If part one of the BH Consulting cookie guide left you hungry for more, now we serve up part two. In this blog, we’ll mix in a portion of the Cookie Consent Framework, blend in some recent cases surrounding it, add a generous helping of third-party cookies, and weigh up what the next step for cookies might be.
Cookie consent and the IAB framework
Let’s start with a case that made ripples throughout Europe as it brought to light topical issues like online advertising, targeted ads and user privacy.
In February 2022, the Belgian data protection authority (APD) found that the Transparency & Consent Framework (TCF), a tool used to record individuals’ online ad preferences, violates the GDPR. The finding stated the TCF failed to comply with GDPR principles of transparency, fairness and accountability, and lawful processing.
The TCF is a set of policies and technical specifications that companies can use to inform and obtain consent from users about their data processing operations. The Interactive Advertising Bureau Europe (IAB), a digital marketing industry organisation, developed the framework.
The Belgian authority further held that IAB Europe acts as a data controller for the personal data processed through the TCF and fined the IAB approximately €250,000.
Data protection authorities of other EU countries, including the Belgian APD, also participated in the decision-making, making the decision’s principle binding in all EU countries. This development followed the French data protection authority (CNIL)’s earlier decision on cookie consent.
The Belgian DPA gave the IAB two months to present an action plan to implement corrective measures. The IAB then appealed this decision.
In September 2022, the Brussels Market Court adopted an interim decision in a case brought by IAB. The Market Court decided to refer preliminary questions to the Court of Justice of the European Union, regarding the concept of data controllership in the GDPR and on whether a TC String (a digital signal containing user preferences) can be considered as ‘personal data’ under the GDPR.
The Market Court ruled that the original decision was illegal due to irregularities at the stage of the investigation. The referral to the CJEU now means that a final judgement by the Market Court is unlikely until 2023 or even 2024.
Following this, in October 2022, the IAB announced that Belgium’s DPA had informed it that it intends to pursue its examination of the action plan. Despite the Market Court’s interim ruling, IAB Europe said it welcomes opportunities to dialogue with the Belgian APD, even as it believes the APD’s initial decision cannot be enforced.
Over the past year, we’ve seen large case fines and complaints against multiple companies for violating GDPR rights. So, the IAB’s framework is not exempt: the complaints alleged that the TCF did not comply with the GDPR principles of legality, appropriateness, transparency and more.
Cases like this reaffirm how vital it is for companies to stay on top of their GDPR and privacy compliance. The change in cookie regulation is tilting towards the user’s privacy rights. They’re becoming more and more sought by regulators and by consumers as public awareness of those rights is increasing.
Below, we’ll explore how third-party cookies are potentially being phased out in favour of less intrusive targeted advertising technologies. This benefits consumers but not companies as they will need to keep up with the ever-changing landscape of privacy rights.
What now for third-party cookies?
Over the last few years, advertisers have been hearing about Google’s move away from the third-party cookie. These are small, encrypted files that track user movement from website to website and collect data. In 2020, Google announced it would remove third-party cookies from its browser, Chrome.
Alternative browsers such as Safari and Firefox already block third-party cookies by default. However, Google’s announcement is significant because Chrome’s 65.68 per cent share means it has almost two-thirds of the browser market.
Google said it would instead adopt privacy-preserving application programming interfaces which prevent individual tracking while still delivering results for advertisers and publishers.
The implications of this will affect AdTech and companies’ ability to target consumers and track their online behaviour. Google has since delayed its planned move until late 2023 or early 2024. The delay gives marketers time to adapt to the possibility of a landscape without tracking cookies.
These developments come against a backdrop of privacy concerns prompted both by online consumers and industry gatekeepers questioning the current online data tracking systems.
The move away from third-party cookies is an industry-wide change but not everyone is ready. The Compliance Institute Ireland surveyed 144 compliance professionals in Irish organisations about Google’s third-party cookie ban. It found the move is expected to impact almost 90pc of Irish organisations and that only 12 per cent describe themselves as “very prepared” for the change.
In 2021, France’s CNIL published a blog on alternatives to third-party cookies and what these might mean for consent. It highlighted the following four main categories of alternatives:
- First-party cookies and browser fingerprinting
- Single sign-on
- Unique identifiers
- Cohort-based targeting advertising.
What does this all mean for me?
Cookies may be on their way out, having gained unwanted attention because of the information they collect and how they affect data protection and privacy.
With time to get ready, it’s never too soon to start planning for a future without cookies as we know them today. Here are four points to guide your strategy.
- Consider the privacy implications of moving away from third-party cookies
- Implement a privacy strategy to deal with the change from third-party cookies
- Move to first-party cookies and update your cookie banner accordingly
- Consider alternative advertising methods.