Cookie cutters – life after data tracking
A new ruling that cracks down on a commonly used cookie consent framework has sent shockwaves through marketing companies relying on online data collection in Europe, in what has been seen as another step towards a cookie-less future.
But while the decision by the Belgian Data Protection Authority could have implications for businesses across the EU — and the world — it relates to an area of backend marketing technology that might escape notice for the businesses relying on it.
The decision centres around a so-called cookie consent framework, the basis on which websites seek agreement from users to capture, share and analyse their record of activity across the internet.
That data is usually sold and forms the basis of serving people ads based on their history, interests, past behaviour and other metrics.
In the post-GDPR world of enhanced privacy laws, covering all European Union citizens, the International Advertising Board created the Transparency & Consent Framework (TCF), which should mean website publishers disclose what data is being collected and how they intend to use it or share it.
It was a short-cut for business, making it possible — in theory — to comply with the GDPR without having to get into the complexities and nuance of what would happen to collected data when capturing user preferences that might later be used by advertisers.
In the IAB’s own words, “The TCF’s simple objective is to help all parties in the digital advertising chain ensure that they comply with the EU’s GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other tracking technologies.”
The TCF essentially allows publishers and broadcasters to decide and enact their data collection according to the legal basis they believe to be most appropriate.
But the transparency of the TCF has been in question.
In 2019, a series of complaints were filed against the International Advertising Board’s European chapter, IAB Europe, alleging it had breached various provisions of the GDPR in relation to large-scale processing of personal data.
Among other issues, the complaints encompassed appropriateness, transparency, storage restriction and security of user data, as well as accountability.
The lead supervisory authority, the Belgian Data Protection Authority, considered the complaints and in February of this year handed down its ruling.
Citing several breaches, the Belgian DPA labelled IAB Europe negligent and stated it “was aware of risks linked to non-compliance”.
“The approach taken so far does not meet the conditions of transparency and fairness required by the GDPR,” it ruled.
“Indeed, some of the stated processing purposes are expressed in too generic a manner for data subjects to be informed about the exact scope and nature of the processing of their personal data.”
In fact, the authority said, IAB Europe was supporting a system that posed “great risks to the fundamental rights and freedoms of the data subjects” given the scale of personal data involved and the tracking of data subjects.
Given IAB Europe represents around 700 of the world’s biggest media companies, brands, agencies and technology firms, the ruling is not insignificant.
By rejecting the TCF, it puts in doubt one of the key links in the AdTech chain used in modern digital marketing – and thousands of advertisers will be forced to delete any data collected under the framework.
The decision potentially creates a headache for companies that have so far relied on it to ensure they do not fall foul of the GDPR, according to Baker Tilly Germany’s Julia Storkenmaier, a lawyer who specialises in IT, IP and data protection.
“The ruling has been a kind of a wake-up call, because these cookie consent banners that companies are using are often not very transparent but they’re relying on these consent tools to be compliant,” Ms Storkenmaier said.
“What this ruling has shown is that they can’t rely on those tools anymore – they need to be doing the legal work and putting in the effort to assess whether the process they are doing really is compliant with the GDPR, and any other law that applies.”
Baker Tilly Germany Attorney-at-law Christian Engelhardt said the borderless nature of the digital marketing world had in some cases meant developers and marketers had struggled to adjust to the EU privacy regulations.
“A lot of developers do know about the GDPR and try to take it into account – but since many of them come from legal systems outside of the EU, and maybe don’t get prior advice or prior legal opinions on what they need to do, they tend to work within what they know,” he said.
“Some providers and developers also have a tendency to just work away and then worry about the legal details afterwards.”
Ms Storkenmaier agrees.
“It’s a problem, especially for companies that operate as a group – for example, part of the company is in the US and another part in the EU,” she said.
“An organisation in that situation is going to want to share data between their entities, but they may not currently be able to because the rules are so different between the countries.”
To understand the importance of the Belgian DPA decision, it’s helpful to remember the past — because once, many years ago, the internet could forget.
You might visit a primitive-looking website, look at some content or browse at length, and when you returned, it was as if you had never been there at all.
