Staying compliant with Google's EU Consent Policy - even in the UK
At a recent business meeting I advised delegates of the ripple effect that the introduction of the EU Digital Markets Act (DMA) and Google’s updated EU User Consent Policy will have on how businesses operate online – even in the UK. For Small and Medium-sized Enterprises (SMEs) in the UK, understanding and complying with these regulations is not just about legal necessity but also about fostering trust and maintaining a competitive edge. Of course, if you don’t have any Google products on your website you can make a mug of tea and relax. If you do though, read on…
Understanding Google’s EU User Consent Policy
At the heart of these changes is the need for explicit user consent – nothing new there if you already comply in detail with the Privacy & E-Comms Regulations in the UK, but there is definitely a segment of businesses that not only share data via cookies nominally under a Legitimate Interest banner, but also take an ‘I’ll wait until I get caught’ approach to risk. The DMA and Google’s policy demand that businesses obtain clear and affirmative consent before processing personal data. This includes the use of cookies, data storage, and personalised advertising. The goal is to give users control over their information, ensuring their privacy is respected in accordance with the General Data Protection Regulation (GDPR).
Key Requirements of Google’s EU User Consent Policy
- Gaining Explicit Consent: Consent must be voluntary, precise, well-informed, and unambiguous - basically to GDPR standards. No more pre-ticked boxes or implied consent. Again, this is nothing new if you are already compliant…
- Providing Clear Choices: Users must have the ability to manage their data preferences in detail, so that they can drill down and understand exactly what cookies you are using, what data is shared and with whom, how long a cookie will stay on a device and where in the world the data is going.
- Enhancing Transparency: Businesses must disclose their data practices and any entities that have access to user data i.e. the data recipients. This used to be the realm of businesses that embraced ethical practices – now it is a requirement.
- Collecting Consent Records: Documentation of user consent, including the text shown and the time of consent, is mandatory. Now this is where many small businesses and sole traders may come unstuck. Most web developers and website hosts offer a cookie banner that does the job reasonably effectively – blocking non-essential cookies until consent is given. However, banners of this style do not record when consent is given, in terms of date / time stamping it for the website owner. Google are now saying that this is mandatory.
Who Needs to Comply?
The scope of these policies extends beyond the EU, hence the ripple effect:
- Global Websites and Apps: Any platform accessible to EU residents must comply – so it doesn’t matter whether you target an EU audience or not.
- Digital Marketers and Advertisers: Those using tools like Google Ads or Analytics must follow these guidelines.
- E-commerce Platforms: Online retailers serving EU residents are subject to these regulations.
- Content Publishers Using Ad Networks: Publishers monetising through networks like Google AdSense must adhere to these policies.
Here are the Steps to Stay Compliant
- Implement a Consent Management Platform (CMP): Tools like Cookiebot or OneTrust can help manage user consents and regional legal demands. These products do date and timestamp when a user gives their consent but are clearly not free, and if not configured correctly, may still deploy cookies without consent.
- Integrate Google Tag Manager with Consent Management: GTM’s Consent Mode ensures tags operate only with user consent.
- Update Your Privacy Policies: Keep your privacy policy clear and current to reflect your data practices.
- Engage and Educate Your Users: Create content that explains the value of data sharing and the benefits it brings.
- Conduct Regular Audits and Monitor Results: Regular checks and monitoring tools can help maintain compliance.
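As an added illustration (not code from Google or any CMP vendor), the JavaScript below shows the two technical pieces described above: a consent record that captures the text shown and the time of consent, and Consent Mode signals that start denied and change only on an explicit choice. The category names, record fields and function names are assumptions made for the example; the gtag 'consent' command and the four signal names are those of Google Consent Mode.

```javascript
// Added example. Category names, record fields and function names are
// assumptions; the gtag 'consent' command and the four signal names are
// those of Google Consent Mode.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Map banner choices to Consent Mode states. Only an explicit `true`
// grants; missing, pre-filled or truthy-but-ambiguous values stay denied.
function toConsentModeState(choices = {}) {
  const state = {};
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    const granted = choices[category] === true;
    for (const signal of signals) state[signal] = granted ? 'granted' : 'denied';
  }
  return state;
}

// Call before any Google tag loads: everything starts denied.
function initConsentMode(gtag) {
  gtag('consent', 'default', toConsentModeState({}));
}

// Build the record to store: who, when, which banner text, what was chosen.
function buildConsentRecord({ visitorId, choices, bannerText, bannerVersion }, now = new Date()) {
  if (typeof bannerText !== 'string' || bannerText.trim() === '') {
    throw new Error('the banner text shown to the user must be recorded');
  }
  return Object.freeze({
    visitorId,
    recordedAt: now.toISOString(), // UTC timestamp of the consent action
    bannerVersion,
    bannerText,
    signals: Object.freeze(toConsentModeState(choices)),
  });
}

// Call only after the user has made a choice and the record is stored.
function applyConsent(gtag, record) {
  gtag('consent', 'update', record.signals);
}
```

In the browser, `gtag` is the function defined by the Google tag snippet, and the record would be sent to your own server for storage so it can be produced in an audit.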
Key Takeaways
- Compliance is a Must: Aligning with the DMA and Google’s policy is essential if you want to be legal and secure user trust.
- User Consent is Central: Explicit user consent is the cornerstone of these regulations.
- Education and Transparency are Key: Informing users and being transparent about data practices will enhance trust and brand reputation.
- Regular Audits are Crucial: Stay compliant by regularly auditing your data practices and consent records.
For UK SMEs, adapting to these regulations is a step towards building a more trustworthy digital environment. By embracing these changes, businesses can ensure their marketing strategies are both effective and lawful, paving the way for a future where user privacy and business growth go hand in hand.
But wait, I hear you cry... What if I don't bother? Well, Google are promising to police their own product usage and have advised that non-compliance could mean that your business can no longer access their products or services. So which is the lesser pain: the cost of compliance, or the cost of the impact on your business without using Google?
This article serves as a foundational guide for SMEs to navigate the complexities of the DMA and Google’s EU User Consent Policy. By following the outlined steps and understanding the importance of user consent, SMEs can position themselves as trusted brands where respect for user privacy is paramount.