On July 31st, TrustArc offered the latest webinar in its free Privacy Insight Series, entitled Cookie Crack Down: What New ICO and CNIL Guidance Means for Your Business. The hour-long session and its slides are available on demand.
The webinar, colorful (we hope) in both its narration and its slides, set out to make the following wide-ranging topics digestible:
- How the data-driven digital advertising system works, from personalized ads, to the ad tech alphabet soup’s major participants, to identifiers and segments;
- The mechanics of real-time bidding (RTB) and bid requests, ad exchanges, and current RTB lawsuits in Europe;
- The interplay between the ePrivacy Directive and the GDPR, and the status of current ePrivacy Regulation legislative discussions;
- The U.K. Information Commissioner’s Office (ICO) report on ad tech and RTB, including its clarifications that consent is required for ePrivacy purposes (and is therefore, most likely, also the lawful basis for the RTB processing that follows), the impermissible collection and use of special category data, transparency, and the need for data protection impact assessments;
- The French CNIL’s recently revised “continued navigation” cookie consent interpretation;
- The ICO’s new cookies-related guidance, including the “strictly necessary” cookie consent exception, website audits, and the view of 1st party analytics cookies; and
- Why TrustArc continues to recommend a “Zero-cookie/tracker” load approach for your Cookie Consent Manager, by integrating either a tag manager or our own API to prevent the firing of tags or dropping of cookies until after an opt-in consent preference has been recorded.
For broader visibility and information sharing, what follows are short answers to questions that we received during and after the webinar. As always, this is intended for informational purposes only and should not be viewed as legal advice, but can nonetheless perhaps be used as considerations for further discussions with legal counsel on a case-by-case basis.
How to control all these third parties on our website? There can be many…! Yes, indeed. We recommend identifying all first and third party trackers present on your website via Website Monitoring Manager; understanding how they arrived on your digital property in the first place (e.g., with your permission versus “daisy-chaining” in behind a tag you did authorize); reviewing any underlying contracts with the unaffiliated entities; categorizing the cookies/trackers according to what they do for your digital property; and using Cookie Consent Manager with a tag management system or our API to block their loading until after a user consents.
What are EU regulators’ views on “cookie walls” that require consent to advertising cookies in order to access a site? As discussed during the webinar, the UK ICO generally disfavors cookie walls that employ a “take it or leave it” approach, on the grounds that this generally means consent is not freely given. That said, the ICO did leave the door open slightly for cookie walls used to access specific website content rather than as a prerequisite to general site access. The Dutch supervisory authority, on the other hand, has wholly endorsed the view that any obstacle preventing an end user from interacting with a website unless that user first affirmatively consents to the dropping of non-strictly-necessary cookies or the firing of other tracking technologies renders the consent invalid. The Dutch regulator indicated in March 2019 that it will “intensify the verification of correct compliance and has already sent a number of specific parties a letter about this,” suggesting that, with that notice now given, enforcement action is likely to follow.
Should the consumer at the end of an Internet session automatically revoke consent? That’s technically possible, such as by requesting an opt-out for all cookies or by altering one’s browser settings, but in practice for persistent (i.e., non-session) cookies that’s probably not scalable for most consumers given how many websites they visit.
Under the California Consumer Privacy Act (CCPA), aren’t even cookie data, inferred interests and behavior “personal information”? The definition of personal information (PI) under the CCPA is very broad, arguably more expansive than the GDPR’s definition of personal data. In addition to inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, behavior, attitudes and abilities, the CCPA’s PI definition also includes IP address, unique personal identifiers and browser search history.
Have you taken the EU court ruling of 29.07.19 into consideration already? Alas, we ran out of time during the webinar, but we’re pleased you’ve referred to the Fashion ID case. In it, the Court of Justice of the European Union (CJEU) found a joint controller relationship between Facebook and website operators embedding its “Like” button on their sites, but only with respect to the collection and transmission of website visitor data to Facebook, and not with respect to Facebook’s subsequent processing. Although we continue to monitor how the implications of this complex matter may be further understood, the CJEU appears to have clarified that websites using such widgets or social media plug-ins must transparently inform end users that visitor data is collected and transmitted, and request consent before sending PI to such third party recipients.
You indicated that ePrivacy (U.K. PECR) requires GDPR-level prior consent from an end user to access or store information on the user’s device using cookies or similar technologies…but does using a cookie tool to store EU site visitors’ consent preferences break this requirement? The ICO has clarified that exemptions to the consent requirement do exist under PECR, the U.K. regulations that transpose the ePrivacy Directive into U.K. law. TrustArc’s dynamic Cookie Consent Manager solution was built to help organizations provide notice, offer meaningful choice and remember users’ cookie preferences within a browser. In its recent guidance, the ICO noted that “user preference,” when coupled with proper purpose limitation, can form the basis for such an exemption, including in the context of a cookie consent mechanism. It further clarified that “the act of interacting with the consent mechanism can be sufficient for consent to be obtained for any cookies relating to that mechanism, provided the user is given clear and comprehensive information as to the fact that a persistent cookie will be set on their device for the purpose of remembering their cookie consent preference.”
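The “zero-cookie/tracker load” approach described above (no tag fires until an opt-in is recorded) and the first-party preference cookie that remembers the choice can both be seen in one small piece of client-side logic. The following is an added example written for this page; it is not TrustArc’s Cookie Consent Manager, its API, or any tag manager’s code. The cookie name `cc_consent`, the category names, the `data-consent-category` attribute and the sample tag inventory are assumptions for illustration. Only an explicitly recorded true allows a non-necessary tag to fire; a missing, malformed or revoked record blocks it.

```javascript
// Consent-gated tag loading with a first-party preference cookie.
// Added example, not TrustArc code. The cookie name "cc_consent", the
// category names and the sample tags below are assumptions for illustration.

// Tags that may load before any choice is recorded: only those the site itself
// needs to deliver what the user asked for (the "strictly necessary" exemption).
const NECESSARY = "necessary";

// A consent record is a plain object; only an explicit true counts as opt-in.
// Shape: { version: 1, ts: <epoch ms>, choices: { analytics: true, advertising: false } }
function newConsent(choices, ts) {
  const rec = { version: 1, ts, choices: {} };
  for (const [cat, v] of Object.entries(choices)) rec.choices[cat] = v === true;
  return rec;
}

// Serialise the record as a Set-Cookie value. It is first-party, Secure and
// SameSite=Lax so it never travels cross-site; Max-Age bounds its lifetime.
function consentCookie(rec, maxAgeSeconds) {
  const value = encodeURIComponent(JSON.stringify(rec));
  return `cc_consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Parse the record back out of a document.cookie-style string.
// Anything missing, malformed or of an unknown version is "no consent recorded".
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== "cc_consent") continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join("=")));
      if (rec && rec.version === 1 && rec.choices && typeof rec.choices === "object") return rec;
    } catch (_) {
      // fall through: a malformed cookie is treated as no consent
    }
    return null;
  }
  return null;
}

// Decide whether one tag may fire. No record, an unknown category, or a
// recorded false all block; only a recorded true allows.
function allowed(tag, rec) {
  if (tag.category === NECESSARY) return true;
  if (!rec) return false;
  return rec.choices[tag.category] === true;
}

// Split the site's tag inventory into what fires now and what stays dormant.
function gateTags(tags, rec) {
  const load = [], blocked = [];
  for (const t of tags) (allowed(t, rec) ? load : blocked).push(t);
  return { load, blocked };
}

// Browser hook: third-party scripts ship inert as
// <script type="text/plain" data-consent-category="advertising" src="..."></script>
// and are swapped for a live script element only once allowed(). Returns the
// number activated; a no-op where there is no document (e.g. under Node).
function activateDeferred(rec, doc) {
  if (!doc) return 0;
  let n = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!allowed({ category: el.dataset.consentCategory }, rec)) continue;
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    n++;
  }
  return n;
}

// Constructed tag inventory for the walkthrough (not a real site's tags).
const SAMPLE_TAGS = [
  { name: "session", category: NECESSARY },
  { name: "site-analytics", category: "analytics" },
  { name: "ad-exchange-pixel", category: "advertising" },
];

// Walk through a visit: nothing recorded yet, then an opt-in to analytics only.
function walkthrough() {
  const before = gateTags(SAMPLE_TAGS, readConsent("")).load.map((t) => t.name);
  const rec = newConsent({ analytics: true, advertising: false }, 1564531200000);
  const cookie = consentCookie(rec, 180 * 24 * 3600);
  const after = gateTags(SAMPLE_TAGS, readConsent(cookie)).load.map((t) => t.name);
  return { before, after, cookie };
}
```

Revocation is the same path in reverse: writing a new record with the category set to false (or deleting the cookie) makes `allowed()` return false on the next page load, so a tag that has already fired in the current page is the only thing the gate cannot undo. The consent cookie itself is first-party, carries nothing but the user’s own choice, and is the kind of “user preference” cookie the ICO guidance quoted above treats as exempt, provided the notice text says it will be set.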
If I’m running A/B tests on a website, do I need to ask for consent to the users based on ICO guidance? If you are running A/B tests on a website targeted at EU visitors, and the tests involve cookies or similar tracking technologies that access or store information on the user’s browser or mobile device, then, absent an exemption considered with counsel and documented (such as, perhaps, for limited security, network management, authentication, or other purposes “strictly necessary” to provide the end user a requested service), it is likely that consent for ePrivacy/PECR purposes would need to be obtained prior to such access or storage.
If I am a data collector, but the personal data unequivocally will not be used for any marketing or sales purposes, do you feel a notification of cookies is sufficient? Or is a separate active consent still a necessity? Regardless of the purpose, for ePrivacy Directive compliance, consent is likely needed to access or store information on a user’s browser or device unless an exemption applies. It’s possible to assert a different lawful basis, such as legitimate interests, to process any subsequent information derived from the cookies or trackers for which you obtained ePrivacy consent, but this is a nuanced determination that should only be made when fully understood with legal counsel.
Will real-time bidding procedures be considered a “sale” under the CCPA? How are cookie issues impacted by CCPA? These are good questions that are not entirely clear from the text of the CCPA, and which intersect with areas where guidance from the California Attorney General is highly sought after. Given the breadth of the definition of “sell” or “sale” under the CCPA, which includes disclosing, disseminating, making available or transferring “a consumer’s [PI] to another business or a third party for monetary or other valuable consideration,” this would seem to capture many of the standard practices that exist every millisecond in RTB. However, determinations as to “business” eligibility, or whether an entity is acting as a “service provider” pursuant to a valid “business purpose” (and thus potentially outside the definition of a “sale”) versus acting as a “third party,” are all matters of interpretation that turn on the particulars of any entity’s activities, and so cannot be easily answered on a general level.
Which cookie consent management platforms would you recommend? Well, since you asked this question in earnest, we’ll answer in earnest–our very own Cookie Consent Manager of course!
Thank you for your questions and participation during this event. Feel free to sign up for a free subscription to our Privacy Insight Series or contact us anytime to learn more about how TrustArc can help your organization with all its privacy needs!