and PECR (the Privacy and Electronic Communications Regulations, which are what actually govern cookies). Again, more guidance on this can be found on the ICO's website.

2. Be better than ‘good enough’ — for the sake of your brand

The GDPR and other regulations have all come about from consumer demand. People want greater control over which of their data is shared and how it is used. Brands shouldn't aim for the bare minimum they can get away with. There is a huge opportunity for organisations that want to lead the way in privacy. It is something that can have positive impacts for your brand, and that is particularly important for charities, which need people to trust them. At the moment almost all the conversations are happening on a compliance and legal basis rather than around what's best for the organisation as a whole.

3. Base your decisions on user research and insight

There is still much to work out when it comes to privacy and digital data. From the use of analytics cookies to retargeting to definitions of legitimate interest, there is no full picture or precedent for people to rely on as yet. So when making organisational decisions about this work, you should consult the people that matter most: your audiences. If you can show that research and how it supports your decisions, you will be in a much stronger position if regulators ask.

4. You have to make it as easy to withdraw consent as it is to give it

However you collect consent, you need to make it as easy to withdraw as it was to give (this is an explicit requirement of GDPR Article 7(3)). So if consent is given with a single tick box and a submit button, withdrawing it has to be just as simple. This means practices such as 'call us if you want to change your preferences', after people have given them on a digital form, aren't compliant.

5. Cookie notices have to include the purpose, length of storage and who it will be shared with

When displaying your cookie notice, you need to be extremely specific. You have to tell people why you want to set each individual cookie and how long it will be stored for. You also need to explain who the data will be shared with, named by company. So letting people opt in and out of a broad category of 'Analytics' or 'Marketing' cookies isn't enough. You need to say that you will be sharing information with Google, Facebook or Hitwise.

You can see our prototype for a more compliant cookie tool here — which still has plenty of work to be done to it…

https://medium.com/william-joseph/is-this-what-a-fully-compliant-cookie-consent-tool-looks-like-eab1721bcd32


6. Benchmark your cookie opt ins using server logs

Gov.uk are seeing about a 40% reduction in their analytics data after asking for explicit opt-ins (roughly a 60% opt-in rate). Others have suggested the drop is closer to 80% (a 20% opt-in rate) for sites that only ask for analytics consent rather than for any marketing cookies, an option only really open to government websites that don't need to worry about things like Facebook pixels.

Once you implement a tool that lets people opt in to Google Analytics, you will still need to extrapolate from the data you capture to get a sense of your overall traffic. You can do this by using your server logs to see how many pages are being loaded. If you divide that by the average number of pages per visit, you get a rough idea of the total number of visitors. Filter out bots and requests for static assets first, and remember that pages served from a CDN or the browser cache never reach the origin server's logs. It is far from accurate, but it will help you to collect some of the data our organisations are used to having.

Source: https://twitter.com/yahoo_pete/status/1230562192144994307
How Gov.UK ask for cookie permissions (Which is still arguably not compliant as they don’t include the analytics cookie provider)
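The estimate described in lesson 6 (page loads counted from server logs, divided by pages per visit, and compared with what the consenting analytics sample sees) written out as a small script. This is an added example, not code from the original post or from the William Joseph prototype. The log lines are constructed in the standard Apache/nginx "combined" format, and the consented page-view count and the average pages per visit are assumed figures you would take from the consenting Google Analytics sample.

```python
"""Estimate total site traffic from server access logs when only consenting
visitors reach Google Analytics.

Added example (not from the original post). SAMPLE_LOG is constructed; the
consented page-view count and pages-per-visit figure are assumed inputs.
"""
import re

# Combined log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Static assets are fetched alongside a page; they are not page views.
ASSET_RE = re.compile(
    r'\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?|ttf|map)(?:\?.*)?$', re.I
)
# Crude crawler/tooling filter; extend it with the user agents you actually see.
BOT_RE = re.compile(r'bot|crawl|spider|slurp|curl|python-requests', re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_page_view(rec):
    """Count only successful GET requests for pages from non-bot user agents."""
    if rec is None or rec["method"] != "GET":
        return False
    if not rec["status"].startswith("2"):
        return False
    if ASSET_RE.search(rec["path"]):
        return False
    if BOT_RE.search(rec["ua"]):
        return False
    return True


def count_page_views(lines):
    return sum(1 for line in lines if is_page_view(parse_line(line)))


def estimate_visits(page_views, avg_pages_per_visit):
    """Rough visit count: page views divided by the pages-per-visit observed in
    the consenting analytics sample (assumed to hold for everyone else too)."""
    if avg_pages_per_visit <= 0:
        raise ValueError("avg_pages_per_visit must be positive")
    return page_views / avg_pages_per_visit


def estimate_opt_in_rate(consented_page_views, log_page_views):
    """Share of logged page views that reached analytics: the effective opt-in rate.
    Capped at 1.0 because CDN- or cache-served pages can make analytics exceed the log."""
    if log_page_views == 0:
        return 0.0
    return min(1.0, consented_page_views / log_page_views)


def summarise(lines, consented_page_views, avg_pages_per_visit):
    views = count_page_views(lines)
    return {
        "log_page_views": views,
        "estimated_visits": estimate_visits(views, avg_pages_per_visit),
        "opt_in_rate": estimate_opt_in_rate(consented_page_views, views),
    }


# Constructed sample: 6 real page views plus assets, a crawler, a POST, a 404,
# a curl request and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2020:10:15:32 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"',
    '203.0.113.5 - - [02/Mar/2020:10:15:32 +0000] "GET /static/app.css HTTP/1.1" 200 812 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"',
    '198.51.100.7 - - [02/Mar/2020:10:16:01 +0000] "GET /donate HTTP/1.1" 200 7431 "https://example.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 Version/13.0.5 Safari/605.1.15"',
    '198.51.100.7 - - [02/Mar/2020:10:16:01 +0000] "GET /assets/logo.png HTTP/1.1" 200 2210 "https://example.org/donate" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 Version/13.0.5 Safari/605.1.15"',
    '192.0.2.44 - - [02/Mar/2020:10:17:45 +0000] "GET /about-us HTTP/1.1" 200 6002 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/80.0.3987.132 Safari/537.36"',
    '66.249.66.1 - - [02/Mar/2020:10:18:10 +0000] "GET /news/appeal-2020 HTTP/1.1" 200 5890 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.44 - - [02/Mar/2020:10:19:03 +0000] "POST /donate HTTP/1.1" 302 0 "https://example.org/donate" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/80.0.3987.132 Safari/537.36"',
    '192.0.2.44 - - [02/Mar/2020:10:19:20 +0000] "GET /old-page HTTP/1.1" 404 321 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/80.0.3987.132 Safari/537.36"',
    '192.0.2.44 - - [02/Mar/2020:10:20:00 +0000] "GET /news/appeal-2020 HTTP/1.1" 200 5890 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/80.0.3987.132 Safari/537.36"',
    '203.0.113.99 - - [02/Mar/2020:10:21:15 +0000] "GET /contact?source=email HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/80.0.3987.122 Safari/537.36 Edg/80.0.361.62"',
    '203.0.113.120 - - [02/Mar/2020:10:22:40 +0000] "GET /api/status HTTP/1.1" 200 45 "-" "curl/7.64.0"',
    '198.51.100.7 - - [02/Mar/2020:10:23:05 +0000] "GET /volunteer HTTP/1.1" 200 6120 "https://example.org/donate" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 Version/13.0.5 Safari/605.1.15"',
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    # Assumed figures from the consenting Google Analytics sample.
    print(summarise(SAMPLE_LOG, consented_page_views=2, avg_pages_per_visit=3.0))
```

Two caveats when you run this on real logs: the pages-per-visit figure comes from people who consented, and they may browse differently from those who did not; and if your site sits behind a CDN, use the CDN's access logs rather than the origin's, since cached page loads never reach the origin.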

7. Ask your media agency what they’re doing about Firefox and Safari

If you are buying digital display media, and in particular retargeting, you need to ask your media agency about Firefox and Safari. These browsers block third-party tracking cookies by default (Safari through Intelligent Tracking Prevention, Firefox through Enhanced Tracking Protection), so their users are much harder to retarget. Many media agencies are simply ignoring them and focusing on the browsers and users they can target, which potentially excludes a big chunk of your target market.


Director of Digital at William Joseph — a digital agency and BCorp. I’m always up for chatting about fun things and animated cat gifs www.williamjoseph.co.uk