The intent of the General Data Protection Regulation was to restore people’s online information to them. Under GDPR, businesses must ask consumers to opt in to sharing their data to process it for services like advertising.

One common complaint from companies is that if they provide more than one service, they have to get people to opt in separately to each one instead of bundling the consent process into one opt-in. For example, users must opt in to sharing their data with each Facebook product, including Facebook, Watch, Messenger and WhatsApp. GDPR prohibits bundling consent requests, but that isn’t stopping companies from doing it. At the Digiday Hot Topic UK: GDPR event in May, which occurred before the law took effect on May 25, half of the 22 companies surveyed by Digiday indicated they planned on bundling their consent requests.

Those who violate GDPR run the risk of heavy fines. Bloomberg reported that a complaint against Google filed in France claimed that Google “relies on an overall bundled consent to anything contained in the privacy policy for Android phones, which includes several other products.” Even the Interactive Advertising Bureau was accused of bundling consent in the run-up to GDPR.

In preparation for GDPR, Axel Springer ran tests to determine the optimal method for soliciting consent from readers. The publisher determined that people were slightly more likely to opt in to sharing their information with all of Axel Springer’s publications than just one site. In theory, Axel Springer’s approach could be GDPR-compliant if the publisher delivers the same service and processes user data the same way on each of its sites. However, regulators could consider the approach bundling if they decide that Axel Springer can’t ask for a universal opt-in. Because no one knows yet what GDPR enforcement looks like, it’s anyone’s guess if consent requests like Axel Springer’s are legal.

One line of thinking was that with many companies are breaking the law, it would be harder for regulators to punish companies for infractions like bundling consent requests because regulators wouldn’t be able to keep track of all the violators. But since GDPR took effect, complaints against companies have grown remarkably. In just over three weeks, regulators in France and the Czech Republic each received over 400 GDPR complaints, though it is uncertain how many of them pertain specifically to bundling consent.

  • LinkedIn Icon