Working the Law Part 2 - Data, Cookies & Soggy Bottoms
At Station10, we love 3 things: new technology and all of its applications, ethical and compliant data collection and usage, and the Great British Bake Off. Unfortunately, one of these three things doesn't tend to overlap with the others on a regular basis, so we don't get to blog about it, but on this occasion it actually does, so I'm going to run with it (bear with me, it all makes sense why in the end!).
Last night was 'Dairy Week', where the contestants had to bake a number of items including cultured dairy produce. Everything went as you would expect until the technical challenge. Here, Prue set a challenge to bake a set of 'Maids of Honour', which were a type of tart that none of the bakers had seen, heard of, baked or tasted before. As always, Prue left them with a parting thought, and they were off to the baking. With the technical challenge, as always, they were given a set of technical descriptions on how to bake the tarts, but without context or detailed descriptions, no one was any the wiser as to how they should look or come out. At the end of the bake, you had all of the contestants lined up, with bakes varying from 4 puddles of baking to some that looked quite nice (well, I'd have eaten them happily).
The moment of truth came, Prue and Paul came out, and the first thing they said was 'none of these are right'. Some were better than others, but as the end results had never been seen before, no one knew what they were aiming for, so all of them missed the point.
So, why do I talk about these miscooked dairy bakes?
I feel this is a fitting metaphor for where we are currently with the application and implications of GDPR and the ePrivacy Directive.
We've all been given a recipe, that's really quite detailed, but none of us have been here before. We've not 'tasted' what good compliance and customer experience looks like from a GDPR sense. All we have is a Paul Hollywood shaped ICO, warning us that what we have baked has a 'soggy bottom'.
What the regulations have given us is a number of challenges to overcome, which I don't think many people have actually got to the bottom of. The two biggest of which, for me, are the 'pseudonymous/anonymous' and 'directly and indirectly identifiable PII' tightrope, and the differences between PECR and GDPR in terms of what needs to be shared.
The Pseudonymous/Anonymous argument is one that I regularly have with clients and my esteemed colleagues at Station10. When is something anonymous, and when is it not? Is Web Analytics data ever actually anonymous?
What is classed as anonymous and pseudonymous? In GDPR terms, there is a pair of GBBO 'technical challenge' definitions:
Recital 26 defines Anonymous data as "information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable".
Pseudonymisation is defined as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual".
So, is Analytics data anonymous? I believe not, and here's why. Analytics data is made up of an aggregation of a host of 'identifiers' (be it cookies or whatever tech you choose to use for the devices you are on) to give us 'anonymous' data. My position is that the 'identifiers' are just that, identifiers. If you can drill down into any data set to an 'individual' item, it can't truly be anonymous data.
To give you a case in point, take a website which is pure brochureware, with lots of pages of pretty images and interesting prose about why you should use the company's services. The company uses a web analytics package to measure its use, and looks at the 'visitors' metric. Is this anonymous? Maybe. The company, to try and drive value from its website and increase leads, adds a simple contact us form onto the site which captures email address and name. Is this anonymous data? Definitely not. Is it possible, through time-based correlation, to ascertain which visit led to the contact form being completed, and therefore join the data together? Definitely. Therefore the analytics 'identifier' is indirectly identifiable PII.
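The linkage risk described above can be measured over your own data as part of a privacy assessment. The sketch below is an added example, not code from the original post; the visitor IDs, page paths, submission IDs and the 5-second window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: (analytics visitor id, page path, hit timestamp)
ANALYTICS_HITS = [
    ("vid-a1", "/products",       "2024-03-01T10:00:05"),
    ("vid-a1", "/contact/thanks", "2024-03-01T10:03:41"),
    ("vid-b2", "/",               "2024-03-01T10:03:30"),
    ("vid-c3", "/contact/thanks", "2024-03-01T14:20:02"),
    ("vid-d4", "/contact/thanks", "2024-03-01T14:20:04"),
]
# Constructed sample data: (form submission id, server-side timestamp).
# Each submission id stands in for a record holding a name and email address.
FORM_SUBMISSIONS = [
    ("sub-001", "2024-03-01T10:03:40"),
    ("sub-002", "2024-03-01T14:20:03"),
    ("sub-003", "2024-03-01T18:00:00"),
]

def candidates(submitted_at, hits, window_s=5, page="/contact/thanks"):
    """Visitor ids that hit the confirmation page within window_s of a submission."""
    t = datetime.fromisoformat(submitted_at)
    return sorted({
        vid for vid, path, ts in hits
        if path == page
        and abs((datetime.fromisoformat(ts) - t).total_seconds()) <= window_s
    })

def linkability_report(hits, submissions, window_s=5):
    """Classify each submission by how many analytics ids it could be joined to."""
    report = {}
    for sub_id, submitted_at in submissions:
        found = candidates(submitted_at, hits, window_s)
        if len(found) == 1:
            status = "singled-out"   # one id matches: indirectly identifiable
        elif found:
            status = "ambiguous"     # several ids match: timing alone is not enough
        else:
            status = "unlinked"      # no analytics hit near this submission
        report[sub_id] = (status, found)
    return report

def singled_out_share(report):
    """Fraction of submissions that timing alone ties to exactly one visitor id."""
    hits = sum(1 for status, _ in report.values() if status == "singled-out")
    return hits / len(report)

if __name__ == "__main__":
    result = linkability_report(ANALYTICS_HITS, FORM_SUBMISSIONS)
    for sub_id, (status, ids) in result.items():
        print(sub_id, status, ids)
    print("singled-out share:", round(singled_out_share(result), 2))
```

Any non-zero singled-out share means the analytics identifier can be tied to a named person using data the company already holds, so it should be treated as pseudonymous rather than anonymous.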
As another example, the same website chooses to add an A/B testing tool to the website, which uses the analytics data to perform its segmentation, testing and personalisation. At this point, is the analytics cookie anonymous? I would argue no, it is not anonymous, as we are processing the data in such a way as to pick out an individual from the dataset, and provide them with a different experience to other people. This means that all analytics data is pseudonymised at best (all the cookie is doing is applying its own 'label' for my device, rather than just saying it is 'Nick’s Microsoft Surface').
So with this being said, at what point would you need to ask for consent? For me, because the opportunity to do the types of analyses highlighted above will always exist, I would argue that you want to obtain consent from the second you start using these tools. This is for 2 reasons. Firstly, it’s the right thing to do under the 'spirit' of GDPR. The second is that you can only use the data you have collected for the purposes it was collected for. The second of the 7 key principles of GDPR is: “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
If I may want to pair the data I have with another data source to do 'something', I can only use the data from the period of time I have been collecting the appropriate consent to do so. To give an example, I have been collecting 'anonymous' web analytics data on my website for a number of years. I employ a new Digital Marketing Director who wants to integrate this historical data within a CRM tool, linking all purchase/transaction data with the anonymous browsing data I have held for the users while they were considering my company’s products. As this is 'new' processing, unless I have included this type of processing in my 'consent' language when it was 'freely and explicitly' given by the data subject, I have no legal basis to process this data in this way, rendering all this valuable data (literally) useless.
The point I make here is that if you want to use your data for pretty much any of the value-driving activities in a modern marketing environment, web data is always pseudonymous so needs explicit consent for its use, otherwise you'll end up with a 'soggy bottom' and risk GDPR non-compliance. And don't get me started on the ePD’s need to explicitly state what all cookies are and what they are used for when placing them on an end user device... I'll save that for the next blog in the series.