GDPR Compliance: Six Bases For Collecting Personal Data

The GDPR provides six legal bases for data collection and data processing in Europe. So, if you’re collecting personal data of any kind, there must be a legal ...

Updated April 24th, 2018

This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.

From the Criteo Privacy Team: 

The European General Protection Data Regulation goes into effect in May 2018 and one of the most discussed issues for the digital marketing industry is that technical identifiers such as Cookies and Mobile Advertising IDs are now mentioned in the definition of personal data.  While this may seem like an exceptional development to many US-based companies subject to the regulation, this was already the case in many EU countries including France.  The only difference is that now, all EU member states must treat Cookies and other technical identifiers as personal data.

To learn more about how the GDPR defines personal data and consent, click here.

Secure Ad Performance

Discover our solutions for ad trust and safety.

What does this mean and how does it apply to your business?

The GDPR provides six bases for data collection and data processing in Europe:

  1. The vital interest of the individual
  2. The public interest
  3. Contractual necessity
  4. Compliance with legal obligations
  5. Unambiguous consent of the individual
  6. Legitimate interest of the data controller

It is important to note that all of these six bases carry the same value, which means that they are self-sufficient and exclusive from one another. For businesses in the marketing or digital marketing industry or who collect data for the purposes of marketing, the two bases that could be applicable are: (1) unambiguous consent of the individual and (2) legitimate interest of the data controller.

(Learn more: Join our next webinar on 6/30, “Surviving a Post-GDPR World”)

Which of these bases would allow a business to collect personal data in the form of technical identifiers (Cookies, Mobile IDs, etc.)?

Our view at Criteo is that unambiguous consent is the most applicable basis for our clients and partners who collect personal data including technical identifiers. 

What does it mean to have the “unambiguous consent of the individual”?  How does it apply to the collection online identifiers like cookies?

First, we must draw a distinction between unambiguous consent and explicit consent.  Explicit consent means the user must opt-in. This applies to sensitive personal data such as race, religion, sexual orientation, political affiliation, and health status.  Importantly, online identifiers (e.g. cookies) alone are categorized as non-sensitive personal data so an explicit opt-in is not required.

We anticipate that the rules on unambiguous consent will be based on existing positions of local Data Protection Authorities (DPA).  For example, the Spanish DPA[1], one of Europe’s most protective, recently published guidelines on the GDPR and stated that consent can be unambiguous when it is deduced from the action of the user – and the specific case used by the Spanish DPA is of a user continuing to browse a website that uses cookies to monitor his/her browsing.

Criteo’s clients and publisher partners do not process sensitive data but rather work with data related to web browsing, shopping intent and shopping history linked to pseudonymous technical identifiers.

(Learn more about the type of data Criteo collects and how GDPR impacts our methods.)<

The conditions required by the GDPR for a valid unambiguous consent are very similar if not identical to the conditions already detailed by the Working Party of the Article 29 in a past opinion[2]:

  • Specific information: “To be valid, consent must be specific and based on appropriate information provided to the individual. In other words, blanket consent without specifying the exact purpose of the data processing is not acceptable.”
  • Timing: “As a general rule, consent has to be given before the data processing starts.”
  • Active choice: “Consent must be unambiguous. Therefore the procedure to seek and give consent must leave no doubt as to the data subject’s intention. There are in principle no limits to the form consent can take. However, for consent to be valid it should be an active indication of the user’s wishes. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller.”
  • Freely given: “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.”

How does the “legitimate interest of the data controller” apply?

For the interest to be legitimate, the purpose of the data processing needs to be reasonably expected by users.  The processing of personal data for direct marketing purposes may be regarded as and carried out as a legitimate interest. However, this legitimate interest cannot override the fundamental privacy rights of users and appropriate security measures must be implemented to mitigate potential risks to users’ privacy.  The basic standards that must be met before attempting to claim a legitimate interest are:

  • An explanation of what data is being collected, the specific purpose for which such data is collected as well as how that affects a browser’s online experience
    • For example: ”Our [website/app] uses cookies/advertising IDs for the purpose of advertising. This enables us to show our advertisements to visitors who are interested in our products on partner websites and apps. Re-targeting technologies use your cookies or advertising IDs and display advertisements based on your past browsing behavior. To read more and/or oppose to their services, please refer to their privacy policy listed below.”
  • A way for users to control their experience, including an opt-out choice, that is easy to use and access, with language that explains how that will affect a browser’s ad experience
  • Easy access to a privacy policy, as well as information on any industry privacy standards or commitments your business has adopted

What are the standards to establish a legitimate interest?

Some key questions every business must be able to answer in order establish whether there is a legitimate interest:

  • What is the purpose of the operation?
  • Is it necessary to meet one or more specific organizational objectives?
  • Does the GDPR or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?
  • Is there another way of achieving the objective?
  • Would the individual expect the processing activity to take place?
  • What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?
  • Would the processing limit or undermine the rights of individuals?
  • Is a fair processing notice provided to the individual? If so, how? Are they sufficiently clear and up front regarding the purposes of the processing?

As businesses in the digital marketing industry update their practices to comply with GDPR, it is important to remember that EU citizens are well aware of targeted advertising, understand the identifiers that drive it, and expect to see ads that are relevant.  Criteo partnered with IPSOS to field a consumer survey to understand the expectations of EU users and how they relate to targeted online advertising.  We surveyed 3,000 Internet users, ranging in age from 16 to 65 in France, UK and Spain, establishing a representative demographic sample across gender, age, region, and income level.  Specifically, we found that:

  • 90% of Internet users are aware of behavioral retargeting
  • 68% are aware that cookies enable targeted advertising
  • 75% expect to be served ads that match their interest
  • 73% would rather see relevant ads than pay an additional fee to avoid seeing ads

We will closely follow the guidelines and advice published by local Data Protection Authorities as the enforcement of the GDPR approaches.  Until then, learn more about what Criteo is doing to comply with GDPR and what you need to know about the two categories of personal data in GDPR.

Learn about our GDPR-compliant products.

[1] Guía del Reglamento General de Protección de Datos para responsables de tratamiento https://www.agpd.es/portalwebAGPD/temas/reglamento/common/pdf/guia_rgpd.pdf

[2] Working Party of the Article 29 – 2013 Guidance on obtaining consent for cookies: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf

Subscribe
to our newsletter

Fresh sales trends and consumer insights to help
you plan and win.