One Year of the GDPR

N.B. This article is a transcript of TheGDPRGuy Podcast Episode 11 – One Year of the GDPR from May 2019

So the GDPR has its first birthday tomorrow. One year ago I celebrated its momentous birth by going to a baseball game by myself in Nebraska. This year, the GDPR’s birthday is on a Saturday so I’ll probably celebrate this hugely important event by doing some housework. I may even clean the car. As you can tell, these dates are a big deal to me.

You’ll find a lot of talk at the moment about how the GDPR has changed the world and set a global “high bar” for privacy standards. You’ll hear how Europeans have been empowered with their new rights and are exercising them like never before. This all sounds lovely but it’s mostly untrue and irrelevant.

If I could describe the GDPR in two words it would be “shock wave”. There was a huge explosion of noise at the start, everyone got very interested and did their bit to achieve compliance, it reached far and wide and then it dissipated away. And one year on, I can’t help but think the world feels exactly as it did before.

And that shouldn’t be a surprise to anyone. After all the GDPR was merely an evolution of existing rules and not a revolution. But for many, especially within the Privacy industry, there was certainly hope that a culture of caring about privacy would improve. And the fact is it hasn’t.

So what has the GDPR changed in its first year?

Well, most visibly, if you’re in the EU then you’ll now be spending half of your time online reading cookie banners. I say reading but really I mean clicking the “I agree” button the very millisecond it comes on screen.

Cookie banners are an absolute nightmare and the result of a complete failure within the EU to get ePrivacy regulation right.

I’ll explain what the hell is going on with cookie banners and why there’s no end to this madness.

The background to cookie banners is that back in 2011, the EU agreed in its ePrivacy rules that websites have to get consent to enable tracking and the use of non-essential cookies. But the definition of consent was under the pre-GDPR rules, which allowed some wiggle room depending on your interpretation. This meant that most websites used an “implied consent” approach, showing a banner that basically said, “This website does stuff with cookies, deal with it” with an “Okay” button alongside. Then in 2018 the GDPR came along and confirmed that consent absolutely required a high standard and websites had to be private by default. The GDPR also confirmed the need for thorough transparency.

And here’s where it all got messed up.

The problem? It can’t really be done.

And the EU knew this, which is why it had planned for the new ePrivacy Regulation, with its ambitious plans for browser-based controls, to launch at the same time as the GDPR. And that never happened.

The problem websites have right now is twofold:

  1. There’s no technically sound way to adhere to the laws right now.
  2. The regulators show little sign of caring if you do.

Let’s look at the issue.

For starters, the ePrivacy laws and the GDPR require complete transparency, which means websites have to explain which trackers and cookies do what, and which ones are actually the data controller themselves, which ones are acting as a data processor for the controller, and which ones are a separate data controller with data effectively shared, given or sold to them. And amongst that you have the conflicting definitions of what a third party is. Is a security cookie placed by a data processor, such as a CDN like Cloudflare, also a third party?

Yes, I’m already boring you with this level of detail. Think of what this must be like for anyone not well versed in the fascinating world of ePrivacy.

And yet the website has to provide this transparency under the assumption that transparency creates an informed customer, which gives them control. Again, nonsense. This is best seen in the website cookie banners that show you all the hundreds of third-party ad networks, tracking systems and analytics providers – there is no way to really understand what is going on. Remember that the GDPR demands fairness, so all this information needs to be concise and simple too.

It’s a mess.

And remember that not all of these trackers and pieces of active content are out to get you. In most cases they help optimise the website to make it more usable, provide you with more relevant content and serve you deals. Abandoned basket emails are a great example, often relying on in-page analytics technology to know what products you care about and sending you the best offers. And even if you take issue with the current way personalised ads share your data with countless other organisations, people do prefer personalised ads over non-personalised ads. And turning this off by default does hurt users.

The ePrivacy Regulation, which shows little sign of arriving before 2021, was meant to bring the ePrivacy rules up to date by integrating the GDPR standard of consent and ensuring browsers could technically find a way to navigate the issue. But in its failure to arrive we have a mess of implementation. And what makes it even worse is that the EU regulators don’t seem to care.

If you look at the top ten retailers in the UK right now, not one has a website in compliance with the rules on cookies and trackers. There’s no enforcement by the regulators. Nobody cares. Which means that the next fifty retailers behind them aren’t going to care either, and so it goes on. As a Head of Marketing, or even the CEO of a small company, if you have a Privacy person such as me telling you to obey the rules, you’ll quite sensibly reply with, “But Apple, Amazon and Tesco don’t do it, so why should we?” You’ve done a little risk assessment in your head: the likelihood of any negative press or regulator enforcement is low, and the impact of such an event is also low, so the overall risk is negligible. That’s hard to argue with.

And do you know what, I think the regulators have got this right. In the grand scheme of things, enforcement of cookies and tracker non compliance should not be prioritised. I know that this opinion will make many a Privacy person’s head spin, and if that’s you, please feel free to turn away now.

Here’s my argument. The GDPR is rightly based on privacy risks, which vary to a greater or lesser extent depending on the scenario. And sensitivity to those risks depends massively on who you are. For instance, culturally, the UK is very different to Germany in how much it cares about surveillance and personal privacy. Within the UK we care little for the fact that London has the second highest density of CCTV surveillance in the world, with the first being Beijing. But we do care about data loss, and the security aspects of data protection are a much bigger concern to us. That’s probably why you’ve seen the ICO focus on fines related to inappropriate security. The UK population (and the US for that matter) care more about data security than data privacy.

And back to the cookie banners, ask anyone that works in Privacy, Security, or IT, (i.e. people that should know better), and most will freely admit that they don’t read the annoying cookie banner and just click whatever big green button removes the roadblock as quickly as possible. Even WE don’t care.

But this doesn’t make it right. And the GDPR tried to combat all this with its introduction of “Privacy by Default”, which should make websites private from the start and keep you safe from your own daft behaviour.

But again, a failure somewhere between the idealism of the EU and the deprioritisation in the regulators meant this never took off. What does Privacy by Default even mean? How private should a website be? What defaults, options and controls should exist? In the absence of any detail, Privacy by Default just hasn’t happened, which impacted cookie banners greatly, letting websites feel they could happily continue leaving trackers fully enabled by default.
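To make the difference between “implied consent” and the GDPR standard of consent concrete, and to show what “private by default” means on an actual page, here is an added example of a consent gate in JavaScript. It is not code from the original post or from any real consent tool: the tag registry, the category names, the URLs and the shape of the consent record are all constructed for illustration. The first loader is the pre-GDPR pattern (banner shown, every tag fires anyway); the second only loads non-essential tags whose category appears in an affirmative consent record, treats a dismissed banner the same as no record at all, ignores pre-ticked boxes, and still lets a processor-placed security cookie (the CDN case from above) load as essential.

```javascript
// Added example, not part of the original post: a minimal consent gate that
// implements "private by default" for a website's tags. Tag IDs, categories,
// URLs and the consent-record shape are assumptions constructed for illustration.

// Registry of everything the site could load. Each entry records its purpose
// category and the data-protection role of the party receiving the data, which is
// the transparency information the banner has to surface. "essential" entries
// (session handling, a CDN's anti-abuse cookie) need no consent; the rest are opt-in.
const TAG_REGISTRY = [
  { id: "session",        category: "essential",   party: "controller",             src: "/js/session.js" },
  { id: "cdn-security",   category: "essential",   party: "processor",              src: "https://cdn.example/challenge.js" },
  { id: "analytics",      category: "analytics",   party: "processor",              src: "https://analytics.example/tag.js" },
  { id: "basket-recover", category: "marketing",   party: "controller",             src: "/js/abandoned-basket.js" },
  { id: "ad-network",     category: "advertising", party: "third-party-controller", src: "https://ads.example/pixel.js" },
];

const ESSENTIAL = "essential";

// Pre-GDPR "implied consent": the banner is displayed but nothing is gated, so every
// tag fires on first paint, before the visitor has read or clicked anything.
function impliedConsentLoad(registry) {
  return registry.map((t) => t.id);
}

// Builds a consent record from the banner interaction. Only an affirmative "accept"
// with explicitly ticked categories counts; closing or ignoring the banner yields the
// same record as never having seen it, and pre-ticked boxes are not honoured.
function recordConsent(action, tickedCategories = [], preTicked = []) {
  if (action !== "accept") {
    return { granted: [], timestamp: Date.now() };
  }
  const chosen = tickedCategories.filter((c) => !preTicked.includes(c));
  return { granted: Array.from(new Set(chosen)), timestamp: Date.now() };
}

// GDPR-standard gate: essential tags always load; everything else loads only if its
// category appears in an affirmative consent record. A missing record means "no".
function gdprConsentLoad(registry, consentRecord) {
  const granted = new Set(consentRecord ? consentRecord.granted : []);
  return registry
    .filter((t) => t.category === ESSENTIAL || granted.has(t.category))
    .map((t) => t.id);
}

// Per-tag transparency text for the banner's "details" view: purpose plus the
// data-protection role of whoever receives the data.
function describeTags(registry) {
  return registry.map((t) => `${t.id}: ${t.category} (${t.party})`);
}

// Demo when run directly: node consent-gate.js
if (typeof require !== "undefined" && require.main === module) {
  console.log("implied consent loads:", impliedConsentLoad(TAG_REGISTRY));
  console.log("no record:", gdprConsentLoad(TAG_REGISTRY, null));
  console.log("dismissed:", gdprConsentLoad(TAG_REGISTRY, recordConsent("dismiss", ["analytics"])));
  console.log("accepted analytics:", gdprConsentLoad(TAG_REGISTRY, recordConsent("accept", ["analytics"])));
  describeTags(TAG_REGISTRY).forEach((line) => console.log(line));
}
```

The point of the split into `recordConsent` and `gdprConsentLoad` is that the default path, with no record, is the private one; the site has to do extra work to load a tracker, rather than extra work to suppress it. Whether the CDN's security cookie should count as "essential" is exactly the third-party definition question the text raises, and the registry makes that classification explicit rather than buried in a tag manager.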

But as this is the GDPR’s birthday, my gift this year will be given to the UK regulator, the ICO, for their excellent attempts to change all this with the introduction of their Age Appropriate Design Code. Don’t let the name fool you. This isn’t just about children. It’s a trojan horse to tell websites and apps (or Information Society Services if you want to use that strange term) how to implement Privacy by Default. It’s basically a GDPR how-to guide, so specific in its detail that the fact of its existence provides a stick to beat you with if you ever try to be vague on Privacy by Design and by Default. For instance, it says that you must treat all users as children with high-privacy defaults unless you can prove they are an adult. Proving age online is difficult to do and brings high friction, so only a tiny percent of websites will do this, thus pushing a high-privacy by default rule out to the whole UK.

Effectively, the ICO’s Age Appropriate Design Code gives the UK the world’s toughest ePrivacy rules, outside of places like China and North Korea. And if the ICO enforces it, then for the UK at least, cookie banners might see some real change.

As someone who writes, configures and deploys cookie banners, and also as someone that clicks through them at whirlwind speed, I feel this problem as much as anyone. They’re a huge annoyance and sadly give the general public the wrong impression of what the GDPR is. The GDPR isn’t about bureaucracy. Yes it can bring with it some more paperwork. And it hasn’t changed whether people deeply care about privacy, but it has got people talking about it. And considering it’s only one year old, I’ll take that as a win.

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.