Here’s what I first thought when I first heard about the General Data Protection Regulation (GDPR):
“Yeah, those Europeans, always using regulation to try to solve every problem. And everyone sneaky will probably just find a way around it.”
You may or may not have thought the same as I did. (If you did, congrats on being among the most cynical people out there — but hopefully cynical with a smile!)
The GDPR, however, is important to meditate on for two reasons. First, because it does have real implications for ecommerce. And secondly, because it is coming soon to a country near you, in the form of the CCPA: the California Consumer Privacy Act, which takes effect in 2020.
There are endless articles online about the GDPR and it’s not worth rehashing them here. (The CCPA is slightly different, even stricter in some ways, but that’s a subject for a future article.) But one angle is worth deep-diving into: how will it affect your ecommerce implementations?
At the heart of the GDPR is that a site can not track anything — anything! — about you, without the visitor’s explicit consent. Hundreds of pages of legalese define the “anything!” in the previous sentence, as well as the details, nuances, exceptions, and footnotes. But that’s the core boildown.
Here’s the challenge it presents to ecommerce: at the heart of ecommerce is data. At the heart of data is tracking. And if you ask people if they want to be tracked… they will likely say no, or just ignore the question (which, in effect, is a no).
What to do?
Here at UV, we use many different strategies and we’re happy to have a call to discuss. (Hint, hint, hint.) But here are a few ways around it.
One way around it is to extrapolate from the data you do have. Even if only 10% of the visitors agree, you can really deep-dive into that 10%. Or extrapolate data from other countries as well. Of course, this is harder when you don’t have much scale. And this is far from ideal. The key weakness with this, beyond the need for scale, is that it prevents per-person conversion tracking for that 90% so it makes a lot of modern marketing methods like remarketing much more difficult.
A second way around this is, instead of having the small strip on the bottom of the page, is to be REALLY ANNOYING about it. Have a huge pop-up that doesn’t go away. Prevent use of the site. Basically, force users to accept or go away. This is my personal preferred strategy. The weakness with this strategy is that you have to accept the fact that your site will be more annoying for most users.
A third way around it is to work with a lawyer who interprets the GDPR in a way so that you put the “Do you accept that we’ll track you?” question strip on the bottom but you track them BEFORE and UNTIL they ask not to be tracked by clicking that box. While this is not the most common interpretation of the GDPR — a very common, and very strict, interpretation is that before and until they explicitly agree, you can not track a single thing; and their act of agreeing thus enables all your trackers — there is a definitive minority opinion that you can do this. You should definitely consult with a friendly and competent lawyer, and we can recommend a few. The weakness of this strategy is both the need to consult with a lawyer, as well as your company’s personal tolerance for strict vs liberal interpretations of the law.
What to do? You know your company’s preferences and tolerances better than we do, so you need to find the right balance for you. Of course, analyzing seriously this question is a very personal issue for each company: how much of your revenues come from affected jurisdictions? Enough to make it worth it? How strictly do you prefer interpreting things? How at risk is your company for a GDPR audit from the EU? If your company is audited, how much is at stake? These are questions only you can answer, given that despite our magic powers here at UV, we are still not mind-readers.