Two months after the General Data Protection Regulation (GDPR) took effect, compliance is patchy, meaning national regulators may soon need to think about how they will enforce the new EU privacy rules, writes Lewis Crofts, MLex’s editor-in-chief.
The threat of big sanctions – up to €20m ($23m) or four per cent of global sales, whichever is greater – wasn’t enough to get everyone into shape by 25 May, even though businesses have had ample time to prepare since the GDPR was adopted in April 2016.
Regulators’ patience may run out
Businesses across a wide range of industries have yet to reach full compliance with the GDPR, it is understood. And while a cottage industry has sprung up to offer ‘compliance solutions’, regulators privately doubt whether such tools can capture the nuances of individual companies’ obligations.
The GDPR is deliberately not prescriptive about the exact steps companies need to take to comply, particularly with regard to seeking consent, which is one of six possible lawful bases for processing people’s data and the hardest to define.
This vagueness allows the GDPR to govern all sectors of the economy, and to some extent futureproofs it against technological advances. But it also leaves businesses without clarity on how to be compliant.
Guidance notes issued by the Article 29 Working Party, the umbrella group of EU national regulators that has since been reconstituted as the European Data Protection Board (EDPB), offer a bit more clarity, but no specific instructions.
The response from industry has been mixed. Some companies have implemented more protections than they probably need to, erring on the side of caution. Others have looked sideways to make sure they’re broadly in line with their competitors – a practice that could lead to whole business sectors being in breach of the rules.
And it’s possible that some are looking at the letter of the law and wondering how little they can get away with.
To see the range of responses to the GDPR, it’s instructive to look at a group of companies that often sell their users’ data to advertisers: consumer-facing websites, whether news providers, online shopping sites or information providers, such as online dictionaries.
These sites gather data from users through tracking devices known as cookies. Some of these are essential for the sites to run smoothly – by saving language preferences or a shopping cart, for example – but others process data for non-essential purposes or pass data to advertisers or other third parties.
Under the GDPR, websites must seek permission from users before using their data for non-essential analytics or passing it to advertising partners. They must accompany this request with clear information, make it as easy to withdraw consent as to give it, and not collect any non-essential data by default.
A quick internet browse reveals a wide range of approaches. Many of these risk being in breach of the GDPR.
Some sites make users click through to a screen which gives them more information and asks them to make a choice. In some cases, this choice is generic, allowing options for all analytics use and all advertising, with further options for more granular permissions. In other cases, the user is taken straight to a list of partners to make individual choices.
Other sites give users an option on the banner to immediately accept a default set of conditions, without seeing what they are. In some cases, the default is to opt out of all permissions, but in others it is to opt in to everything. This is often accompanied by nudges to accept the default: the button to do so may be big and green, while the one to see further options is small and grey.
That could give companies with an opt-in default a significant competitive advantage. With such banners appearing on nearly all consumer-facing websites, a user can quickly tire of the process and seek the path of least resistance. If it takes one click to opt in and four to opt out, many users will be nudged into doing the former.
And despite the obligation to make it as easy to withdraw consent as to give it, websites often make it very difficult to find where to reopen the options once a user has made their initial choice.
Where to draw the line on what is legal and what is not will come down to national regulators in EU countries or, if it’s a cross-border matter, the EDPB.
Most regulators would rather guide companies toward compliance than immediately use their multi-million-euro enforcement powers. But that doesn’t mean they’ll be idle.
‘Independent of the cases which have been driven by complaints, we are going to be active,’ Andrea Jelinek, the EDPB chair and head of the Austrian authority, said recently.
The softest approach for regulators would be to identify which companies are non-compliant and tell them to make changes and re-run the consent process wherever it was incorrectly applied. For internet users, that would mean more procedures to click through, but in the end they would have been given a fair chance to give or withhold their consent.
But, eventually, regulators’ patience may run out, or they may decide that a company is so flagrantly in breach of the rules that an example needs to be set. If they do, the GDPR has given them some very big guns to wheel out.