As a user experience it wasn’t great, and for the owners of websites, it meant they knew little about their visitors other than keeping a clunky ‘hit counter’ in the bottom corner that marked each visit over time.
That was before the cookie.
The brainchild of a 23-year-old engineer at Netscape nearly 30 years ago, cookies were small text files passed between a person’s computer and a website, ostensibly identifying the presence of a specific computer but not the user.
Even before the GDPR became law, there were concerns that offering users the ability to decline having their data collected could undermine the AdTech sector, as companies would need a legal basis for collecting data.
In most cases, that legal basis would be active consent.
Since the GDPR, the days of cookies are numbered. Last year, both Apple and Google announced changes designed to make it more difficult to track individual users, Apple by blocking third-party cookies in Safari and Google by blocking them in Chrome.
Some of those changes have been deferred for now. Although Google’s plans were due to come into force this year, they have been pushed out to 2023, amid a panicked response from the enormous digital advertising sector.
Programmatic advertising, heavily reliant on third-party data, is worth more than $150 billion in the US alone, and while there’s no question a cookie-less future will improve data privacy, it presents an enormous challenge for marketing companies.
It will make it harder for marketers to measure the performance of their digital marketing, and potentially force a raft of other changes, such as increased investment in first-party data collection, website upgrades to increase the time and engagement that takes place on a company’s ‘home turf’ and other measures designed to keep customers and prospects engaged.
The US also has a proposed law on the books that could be even more punishing.
The Banning Surveillance Advertising Act, backed by a group of Democrats, would limit data collection even further — something the IAB argues could put at risk up to 17 million US-based digital economy jobs or ‘trillions of dollars’ according to advertiser lobby groups trying to oppose the measure.
For now, the digital marketing world, and the companies operating within it, are waiting to see how the Belgian DPA ruling plays out.
IAB Europe was given six months to act on the listed breaches, with penalties of 5,000 Euros a day to apply if they fail to do so, plus an administrative fine of 250,000 Euros.
However, the company has made it clear it believes the findings underpinning the ruling are wrong, and last month launched an appeal.
“If this decision does not stand, maybe none of this may change, but if it does, then the whole rules may have to change and it could have a huge impact,” says Vasilios Psarras, the Data Protection Officer and IT Audit Manager with Baker Tilly in Southeast Europe.
“The difference for the Data Protection Authorities now compared to a few years ago is that they are more vigilant on these cases. They have already passed the first wave of GDPR, and they know how to handle these issues.
“Now we are getting into the details, and they are getting a grip of what happens with the data. Some of the DPAs are productive, and some go after changes they want to see.”
Anestis Dimopoulos, Baker Tilly’s Head of Digital and Risk Advisory in Southeast Europe, agrees.
“It’s going to be a time of adaptation to understand the ruling and try to see if companies can adapt their practices,” he says.
“There may be some room there for the TCF and the OpenRTB (a platform that allows real-time bidding for advertising) to adapt to requirements. Perhaps they can change. But there will be some disruption in the meantime, and they will not be able to fully implement the model until a final ruling.
“It will be interesting to see how this ends up, when combined with all the discussions about GDPR 2.0 and the introduction of emerging technologies such as AI or robotic process automation.
“The second issue will be how this impacts industries like financial services, health care, telecommunications. The regulatory point of view for these sectors is very strict.”
Whichever way this fight ends, the Belgian DPA ruling is likely to sound an early warning for companies in this space to consider their current approach to data privacy and consent, and how they may need to reconfigure going forward.
For some, this will mean significant changes in their operation – but Baker Tilly’s Dr Engelhardt said the increased awareness generated by the ruling meant the majority of companies would adjust as needed.
“I think the most important thing to do is make clients aware not only of the fact that they do have to comply with GDPR but how they do that, and that it’s not sufficient to just buy any off-the-shelf product and assume it will be fit for purpose,” he said.
“Most clients, once they become aware of it, don’t have a huge problem with changing their procedures or implementing what they need to implement – it may take time to make the change, but once they realise it’s a legal obligation, they just do it.”