Getting consent right is critical for the long-term health of the digital economy. So is there a right way for enterprises to ask their customers for private data? Regulators think so. In many regions, they are issuing new guidelines. Rimma Perelmuter, CEO of MEF, offers this summary…
Next year, the laws around data privacy in the EU will change. The General Data Protection Regulation is coming, and it will mandate new practices around the way companies active in the European Economic Area (EEA) collect, store and share customer data.
Everyone knows about GDPR. Well, everyone should know. Certainly, MEF and our members are doing their best to encourage discussion and collaboration on the topic.
To date, most of the focus has been centred on sharing best practice and information around what GDPR says. In other words:
- What does it mean to be a good steward under GDPR?
- Where do the opportunities lie in giving consumers control over how their data is managed (e.g. the Personal Data Economy)?
These are important questions to consider. However, it’s equally important to explore how to ask for personal data in the first place.
This issue – consent – is critical. After all, free-flowing data is good for the economy. And while evidence suggests most people are not happy to disclose their data, if they know what they are sharing and trust the enterprise asking for it, their attitude is different.
In fact, they will actively reward businesses they trust. Earlier this year, MEF’s Consumer Trust Survey revealed that 47 per cent of people will recommend a trusted service to friends and family, and 44 per cent will leave a positive review.
To shine more light on digital consent, MEF has just published a free white paper analysing all aspects of the issue. It explores legal definitions, best practice, regulation, technology solutions and more.
The paper shows how, at the most fundamental level, ‘getting consent right’ starts with communication. An itemised menu written in plain language is a good place to begin. Consumers will appreciate it.
But there’s more to it than presentation. New requirements under GDPR include gathering multiple consents and giving individuals the right to withdraw from a service. And yet organisations have to follow these guidelines without causing consumer ‘fatigue’. Legalistic solutions are clearly not the answer. So enterprises have to look into emerging innovative practices and technologies.
So let’s look at the key changes GDPR will bring.
As consumers, we’re all aware of the shortcomings of present consent practice. In theory all consent should be ‘informed’: a person must understand what they are signing up to. Sadly, this is not always the case. In fact, sometimes consent is deliberately confusing with its pre-ticked boxes and vast Ts & Cs.
GDPR aims to outlaw these shady practices and bring more clarity to digital consent. Its main goals are as follows:
• More transparency
They must also explain how they intend to use it, and if they plan to share it with third parties (for which they will also need explicit consent).
• No more implied consent
It used to be that signing up for some services was, in itself, enough to imply consent. No longer. The regulation states clearly that “silence, pre-ticked boxes or inactivity should not constitute consent”.
• No more bundled consent
Consent requests must be separate from other terms and conditions. Consent should apply only to the services it is relevant to.
• Better access to consent data
Under GDPR, enterprises must keep records of what individuals consented to. This should include what they were told, and when and how they consented. Users must be given access to this information at any time – and have the right to delete it.
• Higher standards of consent in special categories
When personal data is sensitive (racial origin, political opinions, sexual orientation etc), GDPR demands a higher standard of “explicit” consent. This could be an email or even a physical letter from the consumer.
• Better protection for children
Controllers must obtain the consent of a parent or guardian when processing the personal data of a child under the age of 16.
Clearly, GDPR will force many companies to face up to the challenge of making consent better for their customers.
That might be hard work for some. But the time is right. Our own research shows that consumers care deeply about this issue. To quote another finding from our Consumer Trust study, when asked what makes an app or service trustworthy, more people (33 per cent) pointed to a ‘clear, simple privacy statement’ than any other response.
Enlightened enterprises operating in EU markets understand this. They’re already putting in place forward-looking consent practices and collaborating to drive trust in data-driven services.
For the rest, GDPR will provide a legal nudge. In the long run, that has to be a good thing for everyone.