EU High Court Confirms Pre-Ticked Boxes Are Insufficient for Cookie Consent

On October 1st, in the much anticipated Planet49 case, the Court of Justice of the European Union (ECJ) affirmed an earlier opinion set forth by the Advocate-General that utilizing pre-ticked boxes to obtain consent for website cookies does not represent valid consent because it does not show affirmative, unambiguous action on the part of the data subject.  The Court decided this with reference to the GDPR, the ePrivacy Directive and the GDPR’s predecessor, the Data Protection Directive, which was in force at the time of the matter at issue.

The case, referred to the ECJ by the highest court in Germany, involved an online gaming company that offered website visitors the opportunity–after providing basic contact information–to enter an online lottery.  To do so, visitors were shown two checkboxes: (1) an unticked box requesting the individual to agree to receive third party marketing messages, and (2) a pre-ticked box requesting the user to consent to the placement on their browser of advertising cookies.  To enter the lottery, the third party marketing checkbox had to be affirmatively ticked, whereas the advertising cookie checkbox did not have to be ticked–but had to be manually un-selected by the visitor in order to refuse her consent to such cookies.  

The Court analyzed Article 5(3) of the EU’s ePrivacy Directive, which requires that users have a GDPR-level of data subject consent prior to the storage and accessing of cookies on web browsers and other devices–which is separate from the requirement to then have a lawful basis for processing any personal data derived from those cookies, as is required by Article 6 of the GDPR.  The ECJ found that because ePrivacy requires that a user must have “given his or her consent” for the storage or collection of cookies, this weighs in favor of a literal interpretation such that “action is required on the part of the user in order to give his or her consent.”  

Other takeaways from the case include the ECJ confirming that the ePrivacy Directive’s consent requirements with respect to the storing or accessing of “information” apply irrespective of whether the information involved amounts to “personal data” as defined by the GDPR, and the finding that for consent to be valid, website operators must transparently indicate the life span of each cookie and whether any third parties will have access to them.  

Questions left unanswered by the decision include a formal opinion on the legality of so-called “cookie walls” that require consent to third party cookies as a pre-condition to general access to a website, and an opinion as to whether a data subject can be required to consent to the processing of personal data for advertising purposes in order to participate in the promotional lottery.  The latter question, which the ECJ was not asked to rule on, could by extension have implications for online ad-funded content.

This case serves as a reminder that for consent to cookies to be valid in the EU, the data subject’s consent at issue must be active, rather than passive; unambiguous and not implied, as would be the case by requiring individuals to be aware enough to un-tick a pre-ticked box; and specific, rather than bundled with other terms.  For a summary of the case, see here.

TrustArc’s best-in-class Cookie Consent Manager helps organizations of all industries and sizes satisfy their cookie compliance goals via its support for “zero-cookie” load experiences.  Through the integration of your organization’s tag management system, or the use of our Consent Manager API, the placement of cookies or the firing of tags or trackers can be withheld until after a user affirmatively opts-in using the Consent Manager.  For more information, reach out to your Technical Account Manager or contact TrustArc today.

Cookie Audit — Ready to Perform One Today?

“Cookie audits” resurfaced as a major topic shortly after the United Kingdom’s Information Commissioner’s Office (ICO) recommended that such audits become a regular part of a company’s privacy compliance efforts.

On July 3rd, the ICO announced that it had published a new, detailed guidance covering the use of cookies and similar tracking technologies on websites and other terminal equipment. As part of this guidance, the ICO emphasized the importance of performing comprehensive cookie audits to detail what cookies are being used on a website and to discern which of them comprise “strictly necessary” first and third party cookies versus those which do not. 

A cookie audit should inform website operators about the:

  • presence of cookies on a website
  • purpose and use of each cookie including the cookie’s involvement with processing of personal data
  • values, data, lifespan and other attributes linked to each cookie
  • proper categorization of each cookie such as required, functional or advertising
  • classification of each cookie as first or third party
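The audit checklist above, as an added example (not TrustArc's Website Monitoring Manager): a small pass over constructed Set-Cookie headers captured while loading a page, producing one row per cookie with party, lifespan, flags and the inventory's purpose. The page host, the hand-maintained inventory and the observed headers are all assumptions made for the example.

```javascript
// Constructed inputs for the example: the audited page host, a hypothetical
// hand-maintained cookie inventory (name -> purpose/category), and four
// Set-Cookie headers as a crawler might record them during a page load.
const PAGE_HOST = "www.example.com";

const INVENTORY = {
  session_id: { purpose: "keeps the user logged in", category: "required", personalData: true },
  cookie_consent: { purpose: "remembers the visitor's consent choice", category: "required", personalData: false },
  _ga: { purpose: "first-party analytics", category: "analytics", personalData: true },
};

const OBSERVED = [
  { setBy: "www.example.com", header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setBy: "www.example.com", header: "cookie_consent=v1:denied; Max-Age=15552000; Path=/; Secure; SameSite=Lax" },
  { setBy: "www.example.com", header: "_ga=GA1.2.111.222; Domain=.example.com; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/" },
  { setBy: "ads.tracker-example.net", header: "uid=xyz; Domain=.tracker-example.net; Max-Age=31536000; Path=/; SameSite=None; Secure" },
];

// Simplified "registrable domain" = last two labels. A real audit should use
// the Public Suffix List so that e.g. co.uk hosts are compared correctly.
function registrableDomain(host) {
  return host.replace(/^\./, "").split(".").slice(-2).join(".");
}

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifespan in seconds: Max-Age takes precedence over Expires (RFC 6265);
// neither attribute means the cookie lives only for the browser session.
function lifespanSeconds(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]);
  if (attrs.expires) return Math.round((Date.parse(attrs.expires) - now) / 1000);
  return null;
}

// One audit row: who set it, how long it lives, how it is protected, and
// what the inventory says it is for. Unknown names are flagged for follow-up.
function auditCookie(obs, { pageHost = PAGE_HOST, now = Date.now() } = {}) {
  const c = parseSetCookie(obs.header);
  const domain = c.attrs.domain || obs.setBy;
  const inv = INVENTORY[c.name];
  const life = lifespanSeconds(c.attrs, now);
  return {
    name: c.name,
    party: registrableDomain(domain) === registrableDomain(pageHost) ? "first" : "third",
    lifespan: life === null ? "session" : `${Math.round(life / 86400)} days`,
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
    category: inv ? inv.category : "UNCLASSIFIED",
    purpose: inv ? inv.purpose : "unknown - find out how this cookie arrived on the site",
    personalData: inv ? inv.personalData : null,
  };
}

function runAudit(observations = OBSERVED, opts = {}) {
  return observations.map((o) => auditCookie(o, opts));
}
```

Every row whose category is UNCLASSIFIED is a cookie the site is setting without a documented purpose, which is exactly the gap an audit is meant to surface.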

Further details about the ICO’s guidance on cookies can be found in the UK ICO and French CNIL Cookie Consent Privacy Compliance Update Advisory and the Cookie Crack Down Webinar.

Every website is unique, but cookie audits do not need to be a difficult exercise for companies wanting to address consent requirements from the GDPR, CCPA, and other regulations. The TrustArc Website Monitoring Manager enables companies to perform cookie audits starting with a deep website scan. The results can be integrated to the cookie consent notice and downloaded as a report to be shared with others. 

TrustArc Cookie Consent and Real-Time Bidding Webinar – Overview and FAQ

On July 31st, TrustArc offered the latest webinar in its free Privacy Insight Series entitled Cookie Crack Down:  What New ICO and CNIL Guidance Means for Your Business.  The hour-long session and its slides are available on-demand here.

The colorful webinar–we hope in terms of both its oral and visual accompaniment–attempted to make digestible the following far-ranging topics:

  • How the data-driven digital advertising system works, from personalized ads, to the ad tech alphabet soup’s major participants, to identifiers and segments;
  • The mechanics of real-time bidding (RTB) and bid requests, ad exchanges, and current RTB lawsuits in Europe;
  • The interplay between the ePrivacy Directive and the GDPR, and the status of current ePrivacy Regulation legislative discussions;
  • The U.K. Information Commissioner’s Office (ICO)’s report on ad tech and RTB, including its clarifications around consent for ePrivacy purposes (and, likely, then consent as the lawful processing basis for RTB activities), the impermissible collection and use of special category data, transparency, and the need for data protection impact assessments;
  • The French CNIL’s recently revised “continued navigation” cookie consent interpretation;
  • The ICO’s new cookies-related guidance, including the “strictly necessary” cookie consent exception, website audits, and the view of 1st party analytics cookies; and
  • Why TrustArc continues to recommend a “Zero-cookie/tracker” load approach for your Cookie Consent Manager, by integrating either a tag manager or our own API to prevent the firing of tags or dropping of cookies until after an opt-in consent preference has been recorded.

For broader visibility and information sharing, what follows are short answers to questions that we received during and after the webinar.  As always, this is intended for informational purposes only and should not be viewed as legal advice, but can nonetheless perhaps be used as considerations for further discussions with legal counsel on a case-by-case basis. 

How to control all these third parties on our website?  There can be many…!  Yes, indeed.  We recommend identifying all first and third party trackers present on your website via Website Monitoring Manager; understanding how they arrived on your digital property in the first place (e.g., with your permission versus “daisy-chaining” in); reviewing any underlying contracts with the unaffiliated entities; categorizing the cookies/trackers according to what they do for your digital property; and using Cookie Consent Manager with a tag management system or our API to not allow their loading until after a user consents.

What are EU regulators’ views on “cookie walls” that require consent to advertising cookies in order to access a site?  As discussed during the webinar, the UK ICO generally disfavors cookie walls that employ a “take it or leave it” approach, on grounds that this generally results in consent not being freely given.  That said, the ICO did leave the door open slightly for cookie walls used to access specific website content rather than as a prerequisite to general site access. The Dutch supervisory authority, on the other hand, has wholly endorsed the view that obstacles that prevent an end user from interacting with a website unless that user first affirmatively consents to the dropping of non-strictly necessary cookies or firing of other tracking technologies render the consent invalid.  The Dutch regulator in March 2019 indicated that it will “intensify the verification of correct compliance and has already sent a number of specific parties a letter about this,” suggesting that with that notice now enunciated, enforcement action is likely to follow.

Should the consumer at the end of an Internet session automatically revoke consent?  That’s technically possible, such as by requesting an opt-out for all cookies or by altering one’s browser settings, but in practice for persistent (i.e., non-session) cookies that’s probably not scalable for most consumers given how many websites they visit.  

Under the California Consumer Privacy Act (CCPA), aren’t even cookie data, inferred interests and behavior “personal information”?  The definition for PI under the CCPA is very broad–arguably more expansive than the GDPR.  In addition to including inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, behavior, attitudes and abilities, the CCPA’s PI definition also includes IP address, unique personal identifiers and browser search history.

Have you taken the EU court ruling of 29.07.19 into consideration already?  Alas, we ran out of time during the webinar, but we’re pleased you’ve referred to the Fashion ID case.  In it, the Court of Justice of the European Union found a joint controller relationship between Facebook and website operators using its “Like” button on their website–but only with respect to the collection and transmission of website visitor data to Facebook, and not with respect to subsequent processing by Facebook. Although we continue to monitor how the implications of this complex matter may be further understood, the ECJ seems to have clarified that websites using widgets or social media plug-ins must transparently inform end users of this and request consent in advance of sending PI to such third party recipients.

You indicated that ePrivacy (U.K. PECR) requires GDPR-level prior consent from an end user to access or store information on the user’s device using cookies or similar technologies…but does using a cookie tool to store EU site visitors’ consent preferences break this requirement?  The ICO has clarified that exemptions to the consent requirement do exist for its PECR regulations that transpose the ePrivacy Directive into U.K. law.  TrustArc’s dynamic Cookie Consent Manager solution was built to help organizations provide notice, offer meaningful choice and remember users’ cookie preferences within a browser.  In its recent guidance, the ICO noted that “user preference,” when coupled with proper purpose limitation, can form the basis for such an exemption, including in the context of a cookie consent mechanism.  It further clarified that “the act of interacting with the consent mechanism can be sufficient for consent to be obtained for any cookies relating to that mechanism, provided the user is given clear and comprehensive information as to the fact that a persistent cookie will be set on their device for the purpose of remembering their cookie consent preference.”
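The “zero-cookie load” approach described in the webinar topics above and the consent-preference cookie discussed in this answer, as one added example (not TrustArc's Consent Manager or its API): non-essential tags are queued and only executed after an explicit, per-category opt-in, no category starts pre-ticked, and the only cookie written is the one that remembers the decision. A tiny in-memory cookie jar stands in for document.cookie so the logic runs outside a browser; the category names and cookie name are assumptions.

```javascript
// Categories: "required" is strictly necessary and never gated; the others
// need an affirmative tick before anything in them may run.
const ESSENTIAL = "required";
const CHOICES = ["analytics", "advertising"];

// Stand-in for document.cookie so the example runs without a DOM.
function makeCookieJar() {
  const store = new Map();
  return {
    set: (name, value, maxAgeSec) => store.set(name, { value, maxAgeSec }),
    get: (name) => (store.has(name) ? store.get(name).value : null),
    all: () => Array.from(store.keys()),
  };
}

class ConsentGate {
  constructor(jar, { preferenceCookie = "cookie_consent", maxAgeSec = 180 * 86400 } = {}) {
    this.jar = jar;
    this.preferenceCookie = preferenceCookie;
    this.maxAgeSec = maxAgeSec;
    this.queued = { analytics: [], advertising: [] };
    this.fired = [];
    // Re-hydrate an earlier decision; absence means "no decision yet", never "yes".
    const saved = jar.get(preferenceCookie);
    this.decision = saved ? JSON.parse(saved) : null;
  }

  // Tag managers call this instead of firing directly. Essential tags run at
  // once; everything else waits until the category has been opted into.
  register(category, name, run) {
    if (category === ESSENTIAL) { run(); this.fired.push(name); return; }
    if (!CHOICES.includes(category)) throw new Error(`unknown category ${category}`);
    if (this.decision && this.decision[category] === true) { run(); this.fired.push(name); return; }
    this.queued[category].push({ name, run });
  }

  // Banner self-check: every optional category must start unticked
  // (the Planet49 point: a pre-ticked box is not consent).
  static validDefaults(form) {
    return CHOICES.every((c) => form[c] === false);
  }

  // Record what the user actually ticked. Missing keys are treated as false,
  // so silence or an untouched form never turns into consent.
  decide(choices) {
    const decision = Object.fromEntries(CHOICES.map((c) => [c, choices[c] === true]));
    this.decision = decision;
    this.jar.set(this.preferenceCookie, JSON.stringify(decision), this.maxAgeSec);
    for (const c of CHOICES) {
      if (!decision[c]) continue;
      for (const t of this.queued[c].splice(0)) { t.run(); this.fired.push(t.name); }
    }
    return decision;
  }

  // Withdrawal: tags registered later in that category are held again.
  withdraw(category) {
    if (!this.decision) return;
    this.decision[category] = false;
    this.jar.set(this.preferenceCookie, JSON.stringify(this.decision), this.maxAgeSec);
  }
}

// Walk-through: nothing non-essential fires before decide(), and ticking only
// analytics leaves the advertising pixel unfired.
function demo() {
  const jar = makeCookieJar();
  const gate = new ConsentGate(jar);
  const log = [];
  gate.register("required", "session", () => log.push("session"));
  gate.register("analytics", "analytics-tag", () => log.push("analytics-tag"));
  gate.register("advertising", "ad-pixel", () => log.push("ad-pixel"));
  const beforeDecision = [...log];
  gate.decide({ analytics: true });
  return { beforeDecision, afterDecision: [...log], cookies: jar.all() };
}
```

In a real deployment the `run` callbacks would be the tag manager's triggers, and the preference cookie's existence and lifespan must be disclosed in the banner text for the ICO's “user preference” exemption to apply.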

If I’m running A/B tests on a website, do I need to ask the users for consent based on ICO guidance?  If you are running A/B tests on a website targeted at EU visitors, and the tests involve cookies or similar tracking technologies that access or store information on the user’s browser or mobile device, then absent an exemption considered with counsel and documented (such as, perhaps, for limited security, network management, authentication, or other purposes “strictly necessary” to provide the end user a requested service), it is likely that consent for ePrivacy/PECR purposes would need to be obtained prior to such access or storage.

If I am a data collector, but the personal data unequivocally will not be used for any marketing or sales purposes, do you feel a notification of cookies is sufficient?  Or is a separate active consent still a necessity?  Regardless of the purpose, for ePrivacy Directive compliance, consent is likely needed to access or store information on a user’s browser or device unless an exemption applies.  It’s possible to assert a different lawful basis, such as legitimate interests, to process any subsequent information derived from the cookies or trackers for which you obtained ePrivacy consent, but this is a nuanced determination that should only be made when fully understood with legal counsel.

Will real-time bidding procedures be considered a “sale” under the CCPA?  How are cookie issues impacted by CCPA?  These are good questions that are not entirely clear from the text of the CCPA, and which intersect with areas where guidance from the California Attorney General is highly sought after.  Given the breadth of the definition of “sell” or “sale” under the CCPA, which includes disclosing, disseminating, making available or transferring “a consumer’s [PI] to another business or a third party for monetary or other valuable consideration,” this would seem to capture many of the standard practices that exist every millisecond in RTB.  However, determinations as to “business” eligibility, or whether an entity is acting as a “service provider” pursuant to a valid “business purpose” (and thus potentially outside the definition of a “sale”) versus acting as a “third party,” are all matters of interpretation that turn on the particulars of any entity’s activities, and so cannot be easily answered on a general level.

Which cookie consent management platforms would you recommend?  Well, since you asked this question in earnest, we’ll answer in earnest–our very own Cookie Consent Manager of course!

Thank you for your questions and participation during this event.  Feel free to sign up for a free subscription to our Privacy Insight Series or contact us anytime to learn more about how TrustArc can help your organization with all its privacy needs!

New Webinar 7/31 – Cookie Crack Down: What New ICO and CNIL Guidance Means For Your Business

TrustArc is proud to present the next Privacy Insight Series webinar “Cookie Crack Down: What New Regulator Guidance Means For Your Business” with TrustArc Senior Counsel Darren Abernethy. This webinar will take place on Wednesday, July 31st at 8am PT / 11am ET / 4pm GMT. Don’t miss this opportunity to learn more about recent cookie guidance – register today!

The only thing hotter than temperatures this summer in the European Union is activity around the digital advertising ecosystem, real-time bidding, website cookie practices and discussions of the interplay between GDPR and the current ePrivacy Directive.

Traditional interpretations (and consumers’ expectations) are changing, and it’s important for organizations to understand the pulse of supervisory authorities’ recent guidance, reports and announced plans with respect to advertising technology—in order to begin operationalizing any needed updates to data governance, website and supply chain practices.

This TrustArc webinar will provide:

  • An overview of the recent cookie guidance and real-time bidding report from the U.K. Information Commissioner’s Office;
  • A walk-through of what the French privacy regulator’s recently announced changed interpretation of what constitutes valid cookie consent means for organizations globally; and
  • A breakdown of advertising ecosystem participants’ data protection best practices in transparency, documenting legal bases, treatment of special category data, cookie consent exceptions, and more.

Speaker Darren Abernethy is an active participant in DAA, DAAC, EDAA and other advertising industry privacy self-regulatory organizations. Darren is a regular contributor to advisory boards and marketing tech publications, and has authored multiple papers on consent, ad tech and marketing best practices.

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar.

TrustArc publishes a broad range of privacy educational resources, including research reports, benchmark statistics, solutions briefs, product updates, webinars, workshops and much more. Check out the following resources on hot topics including CCPA, GDPR, Vendor Risk Management, DSAR Best Practices, Cookie Consent, and much more. Register for the free TrustArc Privacy Insight Series subscription and find out why over 20,000 privacy professionals per year take advantage of TrustArc privacy education resources.

UK ICO and French CNIL Increase Activity Around Cookies and Consent Practices

Perhaps the only thing higher than temperatures this summer in the European Union is the level of regulatory attention being paid to data-driven advertising and website cookie practices (including similar tracking technologies within mobile applications and other non-browser environments, collectively referred to here as “cookies”). This TrustArc blog post summarizes the major announcements and publications regulators have issued over the last few weeks, including what is expected to follow–and how TrustArc helps.

UK ICO Report on Ad Tech, RTB and Privacy. First, the United Kingdom’s Information Commissioner’s Office (ICO) released on June 20th an “Update Report Into Adtech and Real Time Bidding,” which concluded that advertising technology-related entities and those involved in real time bidding (RTB) should reassess their privacy notices, lawful processing bases, and personal data uses and sharing in light of the GDPR, as many have not to this point. The ICO is in the midst of evaluating practices within the advertising industry, in keeping with the view announced in its 2018-2021 Technology Strategy that web and cross-device tracking is one of its three “priority areas” for the current period.  The report’s findings:

  • pointed out deficiencies in publishers’ transparency practices, such as not specifically naming third party recipients of personal data collected on the basis of consent; 
  • adjudged that “special categories” of personal data included in targeted programmatic auction bid requests (e.g., inferred ethnic, health, sexual orientation or political audience segments associated with specific cookie or other unique identifiers bid on by advertisers) are regularly being processed unlawfully by ad tech companies due to failure to obtain explicit consent from data subjects; 
  • clarified that consent–rather than legitimate interests–is not only required for the placement or accessing of cookies or similar tracking technologies on an end user’s device (under the U.K.’s PECR rules implementing the EU’s “ePrivacy” Directive), but is also generally the appropriate lawful processing basis for the real-time bidding transactions that underpin the programmatic auctions between buyers and sellers of ad spaces for targeted advertising; and
  • noted that “the ICO has published [pursuant to GDPR Article 35(4)] a list of processing operations likely to result in…high risk, for which [Data Protection Impact Assessments] are mandatory, [and] RTB matches a number of examples on this list,” resulting in the conclusion that RTB-involved “organizations are therefore legally required to perform DPIAs.”

The ICO’s report identified areas where it has concerns and expects to see changes, but it also articulated a recognition that the ad tech sector is “an extremely complex environment” that does not change overnight.  With this in mind, the ICO indicated that it seeks to “take a measured and iterative approach, before undertaking a further industry review in six months’ time.”  


CNIL’s Change of Consent Interpretation and Timeline. Next, the French privacy regulator, the CNIL, announced on June 28th that in light of a rise in complaints and requests related to online marketing, it has devised an action plan for the next year making “targeted online advertising a priority topic for 2019.” Part of this plan will be the release this month of new guidelines that will rescind the CNIL’s 2013 interpretation that continued navigation of a website could be understood as an expression of an end user’s consent to the placement of website cookies or similar tracking technologies. The CNIL indicated that it will give stakeholders a transitional period of 12 months during which “scrolling down, browsing or swiping through a website or application will still be considered by the CNIL as acceptable.” Still, the CNIL will regularly investigate matters of transparency, withdrawal of consent, security obligations and more, including instances when cookies are impermissibly set before consent is collected for ePrivacy purposes. The CNIL’s calendar lists its tentative schedule for cookie-related matters as follows:

  • May – June 2019: Update of the CNIL standards to align with the GDPR (i.e., update of the CNIL’s 2013 interpretation of consent for cookies);
  • June – Sept 2019: Stakeholder working group to test the operational consistency of the guidelines;
  • November 2019: Results of work;
  • End of 2019 – Early 2020: Publication of new guidelines for cookies;
  • June – July 2020: End of the grace period, entities must comply with the rules of the new guidelines.

UK ICO’s New Guidance on Cookies. On July 3rd, the ICO regulator announced that it had published new, detailed guidance covering the use of cookies and similar tracking technologies on websites and other terminal equipment. The ICO’s guidance is intended to facilitate compliance with the Privacy and Electronic Communications Regulations (PECR, the U.K.’s transposition into local law of the EU’s “ePrivacy” Directive) and the GDPR, firstly setting forth the distinctions and relationship between those legal regimes, and further providing context and nuance around cookies, consent and transparency.

Cookie Consent and Transparency. The ICO’s guidance confirms that if using cookies, the operator of an online service must inform users of what cookies will be set, explain what the cookies do, and obtain consent to storing cookies on a device before doing so. Moreover, if using any third party cookies, the operator must clearly and specifically name who the third parties are and explain what they will do with the information. Exempted from these requirements are cookies needed to transmit a communication over an electronic communications network, as well as cookies that are “strictly necessary” to provide a service or site requested by the user. 

Lawful Processing Basis. Whereas PECR addresses the storing or accessing of information on users’ browsers and devices by requiring consent as a prerequisite to doing so, the GDPR (and its six possible lawful processing bases under Article 6) governs the processing of any personal data gained from cookies. In its guidance, the ICO recognizes that “it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies,” but separately states that, “trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.” 

The regulator also noted that any data processing involving analyzing or predicting preferences or behavior, or tracking and profiling for direct marketing and advertising purposes, will in most cases require consent as the lawful processing basis. Also confirmed is that “consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices,” although the ICO concedes that the setting of a first party analytics cookie “results in a low level of intrusiveness and low risk of harm to individuals,” and that “it is unlikely that priority for any formal action would be given” to such instances.

Cookie Audits and Banners. The ICO also emphasizes the utility of performing comprehensive “cookie audits” to detail what cookies are being used on a site and to discern which of them comprise “strictly necessary” first and third party cookies versus those which do not. The guidance likewise addresses forms of notice and means of consent, including prominently displayed cookie banners that provide clear information about cookies and user control options to allow or disallow those that are non-essential. 

It further notes that the blanket use of “cookie walls,” which require users to agree or accept the setting of non-strictly necessary cookies before the user can access the rest of the site’s content, will generally amount to invalid consent because the user lacks a genuine choice other than to acquiesce in order to use the site. Lastly, the ICO declined to specify how often consent should be obtained from users, noting that this is dependent on a number of factors such as frequency of visitors or updates of content or functionality. 

How TrustArc Helps

TrustArc offers the leading technology solutions in the cookie consent space with our Website Monitoring Manager and Cookie Consent Manager.

For product demonstrations or more information on how we can help your organization, contact TrustArc today!
