EU cookie compliance advice for Irish organisations
With a deadline looming for Irish data controllers to get cookie compliant, we sat down with Fergal McHugh, Head of Strategy at Arekibo, to talk about cookies, compliance, GDPR and the future of digital marketing in a new era of regulation.
Why is there such a fuss about cookies right now?
Yes, you might wonder at the sudden flurry of activity in relation to a piece of legislation that has been around for 18 years. The EU ePrivacy directive dubbed the “cookie law” effectively dates back to 2002. Now of course there have been amendments since then, 2006 and 2009, and in Ireland it didn’t become law until 2011. And then with the introduction of GDPR in 2018 the requirements for cookie compliance got an upgrade. But nevertheless, the overall shape of what was needed for compliance has been around for quite a while. Despite this, a recent sweep by the Irish Data Protection Commission (DPC) found that the level of compliance with the legislation was more or less non-existent. The DPC sweep, focusing on a range of websites that might be regarded as integral to the fabric of Irish life, found almost no satisfactory examples of compliant use of cookie technology. And on the foot of this they issued new guidance on what compliance should look like and a deadline for website operators to get compliant, October 5th 2020, six months from when updated guidance was provided.
How does something like this happen?
Well that’s complicated. What we are dealing with is a range of factors. Broadly there was a lack of clarity on what the legislation meant, and regulators were not doing much to check compliance. The resulting ambiguity meant that many operators believed they were compliant. And now due to a change in the regulatory context rather than any change to the legislation — new guidance and a renewed commitment to enforcement — operators are finding themselves having to play catch-up.
Two recent rulings from the Court of European Justice (“CJEU”) are key drivers behind the renewed focus on cookie compliance, Planet49 and Fashion ID. In the Planet49 case the court ruled out the use of pre-checked checkboxes to acquire consent. In the Fashion ID case the court ruled that if an operator places a third-party plugin on its website it must assume joint controllership of any data collected by that third-party. For your typical website operator, the consequence of these two rulings — again I am mainly thinking of the Irish situation, but this is also true across Europe — was that most were simply not compliant with the legislation. The judgements also re-affirmed things that many operators were already aware of but hadn’t necessarily taken action on, for example that the cookie data didn’t have to be personal to require a GDPR standard of consent.
These judgements are relatively recent. The Fashion ID judgement dates to July of last year, the Planet49 judgement to October of last year. But on the other hand, they don’t really add anything that is actually new, merely make explicit what in many cases is already known, or perhaps should have been.
You mentioned other factors?
Yes. I am thinking of reasons why the cookie issue has become more obviously important and at the same time why a great many operators have not taken any real action toward compliance in this area. The current ePrivacy legislation comes from a directive. A directive specifies a result without necessarily dictating how that result should be achieved. Because of this, individual EU countries have taken a range of different approaches, and some confusion has resulted from that.
The next ingredient is the delay in putting through the new ePrivacy Regulation, a radically overhauled version of the 2002/2009 directive, this time coming in the form of a regulation meaning it gets implemented as EU law and not a local statute. Now with this piece of legislation hopelessly stalled, some operators had decided to stay non-compliant and see what would happen next.
Why? What did they expect might happen?
Well, some operators no doubt had in mind the reasons for that proposed regulation stalling in the first place. There has been what commentators have described as “unprecedented” levels of lobbying seeking to water down or even block legislation that in industry eyes is too strict and is going to have a serious dampening effect on ad-sponsored free web content. Other industry concerns relate to a range of non-privacy threatening tracking activities that are getting lumped in with privacy-sensitive tracking and that, taking the law at face value, could ultimately hurt, irreparably, both businesses and consumers. Apparently, the lobbying in the face of the new ePrivacy regulation beats even the record for lobbying against GDPR. And according to reports even though most of this lobbying comes from industry there has also been a lack of transparency in the interaction between lobbyists and some member state governments. At the frontier of digital in Europe you might say that a great number of people want this legislation dead.
We now have a piece of legislation that was due to come into force at the same time as GDPR that is still stuck in the pipe, and the reasons for the delays appear to have direct connections to the kinds of things that website operators want to keep doing. If you like a waiting game, then the confusion over the proposed ePrivacy regulation looks like an opportunity.
What happens next?
In a sense it has already happened. The new guidance from the DPC is basically telling website operators that there is no ambiguity here and that they can’t sit it out and hope for better times to come with the new ePrivacy regulation.
What does this mean for website operations and data controllers?
It means that they have a relatively short window to get compliant. The DPC intends to commence enforcement in this area from October 6th.
Now that this is out in the open why has there still been such a low level of compliance, and given the threat of enforcement, fines etc. why would operators even risk this?
The main reason is that operators have a great deal to lose, or think they do. Cookies are a very simple technology, not sophisticated at all, but a great deal of valuable tracking real-estate hangs off them. For example, the digital advertising spend in Ireland, which is of course a very small market, was roughly €673m and a great deal of the success of this activity depends upon users accepting cookies on their browsers. This grew 17% from the previous year. This is an area of expenditure which has been growing aggressively year on year. Now there is an expectation that this number will fall this year due to Covid-19. Next year’s spend on the other hand could see declines because the kind of penetration that advertisers can get will have been significantly impacted by internet users staying with the default, and simply not opting into the tracking environment which gives digital advertising its unique power.
