A significant proportion of our clientbase have invested in technologies that track and identify their audience through the use of cookies with pseudonymous identifiers. These are essentially cookies that contain strings of alphanumerics that make a given cookie unique to its recipient. This uniqueness affords these technologies the ability to identify said recipient - either as a recognisable device, or in some cases a particular individual using a particular device.

It is the uniqueness of these cookies that qualifies them as 'personal data' under the upcoming GDPR regulation. This means that by using this technology, you will be legally processing personal data. GDPR necessitates that before you process personal data of EU citizens, you must obtain their absolute and definite consent, and you need to be able to prove it.

Legitimately obtaining consent is contingent upon numerous factors. Unhelpfully, there is a degree of ambiguity around what qualifies as absolute and provable consent. As I understand it, this consent can be synthesised as an affirmative action that is executed in an informed and unequivocal manner. This means that implied consent, soft opt-ins, preticked boxes are all out the window.

I would speculate that this is going to hit the adtech, marketing automation, and WebID tracking technology companies very hard. Mainly because I just can't envisage people consenting to being tracked ad infinitum, when there's a very easy option to say no. It doesn't matter how helpful the impact of the tracking is - whether it's a timely offer on a product, or a seemingly serendipitous phone call from a salesperson - ultimately if the option is there to avoid being sold/marketed to in the future, my money says that people will take it every time.