January 25, 2018
Brands want to know how to collect personal data from European data subjects under the restrictions imposed by GDPR. Many have said that creating gated content — content which requires completion of form to view — is a solution.
We’re not so sure.
The relevant constraints here are that a consumer’s consent to the collection of data must be “freely given” and “explicit,” and must be sought in “clear and plain language,” and “separately from any other information.” So far, so good. Let’s say a pop-up, a lightbox, or whatever kind of form a website uses, is clear and unambiguous about its request for personal information like name and email address. The user is required to complete the form to earn access to a white paper, a webcast, a video, or some other web content.
“To encourage users to subscribe or opt in to specific types of content — versus an all-or-nothing approach — marketers should build preference centers, enabling clients to control how they prefer to engage with you. For example, clients may opt out of general marketing emails, but opt in to event invitations. Marketers should focus on tactics like gated content, website subscription pop-ups and event subscriptions.”
“As you attract these individuals, you convert them into leads using forms, calls-to-action and landing pages on your website using high-quality ‘gated content’. Throughout the Inbound process, every exchange has been consensual and can be easily tracked…”
But is the situation really that clear? Consider the language in Article 7, “Conditions for Consent.”
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
In lay terms, that language seems to say that consent is not freely given if the data subject can’t get a contract performed or a service provided without offering up their data, where the data isn’t necessary to performing the contract or providing the service.
Now, whatever marketers might think, collecting personal data just isn’t a necessary precondition of reading a white paper or viewing a video. Does the contract part of this matter? We are not lawyers (as we always insist), but a contract usually implies some kind of exchange of value between two parties. Maybe this provision only applies where a data subject is paying to register to read, view, or attend some piece of content? Perhaps the data collection is necessary to process payment and record the registration?
Perhaps. But at the very least, Article 7 does seem to place a burden on the data processor to show that it was necessary to collect personal data before the data subject could be allowed access to the content, and that may be a high hurdle if no fee is being collected (and credit card details, etc., required), or the brand is not explicitly asking the subject to join a mailing list, or perhaps become a registered member of a community.
After all, as we all know, what the form usually means is: “Here’s a piece of content you can only consume on condition you hand over your personal data, which I am going to store and use to try to sell you stuff.” And to say the least, that goes against the spirit of “freely given” consent.
After all, if consumers are going to be given the option to click on: “No thanks, I don’t want to give you my data,” and get access to the content anyway, the so-called gate is wide open.