Interesting times ahead for marketers and privacy professionals part 1
Global privacy regulations such as the GDPR, CCPA and ePrivacy, as well as updated guidelines from the DPC, ICO and CNIL will have a profound effect on marketing activities. Faced with the legal and financial ramifications of ignoring a consumer’s right to privacy, marketers must rethink their data collection, use, and retention methods.
Arekibo recently hosted a webinar on that topic with Efrain Castaneda, Privacy Counsel at OneTrust. Efrain shared some interesting thoughts about how cookies and tracking technologies can be used by companies in practice while remaining compliant with global privacy regulations. Efrain joins us again today with the first part of a two-part series, in discussion with our Head of Strategy Fergal McHugh to dive into some of these issues in more detail. This conversation took place on the 21st of September 2020.
Fergal: It looks like there are variations in cookie law not just internationally, but across the EU, and I know from personal experience that this is sowing some confusion among organizations as they attempt to get compliant. I wanted to start by getting your view on the level of consistency out there.
Efrain: We can look at this from many angles. First, we must remember that the cookie law we have, namely the E-Privacy directive from the EU, is just a directive and it’s an old directive. It came out in 2002 and was updated in 2009 I believe. It is a rather outdated law that had to be transposed into national legislation for it to have effect in each member state of the EU. That means that there are slight variations in the interpretation of the law. Some laws transposing that directive are even newer — that’s the case in Ireland where the implementation goes beyond considering specific aspects of the directive.
This variation has caused member states to diverge slightly in the way they interpret certain aspects of compliance. For example, Spain previously allowed implied consent for cookies, and then later they had to make a U-turn after the EDPB came out with their opinion on consent about what is, and what is not, valid. In the case of implied consent, often acquired from you just scrolling down the web page — well, one of the many problems you will find is that it is not as easy to withdraw consent as it is to give consent. And then there is the issue of whether users are being sufficiently informed prior to the cookie being dropped. It became a sort of catch-22.
Another example is analytics cookies; they have become an increasing subject of attention for all DPAs. In particular, the German DPA has been focusing a lot on Google Analytics because of the level of invasiveness they believe is involved there. Google Analytics, as per the DSK guidelines, must be subject to consent by the user because of that level of invasiveness. Nevertheless, they are still classified the same as functional cookies. There are other slight variations — some countries speak about nudging, others don’t have a clear stance on nudging, but instead ban cookie walls.
However, more recently with the activity of the individual DPAs and the activity of the EDPB we can see coherent trends emerging. For example, requiring consent for analytics cookies is increasingly a feature of compliance. So now in Ireland you are required to have consent for all 3rd party analytics. You can find some nuances in France; for example, there are exceptions there you don’t get in Ireland. But I think we are seeing more consistency and it is a matter of time before we see that increasing. With the overall development of the field we get a better understanding of what the technologies are doing and what we can do as users (obviously aided by the interpretations of the relevant authorities and tribunals).
Fergal: I wonder what happens with organizations with target users in multiple EU countries, for example an Irish company, say an airline with customers right across Europe. I suppose first they need to meet the Irish requirements, but presumably they are under no obligation to present the same banner here as they do in other markets and vice-versa? I can imagine circumstances that require specific consent for analytic cookies, then maybe in France they are bundling those up in some other way because they don’t have the same requirements?
Efrain: The way I see it is that you can calibrate and fine-tune the settings on your banners depending on where you are targeting people. But obviously the more you want to calibrate that, the more attention you must pay to the nuances, so that you are offering the right settings and displaying the right information to the user so that it reflects the obligations of that area. If an airline is targeting users in France or in Greece you can fine tune that, you can play with geo-location. But you need to present it in a way that they can understand and in line with what the local DPA allows. So maybe if you are targeting someone in Germany you need analytics opted-out by default, but perhaps in Spain you can have 3rd party analytic cookies opted in. But you do have to pay attention to the nuances and that is not always easy.
Fergal: It seems to me that the Irish guidance is among the strictest in Europe. And I am wondering if we are looking at a situation where if you follow the Irish guidance you are not going to fall foul of the requirements of other EU countries? Or are there other EU countries adopting stricter guidelines than the ones we have in Ireland?
Efrain: I think that the Irish guidelines are a very good baseline. But it’s hard to find a one-size-fits-all. The Irish guidelines together with the CNIL or perhaps the ICO or the German would be the best way to find a baseline that could work. If you stick to those guidelines, because they are the strictest ones, you might have a chance of being compliant in the other countries.
I think the Irish guidelines are quite strict because these guidelines came out of the sweep they conducted, so I think they are very objective in the way they approached their guidelines, perhaps a little less rushed than other DPAs and I’d say because of that they are a good starting point.
Fergal: You mentioned Germany. We have an interesting case there with a new model looking to make consenting to cookies more attractive. For example, Der Spiegel recently introduced a pay cash or pay data approach. I wanted to get your view on that. Is this something we might potentially see as a trend, or will it be likely to bottom out as an unsatisfactory approach to getting consent in the future?
Efrain: Well I think that is a reflection of how the industry is shaping the cookie world faster than the law is shaping the cookie world. Right? You have on the one hand Facebook and Google with their “Limited Data Use” options and you also have Google planning to phase out 3rd party cookies. We can see this as the industry trying to figure out what the best approach is. And then you have the example from Der Spiegel, which is the first one like that I have seen in the EU, where you pay cash or data to access the content. The idea of it seems fair but I haven’t really investigated that model in depth so I don’t know if you pay with data whether they will show you targeted advertising and targeted content or whether it is just generic ads. So, depending on that I could have a problem with it.
