As the first point of contact with consumers, publishers are in most cases shouldering the burden of gaining user consent for data usage under the EU’s new General Data Protection Regulation (GDPR), which comes into force on Friday 25th of May 2018.
And with GDPR just a few days away, we’ve started to see publishers update their privacy policies and their privacy pop-ups, many of which are similar to what users will have encountered following the EU’s regulations on the use of cookies in 2012. Thus far we’re seeing a range of interpretations (though its worth noting, some of these mechanisms may again change after May 25th), though it’s worth stressing that GDPR is a broad regulation covering many industries, meaning each industry has had a job of interpreting its obligations under GDPR, so there is still no agreed standard for how publishers get consent. It’s therefore not been clear how different the new consent mechanisms will be from existing cookie notifications.
Will they look and operate the same, as a small notification which assumes consent if the user continues browsing? Or will they appear as landing pages which require users to give explicit consent to data usage before they’re allowed on the site?
Here are what some of the first-movers are doing:
Google is undoubtedly expected to be subjected to particularly close scrutiny by European regulators, so it might be expected to play it safe when it comes to gaining consent. Currently, Google displays a “privacy reminder” which appears on the Google homepage and on YouTube; this reminder is currently optional, and can be postponed or ignored, though this may change come May 25th.
The reminder gives links to Google’s updated privacy policy which will take effect on May 25th. Users can either accept these terms, or click ‘other options’, which leads them to a hub for turning off some of Google’s tracking based features. A user can choose to turn off their history tracking on Google and YouTube, and can also turn off Google’s ad personalisation on Google search and across the web.
Oath
Oath has opted for a mandatory consent check – on Tumblr at least for now. Tumblr automatically directs users to a page giving details on its updated privacy policy, which provides links to other pages where users can adjust their preferences and see more information on how their data is used. The page currently lets users either accept the terms or “do this later”.
However on other Oath properties like Yahoo and HuffPost, consent is still gained via a standard looking cookie notification, which assumes consent if the user continues browsing the website.
Dailymail.co.uk
The Daily Mail’s consent mechanism appears as a pretty standard cookie notification, but clicking on “see our privacy settings and policy” directs users to a screen where they can see the Mail’s ad partners, and can either disable each one individually via links to their privacy policy pages, or can choose to block all of them via one click.
ITV
ITV currently has a compulsory consent check which must be completed when a user visits its domain for the first time. ITV’s mechanism doesn’t give an option for users to give consent via continued browsing; they may adjust cookie settings via a link provided, but must explicitly agree to ITV’s data use detailed on an updated privacy policy before they can continue browsing.
Cookie Control
Cookie Control, the tool used by UK’s own Information Commissioner’s Office, has been updated for GDPR compliance. The tool is accessed via an icon in the bottom-left of the screen, which opens a sidebar where data permissions can be adjusted, giving users the option to turn off certain types of cookies and tracking features including Google Analytics, Facebook Pixel and Google AdWords.
Several others have updated their privacy policies, with new policies taking effect on May 25th, but these are currently reached via a fairly standard looking cookie notification (again, this may change come Friday).
Twitter’s terms and conditions have been updated with a clear GDPR focus, for example with explicit explanation of how users can access, delete and move their data:
Channel 4 has also updated its cookie and privacy policies, giving much more detailed information about what data is collected and how it is used, but again this is only accessed by a cookie notification which can be ignored.
Ziff Davis, the publisher behind Mashable, IGN and AskMen, also “encourages” users to read its updated cookie and privacy policies, which have been updated with specific reference to GDPR, but again this can be ignored, and consent is assumed by continued use of the site. This looks like one of the smarter solutions, as the notification is obvious and perfectly visible, but doesn’t take up a third of the screen like some of the others do.
