Collection of consents on the web: an encouraging state of affairs but in need of improvement
Collection of consent, state of play since the GDPR
Entering into force on May 25, 2018, the GDPR aims to, among other things:
“give citizens back control over their personal data, while simplifying the regulatory environment for businesses,” according to the European Council.
It therefore seems only natural that consent, allowing individuals to have this control, is one of the fundamental points of this recent regulation. Companies must comply with new constraints to legally collect and process personal data for commercial or analytical purposes. This is especially true for websites.
While a large number of them play the game, a significant proportion still barely do the minimum, or even less. This is what a study conducted by Converteo on 100 French websites shows: 67% of companies have adopted a Privacy Center (a module allowing users to precisely define their consents), and 86% of them have a properly integrated cookie banner. 18% have even gone so far as to implement a Cookie Center.
However, 38% of organizations do not ask for consent and do not provide any apparent information about the processing of personal data collected, while 44% cite legitimate interest as a justification, one of the other 5 legal bases for processing personal data.
Consent is therefore requested for commercial prospecting purposes only in 30% of cases, for personalization only in 16% of cases, and for analysis only in 2% of cases… Figures that still indicate a favorable evolution compared to 2017.
The only measure observed concerning Internet users under 16 years of age (the age from which the GDPR allows a person to consent alone, lowered to 15 in France) is the restriction of account creation and use, which is applied by only 44% of sites.
The December 2018 IAB France Barometer, on the other hand, focuses on the top 100 French media sites (according to the list compiled by the ACPM). Among them, 56% have adopted a valid consent management platform (a module that is displayed during the first visit to a site, in order to collect the user’s consent), compared to 48% in November, and 39% in October, so significant progress in a short time.
If all the sites are still far from collecting the consents of their visitors in accordance with the law, it is easy to observe clear improvements, sometimes provoked by the CNIL…
Practical cases of collection: warnings and clarifications
The administrative authority recently did not hesitate to issue formal notices to three programmatic advertising companies whose collection of consent did not comply with the GDPR: Teemo, Singlespot and Vectaury.
The first two cases were closed, but the third is still pending at the time of publication. In order to carry out advertising targeting, these three companies use development kits (SDKs) integrated in their partners’ mobile applications to collect users’ personal data.
Among the grievances raised against them:
- Information about the collection of consents and the processing of personal data was only accessible after the installation of the applications and the SDK;
- If an application already installed on a smartphone was integrated with the SDK, the SDK was installed without the user’s knowledge;
- Information about the consequences of refusing consent, the purposes of the processing, the companies processing the data and the partners with whom it was shared was far too vague, and more precise information was difficult to find when it did exist;
- Consent for the SDK was required to use the applications, while the collection of data was not necessary for their operation;
- Users could initially only give their consent globally for all the processing operations carried out, without knowing their various natures. The possibility of specifying choices for each processing operation only appeared later. Vectaury had specified in its contracts with its partners the obligation to collect consents for each purpose, but this precaution was clearly not sufficient for the CNIL.
These cases are therefore a reminder of the characteristics and requirements of a valid consent, in particular the obligation to provide detailed information about each processing of personal data, and the fact that users must knowingly give their consent for each of them.
Collecting consent from users
According to a study by Opinion Way, while 72% of French people accept the privacy and cookie policies of the sites they visit without reading them, 86% think that companies use their users’ personal data without their consent. Moreover, only 38% believe that companies give their customers a choice regarding the data they collect. A general feeling that is not very positive…
The Privacy Barometer conducted by Commanders Act provides more precise information about the reactions of the French to consent requests. This study is based on the analysis of the behavior of 10,450,000 Internet users, and reveals that they view the consent messages about 1.8 times before making their choice, a decision that is therefore taken from the first time it is viewed.
Few are more interested, as only 0.1% reach the pages that allow for cookie settings, and only 0.07% inquire about pages that explain how to change the acceptance settings in the browser.
The report also indicates that three techniques for collecting consent on websites each lead to different results:
- Strict consent, which takes the form of a message and an “Accept” button upon entering the site, leads to an acceptance rate of 28%.
- Soft consent, collected as soon as the user reaches a second page of the site, leads to 69% acceptance.
- Super soft consent, collected as soon as the user scrolls down the first page, which is currently authorized but questionable, and which will probably be prohibited by the next ePrivacy directive. It leads to an average of 78% acceptance.
These rates reach 56% on PCs, 59% on cell phones and 76% on tablets. The report explains these variations by the difference in the size of the consent pop-ups depending on the device, which are much larger on mobile and tablet devices. It would seem that Internet users prefer pop-ups that are clearly visible and stand out from the site, provided that they do not completely hide its content.
Even if the French have a rather negative opinion of the way organizations generally handle their personal data, they are in favor of their use with consent in the majority of cases, and seem to prefer clarity and transparency. At the same time, despite the overall efforts of companies to provide compliant consent requests, many are not up to speed, or could improve.
In any case, they would certainly benefit from it, as the CNIL does not hesitate to reprimand breaches of the GDPR on this point, and the ePrivacy directive will bring some clarifications in the near future. Given this context, and faced with a real growing distrust of consumers as well as a rejection of traditional commercial prospecting, companies would be well advised to move towards “positive” marketing.
Informing customers, giving them a real choice, proposing to them in all transparency to provide their data and preferences in order to adapt to their expectations, in short:
Differentiate yourself by showing you are worthy of their trust through the collection of their consent.