With business owners across Britain preoccupied with GDPR compliance ahead of next month’s introduction, its forgotten sibling – the so-called “cookie law” – could also change the way brands communicate with consumers and collect data. So what should firms be doing right now to prepare for new regulations?
This article was updated on 25/04/2018
What is ePrivacy regulation?
While ePrivacy and GDPR are both EU-led directives, they are not the same and understanding the differences is crucial for both business owners and consumers.
Fresh research from Mailjet considered the impact of the ePrivacy regulation, or the “cookie law”, on marketing strategies at UK companies. The platform surveyed 400 marketers in the UK and France to see what direction the changes could take brands in.
New ePrivacy regulations will take on board the definitions of privacy and data included in GDPR and create detailed guidelines over specific areas. The regulations are an extension of the existing EU ePrivacy directive, otherwise known as the cookie directive, taking GDPR into account.
The cookie law was due to arrive alongside GDPR in May, but the regulation is yet to be finalised and could have to wait a little longer.
What is going to change?
Under ePrivacy changes, online users will be able to set cookie permissions from their internet browser. Subsequently, users will be faced with cookie request pop-ups upon arriving at a website. The ease of potential opt-outs could mean the withdrawal of millions of consumer datasets from brands and digital marketers, according to Mailjet.
Some 91 per cent of respondents to Mailjet’s international survey expected these pop-ups to directly cause a loss of traffic by restricting access to some, or all, of a website’s content. However, 57 per cent believed the traffic loss could be only around ten per cent.
Of greater concern could be the loss of user tracking via websites. Almost a third of UK marketers claimed the most important information from cookies they collected was via Google Analytics, suggesting alternative data sources would become even more vital.
Return of email marketing
A sudden loss of direct traffic on such a scale could see brands shift to new marketing channels. Almost eight in ten respondents admitted email marketing could emerge as a practical channel for procuring data. Meanwhile, 72 per cent would invest more in social messaging services, while two-thirds were looking to Amazon as a direct communication channel.
Commenting on how changes to ePrivacy could affect brands, Michyl Culos, head of marketing communications at Mailjet, said: “ePrivacy will impact marketers across the world in many different ways.
“Immediate concerns will likely centre on the loss of data fuelling customer experiences and revenue; the longer-term opportunity of browser-level cookie approval means both B2B and B2C brands will have to focus strategically on how they can grow and maintain the most valuable customer insights that really drive their business forward.”
One month to GDPR: What businesses need to do now
Over the last year, our experts have been helping company owners get their house in order ahead of GDPR. Here are their essential tips.
Undertake an organisation-wide data audit
Ryan Wain, chief marketing officer at Unlimited Group, advised decision makers to undertake a full audit on data held by a business.
“By doing this you will understand and identify what data you have, where it is and how it is being used,” he said.
“Distinguish between personal and non-personal data, identify its use, the processes applied to it and the legal considerations. This does not have to mean line-by-line data analysis – where they can be, different data sets can be grouped together.
“But you will need an understanding of all the different data sets you have for the transparency and accountability needed to demonstrate as part of GDPR compliance.
“Inevitably, you will find data that’s years old and no longer needed. If you decide this poses a compliance risk, deleting it delivers immediate benefits.”
Following this, Wain advised owners to delete old data, catalogue the results and then fill in the gaps.
He added: “Possibly the most important consideration is to avoid viewing GDPR compliance as a process with a hard and fast end point. Rather, it will be an on-going journey as you gather and process new data moving forward.”
Collecting customer information under GDPR
What are retailers permitted to do with the email addresses and customer information handed over by shoppers at checkouts? Charlotte Ebbutt and Malcolm Gregory, from law firm Royds Withy King, explain the rules.
“Email addresses collected at the point of sale are considered personal data under current data protection regulations and under the GDPR. The rules state that data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’
“This means that if an email address is given for the purpose of receiving an e-receipt, it must only be used for that purpose. A retailer cannot then use that customer information for marketing or any other purpose. Once the receipt has been sent the email address should be deleted, as the regulations do not allow for the unnecessary storage of personal data.
“If a retailer wishes to use email addresses gathered at the point of sale for subsequent direct marketing this must be ‘explicitly brought to the attention of the customer’ and presented ‘clearly and separately from any other information’.”
Handling employee data
Even when Britain leaves the EU, data relating to EU citizens will still be under the remit of GDPR.
If you are processing data related to EU citizens, your business or organisation will still be under the remit of GDPR. Post-Brexit, it remains to be seen if UK citizens will be included in this remit. However, the wise thing to do now is prepare to process all data using these new regulations.
Final takeaways to become GDPR-compliant
- Request for consent and purpose of data collected must be intelligible – for sensitive personal data, users will have to “opt in” rather than “opt out”
- Individuals must have the right to access their data
- Individuals must have the right to withdraw consent and prevent further dissemination of data
- Those concerned must be notified if there is a security breach