Evidon launches ‘first commercial-grade’ GDPR solution
Replacing its previous compliance platform for the EU Cookie Law, the new version offers single-click or drill-down consents for users of sites and apps.
Less than a year from now, the General Data Protection Regulation (GDPR) goes into effect.
This week, New York City-based Evidon launched a beta version of what it says is “the first practical, commercial-grade solution” to collect user permissions in compliance with GDPR.
Called the Universal Consent Platform, it updates the company’s previous Site Notice Platform, which facilitated user consent for the GDPR’s predecessor, the European Union’s ePrivacy Regulation (“Cookie Law”).
Although this new platform is intended for publishers of mobile apps and desktop/mobile web sites, CEO and co-founder Scott Meyer told me that his company is also looking at applying the platform to other devices, such as voice-based agents like Amazon’s Alexa or smart car dashboards.
Under GDPR, companies with EU visitors need to obtain consent for collection and use of their personal data, which includes browsing behavior. Meyer noted that companies doing business in EU countries should take steps to comply because of the possible heavy fines. This includes, he pointed out, US-based brands with a European presence.
U.S. companies without much business in the EU will technically be in violation if they don’t comply, because GDPR covers any EU citizen wherever they are. But, practically, Meyer said there will likely be little legal exposure for those US-only firms, since “EU regulators don’t have some huge army.”
The platform has been designed so that a user can click a single “Accept” button if they choose to give consent across the board, or they can drill down into providing specific consents in a variety of categories. Once granted for a site or app, the user doesn’t need to grant permission again on subsequent visits, but can change consents at any time via an “Options” button. Here’s the single acceptance screen:
And here is a drilldown screen with individual consents:
Meyer noted that “GDPR is not trying to break the Internet,” in that it provides for some implied consents.
One type of data collection, he pointed out, involves info that is essential to the functioning of the site/app, such as determining what fonts your browser can display so a site can present itself properly. No explicit user consent is needed for this.
A second type, he said, relates to data collection that is needed for the publisher to respond to users’ actions, such as obtaining an address from the user to ship a purchased product. In supplying the address, the user implicitly grants permission.
The third bucket is the one most associated with GDPR. It covers data collection not essential to run the site or fulfill a user’s request, such as data relating to ad targeting, and it is the primary focus of the various consents in Evidon’s Consent Platform.
Evidon says that over 10,000 commercial sites and apps from about 250 brands have used the previous Site Notice Platform. About 20 firms, representing several hundred domains, have signed up to begin using the new Consent Platform.
Meyer told me that, while some qualitative user testing has been conducted on usability for the new platform, his company will now spend the next ten months before GDPR goes into effect testing how this platform can best obtain consent without discouraging user traffic.
Competitors TrustArc and OneTrust also have GDPR offerings, Meyer noted, adding that his company has about 90 percent of market share for solutions offering compliance with the Cookie Law. He described a GDPR solution recently offered by Janrain as “complementary” because Janrain is primarily focused on identity management.