GDPR and client-side tools
17 April 2018
Lots of GDPR advice out there. As far as I can tell it pretty much falls into three categories.
1. Play it straight and handle user consent correctly. Good part: you end up with less personal data, but what you do have is better quality and you clearly know what data you can use for what purposes. Bad part: UX gets annoying because users have to fill out a bunch of web forms.
2. Cut back on surveillance marketing. Good part: better for brand equity in the long run. All advertising is brand advertising. Some of it is just brand advertising in the wrong direction. Bad part: what long run? CMO is a short-term job, and surveillance marketing projects get budgets for a reason. Strip-mining brand equity is a short-term win.
3. Hack the system, and build a way to keep doing surveillance marketing as usual. Good part: like one spider said to the other spider in the Far Side cartoon, "if we pull this off, we'll eat like kings." Surveillance marketing lobbyists might still get European governments to accept this kind of thing. Bad part: what if Johnny Ryan at PageFair is right, and it won't work for regulatory reasons? Or if the client side improves privacy protections and it won't work for technical reasons? (What did I tell you? Delay to e-privacy regulation causes uncertainty.) Then you have done just as much work as the clean solution, with nothing to show for it.
But what if there is another way?
1. Start with the clean version. (Here's that link again: How to: GDPR, consent and data processing).
2. Add microformats to label consent forms as consent forms, and appropriate links to the data usage policy to which the user is being asked to agree.
3. Release a browser extension that will do the right thing with the consent forms, and submit automatically if the user is fine with the data usage request and policy, and appears to trust the site. Lots of options here, since the extension can keep track of known data usage policies and which sites the user appears to trust, based on their activity.
4. Publish user research results from the browser extension.

At this point the browsers can compete to do their own versions of step 3, in order to give their users a more trustworthy and less annoying experience.
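A sketch of how steps 2 and 3 could fit together, added here as an example and not taken from any existing extension. The class names `h-consent`, `u-policy` and `p-purpose`, the shape of `prefs`, and the caller-supplied policy digest are all assumptions made for illustration.

```javascript
// Added example. Class names h-consent, u-policy and p-purpose are hypothetical.

// Collect labelled consent forms under `root` (the page's `document` in a content script).
function findConsentRequests(root, pageUrl) {
  return Array.from(root.querySelectorAll('form.h-consent'), (form) => {
    const link = form.querySelector('a.u-policy');
    const href = link && link.getAttribute('href');
    return {
      form,
      site: new URL(pageUrl).origin,
      // Resolve relative hrefs against the page; null when no policy is linked.
      policyUrl: href ? new URL(href, pageUrl).href : null,
      purposes: Array.from(form.querySelectorAll('.p-purpose'),
        (el) => el.textContent.trim()),
    };
  });
}

// Return 'submit' only when every check passes; otherwise 'ask', which leaves
// the form on the page for the user to answer by hand.
// prefs = { trustedSites: Set of origins,
//           acceptedPolicies: Map of policy URL -> digest of the text the user accepted,
//           allowedPurposes: Set of purpose strings }
// policyDigest: digest of the policy text as fetched just now (computed by the caller).
function decide(req, prefs, policyDigest) {
  if (!req.policyUrl || new URL(req.policyUrl).protocol !== 'https:') return 'ask';
  if (!prefs.trustedSites.has(req.site)) return 'ask';
  // A policy that is unknown, or edited since the user accepted it, is shown again.
  const accepted = prefs.acceptedPolicies.get(req.policyUrl);
  if (!accepted || accepted !== policyDigest) return 'ask';
  // An unlabelled form, or any purpose the user has not allowed, is never auto-submitted.
  if (req.purposes.length === 0) return 'ask';
  return req.purposes.every((p) => prefs.allowedPurposes.has(p)) ? 'submit' : 'ask';
}

// Constructed sample: a trusted site asking for one allowed purpose.
const samplePrefs = {
  trustedSites: new Set(['https://news.example']),
  acceptedPolicies: new Map([['https://news.example/privacy', 'digest-v1']]),
  allowedPurposes: new Set(['newsletter']),
};
const sampleRequest = {
  site: 'https://news.example',
  policyUrl: 'https://news.example/privacy',
  purposes: ['newsletter'],
};
console.log(decide(sampleRequest, samplePrefs, 'digest-v1'));
```

The default is `ask`, so a mislabelled form, a policy served over plain HTTP or a silently changed policy falls back to the ordinary consent form.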
Browsers need to differentiate in order to attract new users and keep existing users. Right now a good way to do that is in creating a safer-feeling, more trustworthy environment. The big opportunity is in seeing the overlap between that goal for the browser and the needs of brands to build reputation and the needs of high-reputation publishers to shift web advertising from a hacking game that adtech/adfraud wins now, to a reputation game where trusted sites can win.