As always, this is meant to be general guidance and should not be viewed as legal advice. Please consult with your legal counsel to ensure your actions align with the interpretations and requirements of your legal team.
When it comes to collecting data about your consumers, the ever-shifting rules and regulations are enough to make your head spin. Given the complexity of the landscape, many marketers (and analysts, for that matter) aren’t clear on what the rules are and how to handle the requirements for consent.
As a result, many companies get into trouble, either because they think they’re compliant when they aren’t, or because they miss out on opportunities to gather anonymous data because they don’t want to do anything wrong.
If either of those scenarios describes you, I have good news for you: once you understand some key details about existing regulations and requirements, you can confidently collect and use data while remaining compliant with all applicable laws and regulations.
To help, I’ve put together a brief guide to walk you through what you need to know about data collection, cookies, and consumer consent. We’ll explore the requirements according to the main pieces of legislation currently in effect (EU ePrivacy Directives, General Data Protection Regulation (GDPR), and various state-specific U.S. laws). Then, I’ll share a few technical solutions that can help you maintain compliance while still collecting compliant, anonymous data.
Consent For European Users
A quick note: European law differs from United States law in that there are two types of legislation: Directives and Regulations. From the official Europa website:
- A “directive” is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
- A “regulation” is a binding legislative act. It must be applied in its entirety across the EU.
This will be very important when discussing the requirements as outlined in the ePrivacy Directives and GDPR. Rules regarding consent and cookies are country-specific, while rules regarding consent as a lawful basis for processing apply to all EU members. Let’s explore this nuance and what it means for you.
EU Directive 2009/136/EC (EU ePrivacy Directive)
The EU ePrivacy Directive, which applies to organizations who have users in Europe or operate in Europe, was passed in 2009 and amends EU Directive 2002/22/EC which was originally passed in 2002. In the context of marketing and advertising, the directive importantly speaks to the storage and accessing of information from a user’s terminal equipment. From the text:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing”
EU Directive 2002/22/EC Article 5(3)
For our practical purposes, the directive is governing the use of cookies (small text files stored on a user’s browser that contain a unique anonymous identifier associated with that user). It means that you are required to get informed consent from your users prior to accessing or storing anything on their terminal equipment (i.e. browser). Put simply, you need the user’s consent before setting or accessing a cookie. No consent—no cookies.
To comply with this directive, most organizations use “cookie banners,” which pop up on a website when a user first visits. These banners make clear to the visitor that the website uses cookies. Their prevalence is why the country-specific laws passed to satisfy the directive became known as the “EU Cookie Laws”.
For many years following the passage of this directive, confusion reigned supreme. Because the EU legislation was a directive, each country had its own rules regarding the definition of “informed consent”. Until GDPR went into effect in 2018, as far as this directive was concerned, if a user continued to use the service (i.e. the website) after viewing the banner, the site was able to set and access cookies. Marketing and advertising practices were largely not impacted.
This changed with the codification of the definition of “informed consent” following GDPR. Let’s explore this regulation and its implications.
GDPR, Consent, and Personal Data
GDPR, which passed in 2016 and went into effect in 2018, overlaps the EU ePrivacy Directive. Despite their similarities, these are two separate pieces of legislation, and it’s important not to confuse them.
Like the EU ePrivacy Directive, GDPR applies to organizations that operate in Europe or have users in Europe. While it has many provisions, one of the most important is that the GDPR expanded on the directive’s requirement for consent by specifically defining what “consent” means. Consent is defined in Article 4(11) of GDPR as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Being a regulation, this definition applies to all prior EU data protection laws, including the country-specific laws meant to satisfy the ePrivacy Directive. This means users must provide an unambiguous indication of their informed consent before cookies used for purposes of marketing and advertising can be stored or accessed on the user’s terminal equipment (browser).
In addition to codifying the definition of consent, GDPR also requires that any processing of personal data must have a lawful basis for that processing (personal data in this instance is defined as any information that can be used to directly or indirectly identify a natural person).
It is an important note that consent does not have to be the lawful basis for processing personal data for purposes of marketing and advertising. GDPR specifically states in Recital 47 that “…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” It is possible that you can process personal data without consent so long as you have taken the necessary steps to justify said processing as a legitimate interest.
[For more information about lawful basis of processing, consult our eBook for marketing and advertising professionals on GDPR.]
If your organization is using consent as the lawful basis for processing, then not only do you need to get explicit prior informed consent before setting and accessing cookies on the user’s machine (due to ePrivacy laws), but you also need to get consent to collect and use any of that user’s personal data (to satisfy GDPR).
Here’s what many people don’t realize, though: for measurement purposes, you can often aggregate anonymous data about how users interact with your websites, without the use of cookies and without explicit consent. You can then use this anonymous interaction data to report on things like how many conversions and/or transactions have happened, which products or content are viewed the most, or which articles on your website are the most popular.
EU Consent Requirement Summary
To simplify and summarize, the following consent requirements apply when dealing with users from the EU:
- Consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes”
- Consent must be given for the storage and accessing of cookies from a user’s device (ePrivacy)
- Consent may be used as the lawful basis of processing a user’s personal data (GDPR).
Data and Privacy in the United States
The EU Data Protection Directive and GDPR govern organizations in Europe (or organizations that have users in Europe). The United States, though, has its own set of regulations and laws, and if you operate in America or have American users, you need to be aware of those.
What can make U.S. privacy regulations confusing is that there is currently no federal legislation in America around data privacy. Instead, individual states are passing their own laws, which means regulations can vary widely. Some of the most notable of these are the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Privacy Act (CDPA), and the Colorado Privacy Act (CPA).
Because different states have different legislation and rules, it’s important to make sure you know the regulations that apply to you. However, in general, U.S. law does not have the same explicit, prior consent requirement that the EU does. Instead, U.S. laws are focused on the user’s right to opt out of various usages of their data, such as the selling or sharing of their personal information (which may be defined differently in different states).
For example, a company could still collect complete information from a user in Virginia who has opted out of their data being processed for profiling and advertising; they just need to ensure that data is not used for profiling or advertising (i.e. the user could be used for analytics purposes but could not be included in audience lists or analysis for look-alike audiences). This sort of nuance is why it’s so important to understand the laws that apply to you.
Cookies in the United States
The other distinction between current U.S. regulations and the EU is that the United States does not focus on cookies in the same way. In the United States, you can set and access cookies; you can collect any information you want; and you can use that data for your own internal purposes. The only thing you cannot do is sell, share, or process personal information collected for purposes of profiling and advertising for users that have opted out.
That’s a huge opportunity, because it means you can still use the information you collect for general reporting purposes and for getting information about transactions, optimization of your website, and so on. And, it’s yet another example of why understanding regulations around consent is so important.
U.S. Consent Summary
To succinctly summarize consent requirements in the United States regardless of the legislation:
- U.S. laws follow an “opt-out” model and do not require prior explicit consent
- U.S. laws do not concern themselves with cookies but rather how you are processing/using personal information
- U.S. laws allow users to opt out of the use of their information for purposes of advertising, but this does not extend to the usage of information for purely analytics purposes.
Customizing Your Consent Management Practices
Maintaining compliance with EU and U.S. laws and regulations isn’t always straightforward. The challenge comes with how to get the data you need and are legally allowed to collect without processing any data you don’t have a right to—and then ensuring you’re using that data in a legal way.
That’s where consent management comes in. You can’t use just any platform, though: you need to use solutions with the technology that allows you to customize your data collection and processing settings. That way, you can collect the maximum data allowed for each user while remaining fully compliant with all applicable laws and regulations.
To start, it is likely beneficial to leverage a Consent Management Platform to manage the user’s consent experience and properly provide transparency into data processing practices as well as a mechanism to both opt-in and opt-out (where each is applicable).
Beyond just the CMP to manage the consent experience, various platforms are beginning to introduce the ability to customize the behavior of tags based upon the user’s consent indications. One of the best examples of this type of solution is Google’s “consent mode,” which has been introduced for all Google tags. It applies to Google Analytics, Google Ads, and Floodlight Tags. Consent mode limits the usage of cookies and processing behavior for users that have not granted consent, allowing you to collect anonymous data while maintaining compliance.
Google also offers functionality within Google Tag Manager to simplify the configuration of consent for both your Google and non-Google tags.
Google isn’t the only one with these options. There are a number of other platforms that are embedding similar functionality in their tags and technologies as well. This removes a lot of pressure if you’re the marketer or analyst setting everything up, because the new technologies take care of everything for you.
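How the consent mode behaviour described above can be wired up in a site's own script, as an added example that is not code from the original post or from Google. It assumes gtag.js is loaded separately and that your CMP or geolocation supplies the visitor's country code; `EU_REGIONS` (a constructed, partial list), `all`, `CHOICES`, `recordChoice` and `effectiveConsent` are names chosen for this example, while the signal keys (`ad_storage`, `ad_user_data`, `ad_personalization`, `analytics_storage`, `wait_for_update`, `region`) are consent mode's documented parameters.

```javascript
// Added example (not Google's code or the post's): consent mode defaults that give EU
// visitors an opt-in start and US visitors an opt-out start. Assumes gtag.js loads
// separately and your CMP supplies the country code; EU_REGIONS is a constructed, partial list.
const EU_REGIONS = ['AT', 'BE', 'DE', 'FR', 'IE', 'IT', 'NL', 'ES', 'SE'];
const all = (v) => ({ ad_storage: v, ad_user_data: v, ad_personalization: v, analytics_storage: v });

// Stand-in for the standard gtag() snippet: calls queue on the dataLayer until tags load.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }
function resetDataLayer() { dataLayer.length = 0; }

// Defaults must be queued before any Google tag fires.
function setConsentDefaults() {
  // EU visitors: nothing stored or read until they opt in (ePrivacy + GDPR consent).
  gtag('consent', 'default', {
    ...all('denied'),
    wait_for_update: 500, // ms to hold tags while the CMP loads a saved choice
    region: EU_REGIONS,
  });
  // Everyone else (the US opt-out model): storage allowed unless the visitor opts out.
  gtag('consent', 'default', all('granted'));
}

// Pushed by the CMP on a choice; a US opt-out withdraws only the advertising signals.
const CHOICES = {
  eu_opt_in: all('granted'),
  us_opt_out: { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied' },
};
function recordChoice(choice) {
  if (CHOICES[choice]) gtag('consent', 'update', CHOICES[choice]);
}

// Replays the queue the way consent mode resolves it for one visitor: a default whose
// region matches beats a global default, and an update overrides either default.
function effectiveConsent(countryCode) {
  const state = {}, fromRegion = new Set();
  for (const [cmd, action, params] of dataLayer) {
    if (cmd !== 'consent') continue;
    const { region, wait_for_update: _w, ...signals } = params;
    if (action === 'update') Object.assign(state, signals);
    else if (region && region.includes(countryCode)) {
      Object.assign(state, signals);
      Object.keys(signals).forEach((k) => fromRegion.add(k));
    } else if (!region) {
      for (const [k, v] of Object.entries(signals)) if (!fromRegion.has(k)) state[k] = v;
    }
  }
  return state;
}
```

Check in the browser's dataLayer that the two `default` entries appear before any Google tag's own events; a default pushed after a tag has fired does not take effect for that page view.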
[Implementing a consent management strategy? We’d love to help! Tag Inspector is used by thousands of sites globally, contact us here to learn more.]
The Importance of Getting the Right Data
The rewards of understanding and adhering to the applicable regulations cannot be overstated. Once you know exactly what data you can collect, how to get consent, and how to appropriately use the data you do collect, you will be able to achieve much greater insight to campaign and site performance as well as optimize user data for those that do consent. You’ll be able to gather and analyze the information you need to optimize your site, your offerings, and your content.
Do your due diligence, make sure you have a baseline understanding of the applicable requirements, and then build from there. And, remember, there are many existing technologies that will help you, so you don’t have to go it alone.