First, because it is a legal matter now, and will be even more so next year, for every company within the EU (the EU law directive on personal data protection shall apply on 28 May 2018).
That’s not fun, but that’s reality.
What are the potential risks?
On the legal aspect, remedies and sanctions can be claimed only by the person whose rights are at stake; this will be someone who is, or at least claims to be, the data subject.
Regarding the sanction, it’s quite flexible and nothing has been fixed yet:
“although EU Member States enjoy a margin of discretion in determining what measures are most appropriate for safeguarding rights that individuals derive from EU law, in line with the principle of loyal cooperation as laid down in Article 4 (3) of the TEU, the minimum requirements of effectiveness, equivalence, proportionality and dissuasiveness should be respected.” – Data Protection FRA.
However, the most important risk is not the legal sanction, but the publicity around the potential trial linked to that complaint. Paying some amount of money to someone who noticed that their personal data was not respected and wants to fight for it is not much compared to facing an entire army of “unhappy” visitors and potential customers. They may have come to your website during the last few months and suddenly realize that your company has registered their email or postal code without their consent (maybe even more information, such as number of children, age, nationality…).
At this point it is no longer a “one guy” issue, but a “bad buzz” and a major communication matter. And it will take more than a week to recover from it.
What should you do as an individual?
Yes, we are all customers and visitors, and we all have a private life. Even if we make our business by tracking people on the internet, it is also our responsibility to evangelize and to inform others.
Using an ad-blocker?
Using an ad-blocker is not the best option, even if it is usually efficient and easy to set up. In the long term, it will push the industry to develop another way to track you, to identify you, to target you. And that new way may not be as easy to control as the cookie system that we are currently using. I would always recommend that my relatives choose what they want to see rather than hide it. You can do this with different platforms such as YourOnlineChoices.
This directive doesn’t mean that you will no longer have advertising during your visit, but you will have the opportunity to be proactive in that targeting process. When targeted right, you will be offered ads that you actually want to see.
If you have doubts about what a company can do with your data (personal or not, by the way), ask them. Try to find out the purpose on their legal page (they must have one), and if you still have doubts, use a competitor.
This directive or law is not only about cookies, data protection or privacy; it is first of all about trust. Can you trust the company or the service you are currently using?
What should you do as a company?
Win the trust of your customers. Be transparent and honest. Yes, you need some information about their way of living, where they live, where they come from and what they are interested in, but for specific purposes. You just need to explain those purposes to them. Moreover, you need to use the data to show them that, in practice, they benefit from it too.
Take Amazon for example. You can save your credit card number for the next time you buy on their website. That means that yes, you are basically giving them all the information needed to buy online with your credit card, and giving them consent to save it for a potential next time (that’s not mandatory, only an option). Why would you do that? Just because it’s convenient – you know it’ll make your life easier. And also, because you trust the service.