Given the expected cost to the digital economy and to the economy more broadly, is compliance going to benefit users? Despite the cost, is this overall a good thing?
Yes and no. I think that regulation of digital is both desirable and important. It’s worth noting that if the combined force of ePrivacy and GDPR looks rather draconian, especially to people who depend on cookies for their livelihood, the abuses of the public trust have in cases also been quite severe. However, there are related questions about whether or not this kind of regulation is actually effective. It is legitimate to ask whom it protects, and the quality of the protection afforded.
Nobody has a crystal ball but what we do know is that policy interventions can have rather different effects than policy makers intend. Cookies are definitely on the way out, especially third-party cookies, with the major browser manufacturers committed to phasing out support for them. But cookies are not the only way to re-target, it is simply a very cheap and easy way of doing it. In fact, cookies have limitations with respect to today’s multi-device equipped users, and so a great deal of effort has been going into finding other methods to identify and re-identify users. Some of these new methods may turn out to be better for both users and advertisers, but it is equally possible that they may end up being more persistent and invasive than cookies.
I don’t want to get into the technical details of the future of tracking here, but I think it’s worth saying something about the place of the internet user in all of this. It is a feature of contemporary rhetoric that the end-user is going to be the beneficiary, no matter what side you are on. Advertisers claim to make people’s lives better by serving them up relevant connections to the things they want to consume. And of course, regulators want to protect users’ privacy and also protect them from predatory practices. It’s all focused on protecting the user. But it is all about the user in a different way: the combined force of ePrivacy and GDPR puts the decision about whether or not they get tracked primarily into the user’s hands.
Is it not a good thing, being in control?
I think it can be, but there is a real sense in which the complexity of a website operator’s tracking strategy is being dropped into the user’s lap for them to puzzle out. And even if the legislation and associated guidance emphasises making user choices clear and simple, I suspect that this is not always going to be possible. This is a real feature of our interaction with digital technologies, platforms and services — there is often a vast asymmetry between what users know and understand and what operators know and understand. And what we are doing here in a sense is letting that situation stand. Maybe the answer here is that these consent-based models are the right way to go, but as part of a broader strategy that looks to reduce this asymmetry. Awareness and education then would have a crucial role to play. However, it is also worth stepping back and looking at the broader regulatory paradigm and ask are things generally going in the right direction. Are there other routes that might be better for advertisers and users?
Do you have an example?
Well, it’s worth thinking about the ways in which the cookie consent model might be failing users. The approach is supposed to protect the user where they are vulnerable, but you might equally think that the consent approach stacks the deck against the user. One of the sources of that vulnerability simply is what users don’t know, and the work they either can’t do or are not prepared to do to get “in the know”. Now the privacy by default approach that’s built into cookie consent requirements does take some important steps in that direction, and in that way it’s a serious advance on the standard “notice and consent” approach.
My concern runs a little deeper. For example, the DPC’s recent report guidance explicitly calls out the idea of nudge-based cookie-banner design and in its guidance cautions against design approaches that nudge users toward accepting rather than rejecting cookies. But I think we need to see this against the background of our effective saturation in what Cass Sunstein and Richard Thaler have dubbed “choice architecture” (the people who introduced the “nudge” into our vocabulary back in 2008). As Sunstein has pointed out repeatedly it is naïve to think that we are not constantly surrounded by choice architecture, on our high streets, in supermarkets and so on. And this is even more relevant in the digital space — every digital service is a choice architecture which has been designed and developed by choice architects. I think we need to take this situation on board without paying a kind of lip-service to the idea that there are going to be safe places where users are free of this kind of influence.
What are the alternatives?
That’s what we need to think about. I think that everyone, regulators, digital operators, marketers and so on all need to think about it. There is a need to step back from what we already think we know and look more creatively at the problem. I have my own views here. When we look at the justifications for why specific types of data and specific activities need to be afforded special protections, if you keep asking the question they often run aground on platitudes about fundamental rights, right to privacy and so on. What you get here is the user’s experience of digital wedged between a pair of abstractions, rights that quite a lot of us can’t make any real sense of and compliance measures that feel less like protection and more like an imposition, extra red-tape dropped in between me and the services I am using. And in all of this, I am still not quite clear on how I am better off, where I am covered, and where I need to look out for myself.
This is a roundabout way of saying that we need a more integrated approach. Regulatory activity needs to emerge from the kinds of things we want to achieve when we interact on digital channels and platforms and the kinds of protections we want for users there — actually the kind of protections we want for ourselves because we are all users, data subjects etc. And I think we need to keep that in the picture. And you would be surprised at the sheer volume of people and organisations who either implement or benefit from tracking in some shape or form. The next time someone presents you with a report that incorporates stats on user behaviour your question should be, how did we acquire this? We are at the same time data controllers and data subjects. Our approaches should be motivated by that.
Some of the more innovative recent thinking on issues of privacy and consent has put the emphasis on relationships and communities rather than individuals. This might be the beginning of establishing the kind of structures within the broader digital ecosystem that support trusted interactions between users and the platforms and the services they use. There are some programs like this already in the works, for example the IAB framework. Is that going to do the work it needs to do? I am not sure, but I think this idea of what is effectively a “trust broker” is interesting and needs to be explored.
Any advice in closing, specifically to organisations impacted by the looming deadline?
Yes, get compliant first. Protect yourself. And then prepare to join the conversation about how we can make the future better for everyone.