When it comes to privacy and GDPR Tim Walters, Ph.D. is not only our go-to Rockstar, he works with an impressive list of organizations that seek out his advice on how to make their way through the complexity of consumer sensitivity and increasing legislation, yet still deliver a customer experience that they expect. So, when we decided to theme this issue on privacy, “Beg Data” was the first on the penthouse invite list and Ian Truscott asked the questions…

What’s your view on the current, seemly confused state of web privacy implementation?

Confused is the right word.

When the GDPR came into effect in May 2018, we were plagued with these bizarre cookie consent notices – the vast majority of which (at least 80%, in my view) obviously violate the regulation. Nevertheless, right through the summer and into the fall of 2018 there was hardly any word from the data protection authorities (DPAs). I called it the silence of the sheepdogs. But I should have known better: citing a company for violating the GDPR is not like writing parking tickets. It requires a very thorough, painstaking, time-consuming investigation and marshalling of facts, and can easily end with a report of 100s of pages. So of course it took time for the first decisions to appear.

From late 2018 and into Q1 of this year the decisions – most famously the €50 million fine by the French DPA against Google, but they’ve also been issued in Germany, Poland, the Netherlands, etc. – have exposed flaws like insufficient or unclear information, pre-ticked opt-in boxes, bundled processing purposes, or “cookie walls,” where the notice says simply “by continuing to use this site, you consent to . . . . “

So the summary is if you think you got it right the first time, or think the regulators really don’t care . . . you’re probably going to have to do most of it over again.

Browsing from the UK, I occasionally land on US websites that simply refuse to serve content, based on an unwillingness (I guess) to comply with GDPR or to accept the risk of processing personal data from the EU. What do you think of this?

Yes, the case I’m familiar with is the Tronc family of newspapers, which includes the Chicago Tribune and Baltimore Sun. First, one has to grant that companies aren’t obligated to do business in the EU. But then, will they also pull out of Brazil, because of the LGPD? Out of the dozens of other countries that are implementing or considering “GDPR-like” legislation? Will they stop doing business in California – the fifth largest economy in the world – due to the CCPA, as well as the many states that will implement equal or more restrictive regulations? In short, as the GDPR goes global, pulling out of every geography with a data policy you don’t like is not a viable business strategy.

We seem to be in a well-established content economy built on an exchange of content for data. To play devil’s advocate, if everyone blocks ads and refused cookies, this economy would collapse, no one could justify creating content?

I’ll see your devil’s advocacy and raise you another!

The question would have to be, how “well-established” and widely accepted can this content-for-data exchange be if so many people are tempted to install ad-blockers or refuse cookies?

Evidently, it’s a pretty awful deal, and they’ll jump at any chance to get out of it. And, seriously, if we remove the CMO hat and think like consumers, who can blame them?

Imagine you’re making a long drive on a hot, muggy day. At a roadside stop, someone offers you a delicious glass of iced tea – and it’s free! Oh, except that in exchange, they’re going to install a tracing beacon on your car so they can target billboard messages to you as you drive past. Really? A glass of tea for months of surveillance? How about I just agree to write you a nice Yelp review?

Ok, but still, there’s a view amongst many content producers that there needs to be some kind of quid pro quo with the audience, after all, good content costs.

When I was at CMO at censhare, I publicly stated we would share content without registration, someone in the comments compared accessing content without registration to theft. Isn’t it fair that in exchange for content there should be a transaction of sorts?  

Absolutely, good content costs. (And the problem is so many organizations try to do it cheaply, which is usually worse than no content at all.) But since we’re talking about CMOs  (rather than dedicated content publishers like periodicals), the question is, why do you bear this cost?

The time-honored answer is “to generate leads.” As more marketers grasp the benefits of content marketing, the better answer is, “to build audiences.” In any case, we’ve got to wake up from this delusion that more is better and instead focus on quality.

