From the Criteo Privacy Team
On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect, replacing the 1995 Data Protection Directive. The GDPR will harmonize the various data privacy laws that exist across all 28 member states of the European Union (EU), including the UK.
Since our founding in Europe in 2005, Criteo has become a global company operating major offices across the EU, using technology aligned with the best industry standards in terms of data privacy and security. We’re accustomed to complying with country-level requirements around the world and, consequently, we’ve long been in compliance with key elements of GDPR.
As GDPR draws nearer, we’ve seen misconceptions about the new legislation, especially when it comes to how GDPR defines consent and data privacy. We thought we would clear it up by addressing the most common questions that we’ve seen over the past few months:
What is the purpose of GDPR?
GDPR aligns data protection policies across EU member states while providing consistent application and enforcement by local Data Protection Authorities (DPA) in each EU member state. The objectives of the regulations are to:
- Modernize the legal system to protect personal data in an era of globalization and technological innovation.
- Strengthen individual rights while reducing administrative burdens to ensure a free flow of personal data within the EU.
- Bring clarity and coherence to personal data protection rules and ensure consistent application and effective implementation across the EU.
What type of consent from individuals is needed for companies like Criteo to collect personal data?
It’s important to highlight the difference between unambiguous and explicit consent, which is a point of confusion for many digital marketers.
Explicit consent means the user must opt in. This applies to sensitive personal data such as race, religion, sexual orientation, political affiliation, and health status.
This is in contrast to non-sensitive personal data, such as browsing history. In this case, the GDPR requires companies to obtain unambiguous consent from users. As online identifiers (e.g. cookies) alone are categorized as non-sensitive personal data, an explicit opt-in is not required.
Additionally, GDPR guidance issued by the Agencia Española de Protección de Datos (Spanish Data Protection Authority) is aligned with Criteo’s interpretation of unambiguous consent:
The GDPR requirements state that consent must be “freely given, specific, informed, and unambiguous.” What does this mean?
“Freely given” means that consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent. Users can refuse Criteo’s services directly from the cookie message without suffering any consequences.
“Specific” and “informed” means that to be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable. This is the purpose of our message: to specifically inform users that by clicking any link on the page they consent to our “cross-site tracking technology.”
A Win-Win for Businesses and Consumers
Here at Criteo, we view the GDPR as a positive development that will foster trust in our digital economy and provide an environment of transparency, control and certainty for our clients and shoppers. We have a clear understanding and are in compliance with what consent means under GDPR.
We are more than prepared to support our clients and partners through their GDPR compliance journey and will continue to publish regularly on best practices around effective GDPR compliance.
In the long run, we’re confident that the enhanced trust and transparency initiated by GDPR will benefit businesses and individuals alike.