PrimeConduct - GDPR & DPO Services

Bundled Consent vs Building trust

Bundled Consent or Building Trust – That is the question.

With all the privacy updates from companies, I have been looking further at websites with what appears to be bundled consent, and one particular major retail site, which recently emailed me their privacy update, caught my attention.

I was expecting, maybe hoping, that this was going to be their opportunity to tell me how trustworthy and reliable they are as a business and I should look no further for food, products, technology and even financial products. They managed to draw me in to their website but then it all started to go horribly wrong.

The part that concerned me the most was not the need for some personal information to deliver products to my home, that seems fair and reasonable. It even seems reasonable that I may save my card details on their site to make repurchasing simpler. What really bothered me was the list of third parties that they share personal information with, to which I have never consented.

This included IT providers, which in my experience is not necessary if the data is encrypted, as recommended almost universally. The data should only be accessible by those who really have a justification for accessing it.

It also included bundled consent for data to be exported outside the EEA. The regulation on this appears to me to be pretty clear and uses the word explicit. If I want to order something from them that comes from a country outside of the regulation then they need explicit consent from me for that specific purpose, with an expectation that data will be erased after the purpose is fulfilled, except for that which is absolutely necessary for conformance with legal obligation, another item they do not confirm.

The policy claims that you can write to them to have some or all of this turned off, but again that appears to me to be contrary to the legislation. Where are the specific explicit consent boxes in “My Account”?

If you then look at the limited tick boxes available on “My Account”, you find the wording is still old-style: “I’d prefer not to receive updates…”. Overall it appears that this retailer is missing the point.

It also included, according to the Privacy policy, all of the following third parties.

Monetate, Session Cam, CACI, Visual IQ, BazaarVoice, AppNexus, BlueKai, Bidswitch, Adobe Tag Management, Rubicon, RichRelevance, Doubleclick, Scene7, Omniture, New Relic, Edigital, Ensighten, Google, Tapad, Facebook, TagMan, Twitter, Infection Media

Now I realise that I can install, as I have, blocking software to stop tracking cookies, web beacons and the like, and frankly I would recommend everyone does that, but that leaves the onus on the consumer and seems to me to conflict with the responsibilities of the supplier under the regulation.

Consent is supposed to be clear, transparent and specific. Providing my name, address and card details to have product home delivered is one thing; sharing that with numerous other companies is quite another. This is bundled consent, and although I can block this, I can also use the nuclear option and not use this retailer at all. I would prefer that this provider became a trusted supplier that I can reasonably expect to look after my personal data.

My advice to all businesses is: build trust, only use personal information for its intended purpose, and the customers will come. The reason for hiring an experienced Data Privacy Professional is partly to see the regulation from the consumer's perspective, which, if implemented, will build trust and benefits to the business which outweigh the costs and reputational damage of trying to apply a workaround. I was drawn in to the website from an email that had to be sent out. What an opportunity to engage and create a positive experience, and maybe even a chance to sell me something. Instead there followed a complaining letter to their DPO. Opportunity lost, brand reduced, trust seriously bent.