GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
2019
Presented by Piwik PRO
GDPR vs the status quo
We are in the middle of a battle between two competing philosophies of how personal data should be handled on the internet.
On the other side is the General Data Protection Regulation (GDPR) and like-minded data privacy advocates. They endorse a system where internet users decide on collection of their data only after seeing an explanation, in plain language, of how their data will be used. However, this ask-first-collect-later approach reduces the amount of data businesses have at their disposal, putting in doubt the profitability of some free products and services.
GDPR has been in force since May, but what has really changed? This report tries to answer part of that question by examining how organizations in the EU and North America are collecting and using data consents for EU internet users.
The tech and advertising companies that have a stake in keeping the status quo won’t change without more of a fight. But how are other websites reacting so far? If consent mechanisms are in place, do they work according to the GDPR philosophy? Or have organizations opted for a hybrid approach?
GDPR consent
Consent is one of many bases for data processing. We’re focusing on it exclusively because it’s simple to evaluate in practice. Most website owners want to use personal data in the form of persistent tracking cookies. Under the GDPR, they should ask for consent.
Methodology and scoring
We checked 25 websites in each of 8 countries, selecting 5 large and visible organizations from each of 5 different sectors (200 websites in total).
Maximum score: +10. Minimum score: -5.
Example criteria: +2 for a clear choice about data collection; -2 for third-party cookies placed without consent.
Chart: scores for all 200 websites (each vertical line is a score for one website), European Union and North America shown separately, with averages. The chart itself is not reproduced here.
Sector averages (for the EU only*)
Banking: 2.10
Insurance: 1.87
Media: 2.47
E-commerce: 1.73
Government & Education: 1.70
Callouts: Insurance in Germany 4.8; Government & Education in Belgium -1.2
*The relevance of the GDPR to some of these industries in North America is unclear. Does a US bank operating only in the US have to comply with the GDPR when an EU citizen visits the site? We don't know yet how the regulation will be enforced. For this reason we decided not to include American and Canadian websites in the sector average results, as they would serve to, maybe wrongly, depress the scores of some industries more than others.
87% of websites clearly mentioned data subject requests.
36% of websites offered a clear choice about data collection.
High scorers: 5% of websites surveyed
• No third party cookies without consent
• Clear way to exercise data subject rights
Trends worth noting
Towards GDPR
Clear-headed description of choices
Many took the spirit of GDPR to heart and tried to describe in very clear and direct terms how their websites worked, even if other parts of their website didn’t show that same spirit. For example:
Where a choice was available, the popups or chat box style menus were usually clear and easy to use. There were also many varieties, indicating that there is a healthy market developing around displaying and gathering data consents.
Exaggerated importance of cookies and tracking technologies
Instead of stating in plain language what they want to do, i.e. “we record your personal data for purposes x, y and z”, many websites jumped right into the details. They contained long technical explanations of cookies complete with the names of every cookie file and the variables stored within. While the completeness is appreciated, these organizations have forgotten that most people don’t understand or care about such details.
Expert analysis
We asked 4 internet data privacy experts what they thought were the biggest events of 2018 and what to expect in 2019.
Follow @johnnyryan
Every time you visit a website and see a “behavioral” ad, intimate personal data about you, what you read online, and your device, is broadcast to tens or hundreds of companies.
But this broadcast is unlawful under the GDPR. Article 5(1)(f) says that personal data must be “protect[ed] against unauthorised or unlawful processing and against accidental loss.” If one can’t protect the data, it must not be used.
But billions of bid requests are broadcast each day. This is the most massive data breach that internet users have ever suffered.
Few noticed what I think was an important privacy event in 2018: the new RTB “3.0” specification was released in November. Despite serious complaints before European regulators regarding bid requests, RTB 3.0 did nothing to fix the issue.
Aurélie Pols
Privacy Engineer & founder of Competing on Privacy
Follow @AureliePols
• Data privacy is bigger than data breaches and GDPR fines, it also affects the future of how we work. The European Group on Ethics in Science and New Technologies did a great job at describing a path forward when it comes to AI taking over our jobs.
David Clarke
Founder of GDPR Technology Group and Cyber Security advisor
Follow @1DavidClarke
2018 was the GDPR’s year of codification. 2019 will certainly be the year of its enforcement.
Since the GDPR has come into force, several high profile incidents have been brought to the attention of regulators.
Also important to take into account is the rise in reporting of complaints by the public. By August of last year, ICO had already seen a doubling in complaints since the GDPR came into force – a trend expected only to accelerate according to officials’ predictions.
Maciej Zawadziński
CEO of Piwik PRO and Clearcode
Follow @zawadzinski
Predictions for 2019:
• Huge crimes, little sins. Headlines about ever bigger data breaches are becoming commonplace, but many smaller privacy violations likely go unnoticed. Small- and medium-sized companies are aware that data protection authorities don’t have any tools to scan the whole internet for violations and they’re taking advantage of the situation. This won’t change in 2019 but users can support an ethical evolution by asking questions, enforcing their rights and making more conscious choices.
• It’s likely that ePrivacy will be delayed again due to a turbulent outlook for 2019. The chaos in the EU because of a possible economic downturn, Brexit and other sensitive political dilemmas will cause us to wait another year for the lex specialis to the GDPR.
Report methodology notes
Members of the Piwik PRO team collected the data in December of 2018 and January of 2019.
Neither the choice of countries nor the choice of websites was meant to be wholly representative of the EU or of any given country or region. We intend this as an introductory study to get a general idea of how local actors have interpreted and reacted to the GDPR.
Scoring
Some of our scoring criteria deserve further explanation.
About Piwik PRO
AdTech and MarTech experts founded Piwik PRO in 2013 due to the lack of an analytics stack that was both high performance and privacy-friendly. Our suite of products marries privacy by design, flexible hosting and full data ownership with enterprise-level features and support.
The Piwik PRO team consists of seasoned analytics experts and engineers who have advised on and delivered a wide range of successful implementations. Acting as your technology partner, we share our expertise, tailor our products and services to match your particular goals, and support you from start to finish. We take enormous pride in helping businesses and public sector organizations thrive!
Contact
NORTH AMERICA: 222 Broadway, New York, NY 10038, USA. +1 (888) 444 0049
DACH: Lina-Bommer-Weg 6, 51149 Cologne, Germany. +49 221 6430 7750
BENELUX: Stationsplein 45, unit A4.004, 3013 AK Rotterdam, The Netherlands. +31 858 881 458
UNITED KINGDOM: 15-17 Leeke Street, London WC1X 9HY, United Kingdom. +44 2033182881
Web: https://piwik.pro
Email: sales@piwik.pro