GDPR: The End of Gated Content?

Chris Debo, CISA | May 28, 2018

As the GDPR comes into effect, many marketers are scrambling to align their online marketing strategies with the regulation. Unfortunately, like most regulations, it contains many requirements that are confusing or ambiguous; one of those is how to treat the practice of requiring visitors to provide their contact information in exchange for access to restricted (gated) content, such as white papers and research.

What Does the Regulation Say?

Article 7 of the regulation is very clear when it comes to the collection of personal EU resident information: Consent must be clearly given for processing of personal data, the data subject must be made aware of how the information will be used, and they must have the ability to withdraw consent at any time.

The fourth paragraph of Article 7 goes even further to say:

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The key takeaway from the paragraph (and the one that gives marketers the most trepidation) is that services cannot be provisioned on the condition that personal data be provided if that data “is not necessary for the performance of that contract [or service].”

Can Gated Content Really Be Considered a “Service”?

Until recently, there were many different interpretations of Article 7. Quid pro quo content doesn’t necessarily constitute a contract or a service; many viewed it simply as an in-kind exchange and that visitors, if clearly made aware of the intent of data collection, could elect to simply not download the content.

However, the Article 29 Working Party released revised guidance in April 2018 that, although not addressing gated content specifically (and still not being completely clear on what constitutes a “service”), does shed additional light on the subject. Several statements, while not individually concluding on the matter, collectively paint a clear picture of the regulation’s intent:

  • The purpose of personal data processing [should not be] disguised nor bundled with the provision of a contract of a service for which these personal data are not necessary.
  • Even if the processing of personal data is based on consent of the data subject, this would not legitimize collection of data which is not necessary in relation to a specified purpose of processing and be fundamentally unfair. Any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid.
  • The controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment. For example, the controller needs to prove that withdrawing consent does not lead to any costs for the data subject and thus no clear disadvantage for those withdrawing consent.

The Working Party even goes so far as to provide several example scenarios. While none address gated content specifically, the first is the most applicable:

“A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services. The app also tells its users it will use the collected data for behavioural advertising purposes. Neither geolocalisation or online behavioural advertising are necessary for the provision of the photo editing service and go beyond the delivery of the core service provided. Since users cannot use the app without consenting to these purposes, the consent cannot be considered as being freely given.”

If We Give Them a Choice, Why Does it Matter?

Assuming that the provider of the gated content was completely transparent about the purpose for collecting the data subject’s information and the intended use of that data, the use of gated content really comes down to a few key questions:

  • What is the service being provided?
  • Is collection of personal data necessary to provide that service?
  • What constitutes “inappropriate pressure”?
  • Will the data subject be at a detriment if they do not provide their personal data (in other words, would it be “fundamentally unfair”)?
  • Will the data subject be at a detriment if they withdraw consent after providing their personal data?

On the surface, the service being provided seems obvious: Meaningful, proprietary guidance and research is the product. If this is in fact the service, then the collection of personal data is surely not necessary to provide that service. If the provider felt that the content was valuable, they could charge a fee for the service. However, this is not the same as asking for the personal data of EU residents that is protected under the GDPR. Additionally, while the data subject will not be at a detriment if they decide to withdraw consent sometime in the future (they will have already received the benefit of the service), they may be at a detriment initially if they decide not to provide their information and download the content, especially if the content has pertinent information that could be used by a competitor if that competitor chose to provide their information.

On the flip side, one could also argue that the actual service being provided in exchange for the data subject’s contact information isn’t the gated content, but actually the follow-up contact or subscription to other content (such as newsletters or blog articles). In this case, the GDPR would likely view the gated content as merely a ruse to convince the data subject to provide their information. In this context, “inappropriate pressure” is being applied to the data subject to coerce them to submit to data collection.

In both scenarios, the collection of a data subject’s personal information violates the intent of the regulation. When assessing whether the subject’s personal information was “freely given” the key question is whether they would have given it had they not felt compelled to do so to obtain access to the content. While this subject will continue to evolve over time and additional clarity will be provided with subsequent legal rulings, the consensus of the available information is that content cannot be provided under the sole requirement that data subjects provide personal information that is protected under GDPR and not necessary for fulfillment of the service.

Is This Really the End of Gated Content?

For businesses that do not operate in the EU or promote goods/services to EU residents, gated content can still be leveraged as a marketing strategy. This is also true if EU residents access your site but are not directly targeted (e.g., you do not market services in Europe but your site can be accessed from within the EU). For those businesses that are subject to the rules and regulations of the GDPR, there are only two options: Continue with business as usual or modify the approach to gated content.

For many companies, gated content is a significant source of sales leads and is essential to their business model. Simply abandoning this model may not be a viable option. In these cases, they are most likely asking (and answering) the following questions:

  • Is it likely that an EU resident is going to file a complaint just because we asked for their e-mail address? It doesn’t seem very plausible.
  • Is the EU even equipped to enforce the regulation at this point? We can’t imagine that we would be high on their list of priorities.
  • Even if someone did report us, wouldn’t such a minor infraction just result in a simple warning and corrective action plan? They aren’t going to fine us 4% of revenue for an e-mail address.

For risk-tolerant companies, all of these are valid questions. And at the individual data subject level, gated content may not seem like a big risk. However, if a company experienced a data breach where all their marketing contact information was released, and it was found that this information was primarily collected via gated content forms, the penalties and fines could quickly escalate. The most important question, then, is how much is it worth to you?

If your company does decide to comply with the spirit of the regulation, the methods for soliciting information will need to change. While marketers can still provide content and ask for data subject information, the following conditions must be met:

  • Data subjects must be made aware that they are not required to provide their personal information in order to receive the content.
  • Data subjects must be made aware of the reasons for data collection, how their data will be used, and of their right to withdraw consent at any time.

Although most marketers will find that the number of data subjects willing to voluntarily provide their personal information will decline when not required to do so, they may also find that those that do elect to provide their information will be highly qualified and can lead to more targeted marketing. Additionally, it puts the onus on the content provider to have high quality, timely, and relevant information. If the content demonstrates value, visitors will come back for more and likely engage your company to provide products or services at some point.

Additional Note: Data Subject Consent Given Prior to the GDPR

Another area of concern for many marketers has been the handling of data subjects that have already provided their consent for processing prior to GDPR. The new guidance addresses this topic as well:

Controllers that currently process data on the basis of consent in compliance with national data protection law are not automatically required to completely refresh all existing consent relations with data subjects in preparation for the GDPR. Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR.

So, there you have it. If your company is complying with the GDPR, it is not necessary to do a complete refresh of data subject authorization for processing. With that said, it wouldn’t hurt to demonstrate adherence to the spirit of the regulation by informing these data subjects that you hold their data and of their rights under the new regulation.

If you would like to discuss GDPR compliance or have any questions related to this new regulation, Avalution can help. Please contact us today to learn more.

_______________________

Chris Debo, Avalution Consulting
Business Continuity Consulting | Information Security Consulting | Catalyst