A larger worry is that in principle it might be going against certain obligations imposed by the GDPR such as not blocking content on the condition of supplying your data. But in this case you are giving the user the choice which is in a way a more balanced approach than not asking, or if the only option was to pay your data and submit to tracking on the site and across the web using third parties.
So, I think it could be problematic from a legal standpoint but there is something right in the approach. When you step into the shoes of the user, you think, at least they are upfront, I know I am paying, and I know my data has some value for them. Other websites will not tell you that your data has value for them, even though that is why they are looking to get your data. Most websites claim that they want the data for functional purposes – for performance, for user-friendliness — but they do not tell you that they value your data because they monetize it.
Fergal: But I wonder if there is something a little disingenuous about that. Typically, the value of data is in aggregate, your individual contribution is a drop in the ocean. There are different kinds of privacy advocates out there, some value privacy for its own sake. Others think that use of our data is a theft of our property, privacy concerns are property concerns, something like that. However, there is a more fundamental sense in which your data is only really valuable in terms of the role it plays in vast data sets. I wonder if the Der Spiegel approach is just another kind of illusion, letting people feel like they are in control while it is just a new game being played. Maybe it’s out of step – and I think you mentioned this earlier – that it is out of step with the “spirit” of what the legislation is trying to achieve in the first place.
Efrain: I absolutely agree with you and then if you dig a little deeper you find that the whole problem is the illusion of control, it is an illusion because we are the product, when it comes to cookies and tracking, it’s not the app we are using. And the AdTech vendor is not just buying an impression on a website, it’s buying a dataset. When you are the product or when your data is the product how can you control it? Even if they give you information about what they are doing, they give you an illusion of choice, sometimes it’s just that. Even if you read the privacy policies, unless you have been immersed in this discipline for the past few years it is unlikely that you will understand the depth of control or lack of control you have or don’t have.
Fergal: I think that last point takes us into another interesting topic. You mentioned Google’s plans to phase out 3rd party cookies – they are going to be replacing that support with their own “Privacy Sandbox” and it seems like that at face value, if you just see it on a headline it seems like a good thing, but then typically, the devil is in the detail. It seems like there is going to be a huge amount of complexity in terms of what this privacy sandbox is going to mean. We are going to need to see a lot of detail in order to understand how much better off we may or may not be. I wanted to get a sense of your view on what these patterns for the future mean. Where they are going and what it’s going to be like for users?
Efrain: I think the biggest challenge here is for marketers because this is definitely changing the model. It’s not news that 3rd party cookies are being phased out. Slowly and surely Firefox and Safari started doing that a while ago. And Apple has been limiting data use for some time now. What’s different here is that Chrome has something like 60% of the market share! I guess that’s why Google decided to phase them out slowly, rather than in just one single move. They will begin limiting the ability for people to use 3rd party cookies on Chrome within the next month or so and this will last for about 2 years so we can expect 3rd party cookies to be phased out of Chrome and most other browsers by, say, 2022. In the meantime, what we are all trying to figure out is what is going to be next. I have seen the proposal from Google for their Privacy Sandbox. It is something that makes sense as you say. From the outset, you can see that this is more privacy focused. You can see that switch from Web 2.0 which was mainly an engagement logic to 3.0 which is a privacy logic. We start to see a lot of encryption mechanisms which before were mainly a feature of the deep web, and now we are starting to take on the limits, the privacy gadgets that they have in those darker browsers, and they are becoming part of the mainstream internet, because we are more aware of our data.
The fact that users each and every day, grow more and more aware of what it means to hand over your data, what it means to be online, what it means to share your information with every website you visit — well this will of necessity inform the steps that the industry is taking to change the model. So, from Google we hear they have these several components for the privacy sandbox where you are not going to be able to identify individual users, at least at first. Instead you will be able to use and trade on interest groups. So, some people are interested in football and swimming and libraries, right? Now you have a group of people and if you buy the dataset representing that group – or if you get it from Chrome, I am not sure what the model is going to be — but you will have a privacy budget and if you exceed your privacy budget because you want to show a video to that specific group you may run out of budget and then if you do you will have to get consent from the user to keep sending them stuff if they really are interested.
We don’t really know how it’s going to work, but we know to some extent, because of the components they are using, that if you start mixing and matching datasets you will be able to single out users, it’s not that difficult. But using the privacy budget they want to thwart practices like fingerprinting. So yes, you will be able to do things like that, but it will take you twice or three times as long as it did before because you are not getting that information from your pixels and cookies and beacons. Now what we just don’t know is what is going to happen with these technologies — we know what is going to happen with 3rd party cookies — but of course when people are talking about 3rd party cookies are they also talking about these other forms of tracking, pixels, beacons and those more inconspicuous technologies that you don’t even see, you are not aware that they are there. So, all is not clear just yet. By contrast what is clear is that the game is changing. On the one hand you have the Google Privacy Sandbox and the phasing out of 3rd party cookies, and on the other hand you have Johnny Ryan attacking real-time bidding for the past two years. And that will give you something to worry about, especially if you are in the marketing industry.
To be continued with part 2.