UK ICO and French CNIL Increase Activity Around Cookies and Consent Practices

Perhaps the only thing higher than temperatures this summer in the European Union is the level of regulatory attention being paid to data-driven advertising and website cookie practices (including similar tracking technologies within mobile applications and other non-browser environments, collectively referred to here as “cookies”). This TrustArc blog post summarizes the major announcements and publications regulators have issued over the last few weeks, including what is expected to follow, and how TrustArc helps.

UK ICO Report on Ad Tech, RTB and Privacy. First, the United Kingdom’s Information Commissioner’s Office (ICO) released on June 20th an “Update Report Into Adtech and Real Time Bidding,” which concluded that advertising technology-related entities and those involved in real time bidding (RTB) should reassess their privacy notices, lawful processing bases, and personal data uses and sharing in light of the GDPR, as many have not to this point. The ICO is in the midst of evaluating practices within the advertising industry, in keeping with the view announced in its 2018-2021 Technology Strategy that web and cross-device tracking is one of its three “priority areas” for the current period. The report’s findings:

  • pointed out deficiencies in publishers’ transparency practices, such as not specifically naming third party recipients of personal data collected on the basis of consent;
  • adjudged that “special categories” of personal data included in targeted programmatic auction bid requests (e.g., inferred ethnic, health, sexual orientation or political audience segments associated with specific cookie or other unique identifiers bid on by advertisers) are regularly being processed unlawfully by ad tech companies due to failure to obtain explicit consent from data subjects;
  • clarified that consent (rather than legitimate interests) is not only required for the placement or accessing of cookies or similar tracking technologies on an end user’s device (under the U.K.’s PECR rules implementing the EU’s “ePrivacy” Directive), but is also generally the appropriate lawful processing basis for the real-time bidding transactions that underpin the programmatic auctions between buyers and sellers of ad spaces for targeted advertising; and
  • noted that “the ICO has published [pursuant to GDPR Article 35(4)] a list of processing operations likely to result in…high risk, for which [Data Protection Impact Assessments] are mandatory, [and] RTB matches a number of examples on this list,” resulting in the conclusion that RTB-involved “organizations are therefore legally required to perform DPIAs.”

The ICO’s report identified areas where it has concerns and expects to see changes, but it also articulated a recognition that the ad tech sector is “an extremely complex environment” that does not change overnight. With this in mind, the ICO indicated that it seeks to “take a measured and iterative approach, before undertaking a further industry review in six months’ time.”


CNIL’s Change of Consent Interpretation and Timeline. Next, the French privacy regulator, the CNIL, announced on June 28th that in light of a rise in complaints and requests related to online marketing, it has devised an action plan for the next year making “targeted online advertising a priority topic for 2019.” Part of this plan will be the release this month of new guidelines that will rescind the CNIL’s 2013 interpretation that continued navigation of a website could be understood as an expression of an end user’s consent to the placement of website cookies or similar tracking technologies. The CNIL indicated that it will give stakeholders a transitional period of 12 months during which “scrolling down, browsing or swiping through a website or application will still be considered by the CNIL as acceptable.” Still, the CNIL will regularly investigate matters of transparency, withdrawal of consent, security obligations and more, including instances when cookies are impermissibly set before consent is collected for ePrivacy purposes. The CNIL’s calendar lists its tentative schedule for cookie-related matters as follows:

  • May – June 2019: Update of the CNIL standards to align with the GDPR (i.e., update of the CNIL’s 2013 interpretation of consent for cookies);
  • June – Sept 2019: Stakeholder working group to test the operational consistency of the guidelines;
  • November 2019: Results of work;
  • End of 2019 – Early 2020: Publication of new guidelines for cookies;
  • June – July 2020: End of the grace period; entities must comply with the rules of the new guidelines.

UK ICO’s New Guidance on Cookies. On July 3rd, the ICO regulator announced that it had published new, detailed guidance covering the use of cookies and similar tracking technologies on websites and other terminal equipment. The ICO’s guidance is intended to facilitate compliance with the Privacy and Electronic Communications Regulations (PECR, the U.K.’s transposition into local law of the EU’s “ePrivacy” Directive) and the GDPR, firstly setting forth the distinctions and relationship between those legal regimes, and further providing context and nuance around cookies, consent and transparency.

Cookie Consent and Transparency. The ICO’s guidance confirms that if using cookies, the operator of an online service must inform users of what cookies will be set, explain what the cookies do, and obtain consent to storing cookies on a device before doing so. Moreover, if using any third party cookies, the operator must clearly and specifically name who the third parties are and explain what they will do with the information. Exempted from these requirements are cookies needed to transmit a communication over an electronic communications network, as well as cookies that are “strictly necessary” to provide a service or site requested by the user.

Lawful Processing Basis. Whereas PECR addresses the storing or accessing of information on users’ browsers and devices by requiring consent as a prerequisite to doing so, the GDPR (and its six possible lawful processing bases under Article 6) governs the processing of any personal data gained from cookies. In its guidance, the ICO recognizes that “it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies,” but separately states that, “trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.” 

The regulator also noted that any data processing involving analyzing or predicting preferences or behavior, or tracking and profiling for direct marketing and advertising purposes, will in most cases require consent as the lawful processing basis. Also confirmed is that “consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices,” although the ICO concedes that the setting of a first party analytics cookie “results in a low level of intrusiveness and low risk of harm to individuals,” and that “it is unlikely that priority for any formal action would be given” to such instances.

Cookie Audits and Banners. The ICO also emphasizes the utility of performing comprehensive “cookie audits” to detail what cookies are being used on a site and to discern which of them comprise “strictly necessary” first and third party cookies versus those which do not. The guidance likewise addresses forms of notice and means of consent, including prominently displayed cookie banners that provide clear information about cookies and user control options to allow or disallow those that are non-essential.

It further notes that the blanket use of “cookie walls,” which require users to agree or accept the setting of non-strictly necessary cookies before the user can access the rest of the site’s content, will generally amount to invalid consent because the user lacks a genuine choice other than to acquiesce in order to use the site. Lastly, the ICO declined to specify how often consent should be obtained from users, noting that this is dependent on a number of factors such as frequency of visitors or updates of content or functionality.
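The ICO sequence described above (inform, explain, consent before setting; name third parties; exempt only strictly necessary cookies) and its suggestion of a comprehensive cookie audit can both be expressed as a small piece of gating logic. The following is an added example written for this post, not code from TrustArc, the ICO or any vendor: the cookie inventory, category names, vendor name and the sample cookie header are all constructed for illustration.

```javascript
// Added example: a minimal consent gate plus a cookie audit, following the
// "inform, explain, consent before storing" sequence in the ICO guidance.
// All cookie names, categories, purposes and the vendor are assumptions.

// Constructed cookie inventory for a hypothetical site (the product of a
// "cookie audit": what is set, by whom, and why).
const COOKIE_INVENTORY = {
  session_id: { category: "strictly-necessary", party: "first", purpose: "keeps the user signed in during a visit" },
  csrf_token: { category: "strictly-necessary", party: "first", purpose: "protects forms against cross-site request forgery" },
  cart:       { category: "strictly-necessary", party: "first", purpose: "remembers items the user asked to buy" },
  site_stats: { category: "analytics", party: "first", purpose: "counts page views (first-party analytics; still needs consent)" },
  ad_segment: { category: "advertising", party: "third", vendor: "ExampleAds Ltd (hypothetical)", purpose: "audience segments for ad targeting" },
};

// Only cookies that are strictly necessary for the service the user requested
// (or needed to transmit the communication) may be set without consent.
const EXEMPT_CATEGORIES = new Set(["strictly-necessary"]);

// True if `cookieName` may be stored given the consent the user has recorded.
// `consent` looks like { analytics: true, advertising: false }; absent keys
// mean "not consented".
function mayStore(cookieName, consent) {
  const entry = COOKIE_INVENTORY[cookieName];
  if (!entry) return false; // unknown cookie: never set it, and fix the inventory
  if (EXEMPT_CATEGORIES.has(entry.category)) return true;
  return consent[entry.category] === true;
}

// Builds the notice text: what is set, what it does, and who receives the
// data when the cookie is a third-party one.
function noticeLines() {
  return Object.entries(COOKIE_INVENTORY).map(([name, e]) => {
    const who = e.party === "third" ? ` (set by ${e.vendor})` : "";
    return `${name}${who}: ${e.purpose} [${e.category}]`;
  });
}

// Parses a Cookie request header (or a document.cookie string) into names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => pair.split("=")[0].trim());
}

// Audit: given the cookies observed on a device and the consent recorded at
// that moment, report every cookie that should not have been there.
function audit(cookieHeader, consent) {
  const findings = [];
  for (const name of cookieNames(cookieHeader)) {
    const entry = COOKIE_INVENTORY[name];
    if (!entry) {
      findings.push({ name, issue: "not in inventory" });
    } else if (!mayStore(name, consent)) {
      findings.push({ name, issue: `set without consent for ${entry.category}` });
    }
  }
  return findings;
}

// Constructed sample: cookies present on first page load, before the user has
// interacted with the banner at all (so consent is empty).
const SAMPLE_BEFORE_CONSENT =
  "session_id=abc123; csrf_token=xyz; site_stats=1; ad_segment=seg42; _unknown=1";

// Usage: three findings here (analytics and advertising cookies set early,
// plus a cookie the inventory does not know about).
console.log(noticeLines().join("\n"));
console.log(audit(SAMPLE_BEFORE_CONSENT, {}));
```

Running the audit against real page loads (for example, a crawler that records the cookie jar after each navigation, fed into `audit` with the consent state captured at that time) is what turns the ICO's "cookie audit" recommendation into a repeatable check rather than a one-off review.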

How TrustArc Helps

TrustArc offers the leading technology solutions in the cookie consent space with our Website Monitoring Manager and Cookie Consent Manager.

For product demonstrations or more information on how we can help your organization, contact TrustArc today!

Round II of EU Cookie Compliance Inspections


By Helen Huang, Senior Product Manager

In September 2014, the French Data Protection Authority, CNIL conducted a “cookie sweep” to review compliance with the EU Cookie Directive and published a combined analysis from 8 DPAs, including the Czech Republic, Denmark, France, Greece, The Netherlands, Slovenia, Spain, and the UK. The “cookie sweep” involved the CNIL conducting onsite and remote inspections to evaluate compliance with the latest EU cookie standards. The 2014 cookie sweep findings showed that many companies’ websites did not comply because insufficient notice and valid consent were being given to and/or sought from visitors. Many websites subsequently put in place compliance solutions as enforcement and possible fines continue to be very real. Details about the results of the initial sweep can be found here.

With the upcoming expanded and stricter consent requirements under the General Data Protection Regulation (the GDPR), as well as anticipated amendments to the EU Cookie Directive, it is worth paying closer attention to the actions and next steps needed to come into compliance with EU regulations.

On July 27, 2016, the CNIL announced a new round of cookie sweeps and cookie enforcement actions that will focus on specific industries: Ad Tech, Social Media and Analytics companies. The French Data Protection Authority recognizes the complexity of the online advertising ecosystem, and holds both publishers and their processors responsible for activity on a website.

Publishers should provide more information on the ad tech, social media and analytics partners they work and share data with, the nature of data collected and processed by them and the rights of the data subjects to object.

In terms of next steps, publishers’ partners should also “(i) assess their current cookie compliance strategy, (ii) update their publisher terms (where required) and (iii) equip publishers with actionable tool kits containing for instance FAQs, template end-user wording and means to object.” With the CNIL as the lead DPA, companies should still expect different degrees of strictness and various ways to implement the consent mechanism in each EU member state.

When developing your cookie compliance strategy, one of the most critical requirements is to provide proper Notice, Consent, and Choice to visitors. Launched in 2011, TRUSTe Cookie Consent Manager has continued to keep pace with evolving laws and regulations, and has been enhanced to tackle the complex landscape and varying requirements of the EU countries. TRUSTe has deployed hundreds of cookie consent solutions for many of the world’s most recognized brands, enabling them to comply with the EU Cookie Directive. Click here to see a live demo and learn more about why TRUSTe Cookie Consent Manager is the trusted data privacy solution.

If you have any questions about consent requirements under the EU Cookie Directive or GDPR, please contact TRUSTe to learn more about how we can help.


TRUSTe’s Dynamic Platform Detection Simplifies Cross-Device Ad Privacy Compliance


Today, we announced Dynamic Platform Detection, as a new feature of our TRUSTed Ads Compliance Manager.

Using just a single smart tag, companies can provide opt-outs across both mobile and desktop platforms. With this new feature, companies can also provide consumers with a greater assurance that their opt-out preferences are being honored across devices, while simplifying compliance.

TRUSTe Ads Compliance Manager is a comprehensive technology solution that overcomes the challenges of addressing consumer privacy preferences in desktop and mobile across any platform, device, or cookie/non-cookie environment. With the addition of Dynamic Platform Detection TRUSTe is taking the industry one step closer to a universal opt-out which can be supported and guaranteed across a variety of connected advertising environments.

To read more about Dynamic Platform Detection, click here.

Now is the Time for Transparency on Behavioral Targeting

The TRUSTe and TNS 2nd annual Behavioral Advertising Attitudes Survey, released today, reports ’09 results fairly consistent with the ’08 results. Consumers are very aware of tracking by third parties, and they want content and advertising to be more relevant. While about half of consumers remain concerned about tracking, we show a statistically relevant increase in comfort of 6 percentage points.

Now is the time for publishers to act. Consumers expect brands they know to protect their privacy. And companies already experimenting with proactive notice and control features report very low opt-out rates.

Don’t bring up the rear guard of the industry. Consumers know they’re being tracked and in the absence of straightforward dialogue, doubt and suspicion take over.
