2 Jan 2023

Consumers Are Demanding More Privacy – So Smart Brands Should Get Ahead of the Curve Now

Targeted internet advertising is not the privacy problem – it’s who we let in with it, says Nial Ferguson.

Nial Ferguson, Managing Director of Sourcepoint is Mr Accept All; literally. The consent management platform makes, among other things, the “Accept All” pop up boxes we’ve happily sworn at since 2018. Yet Ferguson has real concerns over what happens when we do, indeed, accept all.

I’m curious about this. I, like most people, assume that when I click the ‘Accept All’ button, all I’m really doing is allowing my information to be used to inform what I’ll be marketed. Advertising is, after all, the most visible way in which our information is used online. Those annoying advertisements for a lawn mower that follow you around for weeks after you bought one – or the weird Instagram ads that make you worry your phone is listening to you (it is, by the way!).

Companies collect information about us so they can try and sell us things we want. If this is an issue, should we just stop doing it? No, says Ferguson.

“Targeted advertising is actually really important for free content. Simply put, the internet will continue to be free because of it. The value of that advertising is phenomenal – it’s billions of dollars. If that wasn’t there, we’d see subscriptions everywhere. It would be a shame if we had to pay to access every piece of content on the web. But you need the trust that data is not being misused to support that”.

But wasn’t GDPR meant to sort that out in 2018? GDPR – or General Data Protection Regulation – required data controllers (the websites accessing your data) to explicitly ask for consent to take your data and ensure they kept it safe. So, the ‘Accept All’ button was born – and if they didn’t do this they would be fined.

“From May 2018 if you didn’t put in place the proper compliance, you could be exposed to fines. And the fines are 4% of your global revenue or 20 million Euros – whichever was higher: that’s why it caught people’s attention!” explains Ferguson.

The policing of GDPR falls to local Data Protection Authorities (DPAs). In the UK, it’s the Information Commissioner’s Office (ICO) but the people in charge vary from country to country – as well as how doggedly they enforce GDPR. Looking at the number of fines issued for not upholding GDPR since 2018 is surprising – a mere 1100 to date.

“There haven’t been as many fines as we would have expected”, agrees Ferguson. “There’s only a certain number of people working at the DPAs – there’s only so much they can do”.

“Some DPAs are more active than others” notes Ferguson, “Spain has issued the most fines – whereas Luxembourg has issued the highest value fines, having fined Amazon”. 

But due to restricted resources, he explains, most DPAs go after the “big fish” – e.g. the Big Technology companies. Meaning smaller fry are left largely unchecked.

“Obviously it’s much better now people are being asked to consent” says Ferguson “but it’s not perfect. I think we still have a long way to go until we can be confident that our data is being processed and used in a way we expect it to be”.

Consent and data: what’s the problem?

So, what are the issues at play here? Why, despite regulation, can we still not be confident our data is being used appropriately?

According to Ferguson, the first issue is our unwillingness to read the small print.

“The ‘Accept All’ button helps people understand that data is being processed – but a lot of people just want to get to the information they were looking for. GDPR is incredibly complicated – and the appetite to read about it is fairly small”

But beyond that is something more sinister – our data is being sold on in ways we’re not made aware of and, in some instances, in a way the website we’re using is not aware of.

“There has been massive improvement in advertisers’ behaviour as a result of GDPR. But there are still bad actors out there in the advertising ecosystem. Data is being passed from company to company, unbeknownst to the user”.

Ferguson goes on to explain one of the issues data controllers have is that they may allow permission for one of their partners to collect data and process it to solve a problem or deliver a service on their site.

“This is pretty normal and covered in the consent request – but the analogy we hear with bad actors is some websites put their foot in the door and allow a lot of other partners in to process data without anyone knowing. That’s the challenge that the industry has to face up to”.

Sometimes, he says, even the websites themselves are unaware of the issue.

“We use a scanning tool that allows clients to look at what’s happening on their page to see if the cookies they are using – so the technology that’s firing the page – are the ones they expect. And sometimes they are not. In these cases, it’s usually that the partners they have been working with have introduced other partners that were not consented to”.

Does it matter that our data is shared?

Why is this an issue? Consider if the information is incorrect – a website makes a false assumption about you, and this information is sold on from company to company. At some point having a false picture of you will cause you difficulties – beyond being sold a lawn mower you don’t want. Consider health insurance, for example.

“Some companies sell your data onto other companies. And that’s where eventually you get turned down for health insurance” explains Ferguson. And it doesn’t stop there. This information also has a bearing on your ability to secure a mortgage, or a credit card.  

“The problem is not advertising – it’s information being sold on” Ferguson summarises.

“People don’t have a problem with consent – they just want to know that their data is being used in the way they expect it to be. That it’s secure and it’s protected. Consumers are demanding more privacy – so smart brands should get ahead of the curve now” he warns.

But Ferguson is hopeful.

“We’re on a journey and we’re definitely heading in the right direction when it comes to the regulation. The Government and the EU are involved, and brands are starting to do more” he says.

“I don’t think there’s a risk of us going backwards. We’re only going to get more privacy conscious. In the future we’ll see more and more ways that you can manage your own data, like privacy control centres where you can see what data people have about you and how they are using it”.

Until then what should we do? Read the small print. Next time you consider accepting all, take a moment to look at the sheer number of companies you are consenting to share you data with. Chances are, you’ll think again.