Sunday 24th June 2018

The many ways the GDPR will change the web forever this week

Email marketing platforms can't agree, MPs are unclear, publishers are arguing with Google and there are 4 days until the GDPR comes into force. It promises to be a turbulent week, so we've listed what's likely to change below.
Jason Smith
by on 21st May 2018
GDPR summary

Over the course of this week you’ll likely start to notice some changes across websites.

These changes will be a consequence of the EU’s General Data Protection Regulation (GDPR), which comes into force on Friday 25th May.

From reading online commentary, small business owners appear to be particularly confused and disproportionately affected by the new legislation, mainly because, unlike large organizations, they don’t have legal teams to decipher the GDPR’s 99 articles and what it means for their businesses.

Moreover, large tech organizations are waiting till the last minute to address publishers’ concerns (see below) and even lawmakers — British Members of Parliament — are unclear on what steps to take to comply with the GDPR (and if lawmakers are unclear on what steps to take, what hope do small business owners have?)

We’ve listed some examples of what you can expect to see below.

You’ll likely see popovers asking for your consent

Obtaining user consent is a big aspect of the GDPR.

Websites will need to obtain users’ consent if they wish to serve personalized advertisements, which will likely result in users being presented with popovers like the one below.

Cookie form

News websites are among the worst offenders for leveraging third-party content and setting third-party cookies, according to a recent report by the Reuters Institute.

Moreover, news organizations will meet with Google executives on 24th May – one day before the GDPR comes into force – to try and resolve disagreements with the search giant.

Of particular concern to news organizations is that Google has placed the burden of obtaining consent onto publishers and, as yet, hasn’t adopted a new industry-wide framework that makes it easier for publishers to obtain consent.

Some publishers have also criticized Google for developing its own consent platform called “funding choices,” which restricts the number of ad networks publishers can work with to 12 (the tool is also currently in beta mode).

As a consequence of these challenges, some commentators believe the GDPR could signal the end of personalized ad targeting.

Fewer personalized ads

Dependent on whether users want websites to tailor ads to their characteristics (we’re guessing it’s unlikely!), users should probably expect to see a marked decrease in the number of personalized ads following them across websites.

To be clear, this doesn’t necessarily mean fewer ads.

In fact, if non-personalized ads are incapable of meeting the revenue needs of publishers, or if news organizations are incapable of instituting processes to acquire user consent to personalize ads, there’s the possibility they may have to find alternate means for monetizing their content.

For publishers, Google has recently updated its AdSense admin panel to allow users to only display non-personalized ads.

Some websites may become unavailable

A few organizations, including Unroll.me, Verve and Ragnarak Online, have decided to block access to their websites from the EU. Some other websites may also have taken this decision and simply not declared it publicly.

Moreover, a few services have popped up in recent months that assist webmasters in blocking all inbound traffic from the EU.

This is quite a clinical decision and is unlikely to be adopted by most websites.

Social sharing buttons may become less prevalent

Unbeknown to many, social sharing buttons send browsing and other data back to social networks.

To be clear, a user doesn’t need to click on a social sharing button for this to occur. Moreover, not all social sharing buttons send data back to social media platforms.

The irony in social sharing buttons being leveraged to send data is that the vast majority of users don’t even use them for the purpose they deem they’re intended for.

According to a recent report from 2015 by Moovweb, only 0.6 percent of desktop users and 0.2 percent of mobile users ever share content by clicking social share buttons on websites.

The report also states users are 11.5 times more likely to click on an advertisement than a social sharing button.

You may end up ticking more boxes than ever before

Email marketing platforms like AWeber, MailChimp and HubSpot exist to make it easier for digital marketers to send communications to their subscribers.

A number of popular email marketing platforms have instituted new processes for signing-up to email communications in the last few weeks, which some of them refer to as “GDPR-friendly”.

According to their help pages and blog posts on their websites, some of these platforms differ in their interpretations of the GDPR.

For example, some encourage their customers to reconfirm consent from their subscribers, while some deem it unnecessary. Moreover, AWeber and MailChimp appear to disagree over whether checkboxes are required when a user hands over their personal data through a web form.

Some organizations could take compliance to an absurd level

According to Warner Goodman LLP, “simply receiving an email from a new data subject triggers the requirement for an Article 13 Notice and possibly an Article 14 Notice”.

In other words, if an employee of an organization contacts another organization using a personally identifiable email address i.e. an email address that contains their name, then their data will be stored on the recipient organization’s server.

This alone, according to Warner Goodman LLP, makes it necessary to send the person who sent the email an article 13 notice, at least according to a literal interpretation of the GDPR.

If other parties are cc’ed into the email chain, and again according to a literal interpretation of the GDPR, they’d also need to be sent article 14 notices (which relates to data collected about a data subject from someone other than the data subject).

Under such a literal interpretation, personal assistants would also likely need to keep track of who had and had not received GDPR notices from previous correspondence.

Warner Goodman LLP also states this is an example of where it would be disproportionate to provide Article 13 or Article 14 notices.

From this, you can probably tell why GDPR isn’t simply as clear cut as many may assume. It’s innately fuzzy on the specific processes organizations must adhere to if they want to remain compliant.

Embedded video content may become less prevalent

When a request is made to retrieve third-party content from a website like YouTube, a browser will often send cookie data with the request.

Some webmasters are resorting to enabling privacy enhanced mode on YouTube videos they want to embed, which has the effect of serving the video from the domain youtube-nocookie.com.

This has given many webmasters the impression that videos served from the youtube-nocookie.com URL won’t drop cookies on users’ computers until the user plays the video, however responses from this domain also store information in the browser’s HTML local storage.

Meanwhile, some websites, like the University of Edinburgh, have implemented mechanisms to request consent before a video is viewed.

Web measurement platforms are being tinkered with

Late last week Google launched a new API that allows users of its web measurement platform, Google Analytics, to delete data associated with a user.

Many webmasters assume, or are working on the advice, that if they don’t store personally identifiable information in Google Analytics, or if they don’t enable advertising features, then they are covered under GDPR.

However, it may not be that simple. For example, it’s possible that user data on some websites could be pushed into a URL when a form is submitted, and that URL may then appear in Google Analytics i.e. user data will be stored in some form on Google’s servers.

According to Google’s former Head of Web Analytics, Brian Clifton, “If you use these Advertising features in [Google Analytics], you must request explicit consent. If you do not, then you don’t”.

Politicians may be subject to scrutiny by the press

Politicians appear to be finding it difficult to comply with the GDPR. According to a report from the BBC, MPs have, after training, formed the impression that the GDPR mandates that “all data from before the last general election would have to be deleted”.

The report also states that some MPs have already deleted old data after being told “all MPs are doing this”.

So, to summarize the events…

Overall, the week to follow promises to be a bumpy ride and it may take many months before organizations are up to speed on how best to comply with the GDPR in practice.

As for our approach, and as we’re a relatively small organization without a legal team at our side, we’ll almost certainly be deleting all third-party content that may or may not send anyone’s data anywhere! This will include comment platforms, embedded third-party content, plugins and, to a lesser extent, adverts (we don’t like them and thus barely utilize them).

While this is likely to affect the user-experience on our website, from our perspective it’s evident, from the inability of large organizations or even Members of Parliament to comprehend what constitutes compliance with the GDPR, that this is the best approach until the big-wigs can get their ducks in a row and start providing robust solutions to many of the questions posed by the GDPR.