You, of course, made the right decision at censhare (a software vendor). If you gate that content, what do you get? First, a bunch of useless fake data. Second, a bunch of real data from people who don’t want a sales call – so you’re wasting your time and taking on the risk of processing personal data from which you get no benefit.

As you’ve often stressed, Ian, we need to flip this around. Instead of the marketer saying; “Hey, I gave you this whitepaper, you need to give me something in return!” it should be “Thanks for giving me your attention, here’s a whitepaper in return. If you find it valuable, please come back for more!” That way you appear as a trusted advisor rather than a desperate lead generator, and the value you deliver will be rewarded with a subscribed audience member.

And related to that, do you think this is the right of content publishers to refuse entry for people that refuse to consent to cookies? I’m referring to commercial properties here, not sites that share essential information we all need – do we have a right to free access content?

This would be a kind of cookie wall, which were declared to be a violation of the GDPR by the Dutch DPA in March. But you’re right, common sense says that a site owner ought to be able to dictate the conditions for accessing their site.

What you have to remember, however, is that protection of personal data is a fundamental human right in the EU. Accordingly, collection and processing that data requires a legal ground – of which there are six in the GDPR. For marketers, consent and legitimate interests are the most important.

But, for better or worse, “it’s my house and you’ll play by my rules” is not one of the legal grounds. As a site owner, you can certainly charge a fee to access content – so in that sense, consumers don’t have a right of free access to content – but you may not require the collection of data, beyond what is required for the site to function.

My previous role was with a German company, we implemented a very strict cookie compliance policy and we saw an immediate drop in recorded web traffic as a chunk of our audience went dark. What’s your advice to marketers, who need to justify content spend and balance this with privacy?

Did you lose half of your audience . . . or did half of your visitors do you a favor by telling you they’re not valuable leads (at least at this time)?

In a nutshell, my advice would be, don’t look at privacy as a hurdle or restriction that gets in the way of your marketing goals. Rather, ask how you can 1) communicate your respect for privacy and personal data and 2) offer real measurable, tangible benefits in exchange (“in order to improve your experience” does not count) in order to 3) increase trust among truly engaged and therefore far more valuable audiences and 4) build a competitive advantage out of what you tend to now see as a regulatory burden.

Who’s rocking getting the balance between the commercial drivers and privacy right?

Sadly, no one, as far as I know. A year after the GDPR, we’re surrounded by worst practices. Like I said, I don’t think it’s a good idea to view it as a balance between business goals and privacy concerns or requirements. Marketers should ask:

1) Are our cookie/consent notifications even legal (in light of the current and ongoing DPA decisions, which apply to anyone using the highlighted practices)?

2) Are they integrated into the overall customer experience strategy, rather than a hostile gateway? (I have yet to see any that are.)

3) Do we truly engage the consumer (or buyer – it doesn’t matter if it’s B2C or B2B) and offer a compelling value proposition?

4) How can we better understand our audiences in order to make the most compelling value proposition when requesting consent for data processing?

Who are the biggest culprits?

Facebook, Google, and the entire real-time bidding (RTB) advertising ecosystem.

Any final thoughts?

Just to return to the question about blocking content in the EU or other areas with regulations you don’t like.

I think it’s crucial to understand that for marketers, today, G.D.P.R does not just designate the EU’s General Data Protection Regulation. In addition to that, and far more importantly, there is clearly what I call the real GDPR – a Global Data Privacy Revolution.

Ultimately – and especially from a CX perspective – it’s not about satisfying regulators and avoid their possibly substantial fines. It’s about satisfying consumers and avoiding losing far more money because you’re unable to build trust, get access to data, and compete in this new data environment.

Thanks Tim!


Customer experience and data privacy consultant, writer, and keynote speaker, Tim Walters is a Vice President and the privacy lead at The Content Advisory, as well as a contributing analyst for TechGDPR and the founder of Zero Theory Solutions. You can follow Tim on Twitter

Share this article
You might also like