Five Years of GDPR: Why Businesses Are Still Falling Short of Consent Requirements

By Amy Holtzman

When the EU's General Data Protection Regulation (GDPR) was enacted in May 2018, it transformed how businesses manage user privacy online. But five years later, despite more than 1,800 GDPR enforcement actions and fines exceeding €4 billion, many businesses still struggle to get consent management right. Why?

It boils down to two main factors: the intricacies of regulatory consent requirements and the shortcomings of the technical solutions commonly used for managing user consent.

Understanding the GDPR's Valid Consent Requirements

To collect or process user data under the GDPR, you need a solid legal basis to do so. For most businesses, obtaining user consent is the most straightforward way to get that legal basis. However, the consent requirements of the GDPR are often misunderstood by businesses.

The GDPR mandates that consent must be "explicit, informed, and given freely." This means businesses must give users a complete understanding of what they are consenting to and give them a clear decision to either accept or decline data tracking and processing.

However, a closer look at online practices reveals that many consent banners fail to meet these standards. In a 2020 study, MIT, UCL, and Aarhus University researchers scrutinized the consent banners of the top 10,000 UK websites. They found that a mere 11.8 percent of these websites adhered to the bare minimum of EU law requirements for compliance.

Many use pre-checked boxes that assume consent or design the opt-out process to be far more complicated than opting in. A troubling practice known as "implied consent" has also emerged, where user actions like quickly closing the banner or navigating away without making a choice are treated as consent. This practice contradicts GDPR guidelines and is so prevalent that regulatory bodies regularly issue warnings. Worse yet, some unscrupulous consent management vendors operate under the concept of "global consent," wherein consent given on one website is taken and applied to thousands of others.

While many users may click 'yes' quickly to access a website's content, exploiting this behavior for data tracking is against GDPR guidelines. Such practices, known as "dark patterns," are not only non-compliant but also erode user trust.

And regulators are taking notice. EU regulators have handed out 584 fines for the insufficient legal basis of data processing – the highest number of fines for any category of violation. What is the average cost of those violations? €2.8M.

The Technical Challenges: Consent and Preference Enforcement

Let's say you've done everything right. You've given users a clear, conspicuous choice for informed consent and haven't used any tricks to get it. Job done, right? Not quite. The unfortunate reality is that true compliance is much more nuanced, and you might be missing more than you realize.

The reality is that while obtaining consent is a critical aspect of complying with global privacy laws, it's just a piece of the larger process. Compliance doesn't end with a cookie banner.

Businesses are often lulled into complacency by a well-crafted cookie banner and ignore the technical backend required for compliance; real compliance goes far beyond this initial interaction. User rights and preferences, articulated through consent, must be honored before, during, and after interacting with these banners.

To adhere to the GDPR, and the growing list of privacy laws that have copied its consent requirements, such as China's PIPL and Quebec's Law 25, user consent must translate to tangible actions. If a user opts out of tracking, no cookies, first- or third-party, should be triggered, and likewise, no tracking should occur before the user opts in.

To achieve this, you need complete control of the tags and cookies firing on your properties; you can't simply rely on assurances from your third-party partners, or even Data Processing Agreements (DPAs), as a guaranteed shield against noncompliance.

Many commercial Consent Management Platforms (CMPs) attempt to uphold user privacy selections by utilizing APIs that depend on third-party cooperation. However, this approach often falls short of the GDPR's standards due to its inherent inability to provide real-time enforcement.

The GDPR, in Article 18, stipulates an immediate stoppage of marketing-related data processing upon user objection. Any lag between opting out and the actual halt of tracking falls foul of the law. For proper compliance, you must proactively block tracking and data collection until consent is granted. With the GDPR, it's always better to seek permission than forgiveness.

The GDPR unequivocally asserts that any data processing needs prior consent, as noted in Article 6. Importantly, consent doesn't have a retroactive effect. GDPR insists that "It shall be as easy to withdraw as to give consent." Consequently, any data processing before acquiring the relevant consent or after its withdrawal constitutes a direct violation of the law.

In short, real GDPR compliance means blocking all cookies before consent is granted. This proactive approach is far superior to merely reacting, relying on a hodgepodge of APIs, and crossing your fingers that your vendors got the memo.
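One way to implement the proactive blocking described above, as an added example that is not code from the article or from CHEQ: tags stay unloaded until consent is granted, events sent without consent are refused rather than queued (consent is not retroactive), and a single withdrawal call takes effect immediately. The cookieJar interface and the cookie name are assumptions of this example; in a browser the jar would wrap document.cookie.

```javascript
// Added example, not code from the article or from CHEQ: a consent gate that
// never loads a tag until consent is granted, refuses (does not queue) events
// sent without consent because consent is not retroactive, and on withdrawal
// stops the tag and clears its cookies at once. The cookieJar interface is an
// assumption of this example; in a browser it would wrap document.cookie.
function createConsentGate(cookieJar) {
  const tags = [];            // {name, category, load, send, cookies, active}
  const granted = new Set();  // categories the user has consented to
  const activate = t => { if (!t.active) { t.active = true; t.load(); } };
  const deactivate = t => { t.active = false; t.cookies.forEach(n => cookieJar.delete(n)); };
  return {
    // Register a tag by category without loading it; hooks are the tag's own.
    register(name, category, hooks) { tags.push({ name, category, active: false, ...hooks }); },
    // Forward an event only to an active (consented) tag; otherwise refuse it.
    track(name, event) {
      const tag = tags.find(t => t.name === name);
      if (!tag || !tag.active) return false;
      tag.send(event);
      return true;
    },
    grant(categories) {
      categories.forEach(c => granted.add(c));
      tags.filter(t => granted.has(t.category)).forEach(activate);
    },
    // Withdrawal is one call, symmetric with grant, and takes effect immediately.
    withdraw(categories = [...granted]) {
      categories.forEach(c => granted.delete(c));
      tags.filter(t => !granted.has(t.category)).forEach(deactivate);
    },
  };
}

// Constructed walk-through: one analytics tag that sets a made-up cookie on load.
function demo() {
  const jar = new Map();
  const cookieJar = { set: (k, v) => jar.set(k, v), delete: k => jar.delete(k), names: () => [...jar.keys()] };
  const gate = createConsentGate(cookieJar);
  const sent = [];  // events the tag actually received
  gate.register('analytics', 'analytics', {
    load: () => cookieJar.set('site_analytics_id', 'constructed-id'),  // constructed cookie name
    send: e => sent.push(e), cookies: ['site_analytics_id'],
  });
  const before = { ok: gate.track('analytics', 'pageview'), cookies: cookieJar.names() };
  gate.grant(['analytics']);
  const during = { ok: gate.track('analytics', 'pageview'), cookies: cookieJar.names() };
  gate.withdraw();
  const after = { ok: gate.track('analytics', 'click'), cookies: cookieJar.names() };
  return { before, during, after, sent };
}
```

The pre-consent pageview and the post-withdrawal click are both refused and never reach the tag, and the cookie exists only while consent is in force.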

So, take a moment and ask yourself: Is your compliance strategy as secure as you think?

The views and opinions expressed are solely those of the contributor and do not necessarily reflect the official position of the ANA or imply endorsement from the ANA.


Amy Holtzman the CMO at CHEQ, the leader in Go-to-Market Security. Amy is a founding member of Chief, a private network that connects and supports women leaders, a co-founder of NYC-based Women in Revenue Marketing, and a member of Pavilion.