Cookies and Consent Compliance: How to collect, store & deploy personal data through web trackers
The ePrivacy Regulation is not yet in place, but cookies and other tracking mechanisms are under scrutiny by Data Protection Authorities (DPAs). It is imperative that organizations understand the implications of cookies and respect for consent, paying particular attention to how they collect, store and deploy personal data through their web trackers.
As CEO of Didomi, I was recently invited by the Data Protection World Forum (DPWF) to participate in a panel of experts to discuss the issue of consent collection and management in the light of EU regulations. It was an opportunity for me to talk about the value that publishers can derive from consent and privacy. I had the pleasure of speaking with Catherine Armitage (Director of digital policy, World Federation of Advertisers), Laurie-Anne Bourdain (Risk and Privacy Officer, Isabel Group) and Andrew Sharp (Practice Lead, Securys).
Let's review the key points of our “Last Thursday in Privacy” debate organised by PrivSec on May 28, 2020.
What is Consent?
What do we talk about when we talk about consent? There isn’t one clear definition of the concept, as there are many different laws out there, creating confusion in the market. However, it is safe to say that the GDPR is becoming the standard and the all-encompassing reference for European countries, and we can all agree on its definition of consent. It is defined in Article 4(11) as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Our job as a CMP is to make sure that all three levels of consent are properly accounted for:
● Consent collection: a message for users to accept or not the use of cookies & trackers.
● Consent storage: to keep a legal proof of consent and to better understand user behavior thanks to analytics.
● Consent distribution: making sure publishers transfer consent signals correctly to their vendors. CMPs help them by integrating correctly with vendors and deploying standards to transfer these signals.
The third point is the most difficult to implement, as each vendor brings onto a given website a chain of new vendors, and it is very hard to track which ones will be dropping cookies.
There are ways to systematically audit your website and understand the relationship between the cookies and the vendors, but it remains a challenge as situations are very dynamic and constantly changing. For instance, a large company may run an audit on day one, and think they fully understand what is going on. But if a team brings in a new marketing partner on the next day, who brings in ten new vendors, which will in turn bring in ten extra vendors each, then the company will find itself no longer being compliant on day two.
Audits are still very useful of course, as they inform professionals on what is really going on on their websites, and who is dropping cookies and at what rate. Auditing on a regular basis is a great tool for implementing “privacy by design” and leaving a trail.
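To make the three levels concrete, here is an added example in JavaScript (not Didomi's code, and not a description of how its CMP is implemented). It models a consent record, default-deny gating of vendors, the chain of vendors that one vendor would pull in, the purpose-only signal passed downstream, and the audit step that flags cookies set by vendors the user did not allow. The vendor names, purposes and cookie names are constructed for illustration.

```javascript
// Added example, not the original post's code. Models consent collection,
// storage and distribution plus a simple cookie audit, in plain functions
// so it runs without a browser. All vendor/purpose/cookie names are constructed.

const PURPOSES = ['analytics', 'retargeting', 'personalised_ads'];

// Hypothetical vendor registry: each vendor declares the purposes it needs and
// the further vendors it would load if it is allowed to run on the page.
const VENDORS = {
  'site-analytics': { purposes: ['analytics'], loads: [] },
  'ad-tag-manager': { purposes: ['personalised_ads'], loads: ['retargeter-a', 'retargeter-b'] },
  'retargeter-a':   { purposes: ['retargeting'], loads: ['data-broker-x'] },
  'retargeter-b':   { purposes: ['retargeting'], loads: [] },
  'data-broker-x':  { purposes: ['personalised_ads', 'retargeting'], loads: [] },
};

// Consent collection: build a record from the user's choice. Unknown purposes
// are ignored and anything not explicitly accepted is denied (no default opt-in).
function buildConsentRecord(choice, now = Date.now()) {
  const accepted = new Set(choice.accepted || []);
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = accepted.has(p);
  return {
    version: 1,                               // bump when the notice text changes
    noticeId: choice.noticeId || 'notice-v1', // which notice the user actually saw
    timestamp: new Date(now).toISOString(),   // when the choice was made (proof)
    action: choice.action,                    // 'accept_all' | 'deny_all' | 'configure'
    purposes,
  };
}

// Consent storage: serialise for a first-party cookie or local storage, and
// parse it back; anything malformed or from another record version is treated
// as "no consent" rather than as a partial record.
function serializeRecord(record) {
  return JSON.stringify(record);
}
function parseRecord(raw) {
  try {
    const r = JSON.parse(raw);
    return r && r.version === 1 && r.purposes ? r : null;
  } catch (e) {
    return null;
  }
}

// A vendor may run only if every purpose it declares was accepted.
function vendorAllowed(vendorId, record) {
  const v = VENDORS[vendorId];
  if (!v || !record) return false;
  return v.purposes.every((p) => record.purposes[p] === true);
}

// Consent distribution: walk the load chain from the vendors the page itself
// embeds. A blocked vendor never gets to load its own dependents, and each
// dependent that is reached is still checked against its own purposes.
function resolveAllowedVendors(rootVendors, record) {
  const allowed = [];
  const seen = new Set();
  const queue = [...rootVendors];
  while (queue.length) {
    const id = queue.shift();
    if (seen.has(id)) continue;
    seen.add(id);
    if (!vendorAllowed(id, record)) continue;
    allowed.push(id);
    queue.push(...VENDORS[id].loads);
  }
  return allowed.sort();
}

// The signal handed to each allowed vendor: only the accepted purposes, never
// the raw record or anything that identifies the user.
function consentSignalFor(record) {
  return Object.keys(record.purposes).filter((p) => record.purposes[p]).sort();
}

// Audit helper: given cookies observed on the page and the vendor that set each,
// list the cookies set by vendors that were not allowed to run.
function auditCookies(observedCookies, allowedVendors) {
  const ok = new Set(allowedVendors);
  return observedCookies.filter((c) => !ok.has(c.vendor)).map((c) => c.name).sort();
}

// Demo: user accepts analytics and personalised ads but refuses retargeting.
const demoRecord = buildConsentRecord({ action: 'configure', accepted: ['analytics', 'personalised_ads'] });
const demoAllowed = resolveAllowedVendors(['site-analytics', 'ad-tag-manager'], parseRecord(serializeRecord(demoRecord)));
console.log('allowed vendors:', demoAllowed);
console.log('signal to vendors:', consentSignalFor(demoRecord));
console.log('cookies to flag:', auditCookies(
  [{ name: '_sa_id', vendor: 'site-analytics' }, { name: '_rt_uid', vendor: 'retargeter-a' }],
  demoAllowed));
```

The interesting case is the middle one: the tag manager is allowed because the user accepted personalised ads, but the two retargeters it would load are refused on their own purpose, and the data broker behind them is never reached at all. That is the behaviour the third level has to guarantee, and the audit function is what lets a site check it against what is actually being set.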
Harmonizing Consent Legislation
Each country has its own data protection authority, with its own guidelines, which makes it particularly difficult to be compliant everywhere, all the time. Should companies try to comply with each country’s legislation separately, or apply the strictest possible set of rules for everyone? And even when ePrivacy comes in, what is the UK going to do? And those marketing outside of the EU? And how about the CCPA in California?
I have been following the ePrivacy regulation since the very beginning, with all its ups and downs and many surprises. While we are waiting for the new Directive to be effective, our focus is on local DPAs and their coordination to interpret the GDPR and the ePrivacy Directive that is still valid.
The good news is that I definitely see a consensus emerging around cookie consent in leading EU countries (with the exception of Spain – so far their DPA has defended scrolling as constituting valid consent, even though this position looks to be evolving) and a lot of progress has been made in the last two years to reach a common definition of cookie consent. I believe that, despite apparent fragmentation, there is more harmonisation, and it is easier for EU companies to interpret the law than it was even just six months ago. In the U.S., things are changing too: the CCPA in California is a first step towards more control for American users. A virtuous circle is set in motion, with privacy gradually being at the heart of customer relationships, even in countries where compliance is less restrictive than in Europe.
We look forward to the new ePrivacy regulation being in place, but in the meantime our role as a CMP is to help clients comply with their local realities. We try to make things as simple as possible for them.
Data Ethics
In fact, we all agreed in this panel that beyond the legislative aspect of things, what matters is to be doing “the right thing”, and to implement “good”, ethical consent management. Companies need to understand that the real debate here is not about compliance, but about building trust - trust with consumers, and with all the other actors in the chain. Good consent management is putting the customers in control, telling them what is being done with their data, why, letting them make a choice, and letting them change their minds.
It was pointed out that cookie banners are still very complex and often lead to what is called “cookie fatigue” for consumers. The best practice would be to offer three options: “Accept all”, “Deny all”, “Configure”. But what we mainly see today is “Accept all” and “Configure”. This opacity is pushed by marketing teams who need data for statistics and analytics and therefore rely heavily on consent. But have cookie consent and transparency lost their power? I believe a lot of progress has been made towards making cookie consent effective. From a technological standpoint, it is undeniable: if a user says “no” to cookies, it works. But now brands are afraid for their analytics, and it therefore becomes a business issue.
I find it very interesting to see opinions evolving on the question of consent. Many questions are raised such as “should I offer the option to refuse on the first page? How should I layer the information? Up to what granular extent should I display this information?” I think all these things should be done to make the user experience as easy as possible: if you can make it happen, why wouldn’t you?
However, publishers should think about how and when they display cookie consent. For instance, not all cookies need to be dropped on the first page: maybe you need your analytics cookies, but you don’t need retargeting cookies right on the home page. The tendency is to immediately collect consent for every cookie, even before the user lands on your website. As a professional, I don’t find this very intuitive. And as a user, it bothers me. So from a technological standpoint, I’d like to see some progress here.
But consent is now effective, and that’s a massive plus for users and companies, as it brings more security to the whole system.
Privacy and Brand Value
What I probably find most important to convey is the idea that being ethical isn’t just about “doing the right thing”, but it is also an opportunity to build more trust with your customers and develop your brand experience.
Indeed, from a brand perspective, the cookie banner is the first thing a user will see on your website, so you should think carefully about how to display the message and how it fits with the overall UX. It is not one size fits all, and that is why I don’t think putting cookie consent in a browser is a good idea, as businesses will not have the freedom to interact with their users in their own specific ways. It is impossible to bring elements of brand experience into a generic, browser-level experience. I hope brands will bring UX and UI learnings into the consent workflow, and I expect a lot of creativity around cookie consent in the coming months, mainly as brands will have to ask for real consent and give users the ability to say “no”. Brands will simply have to be more creative, and understand privacy as a powerful customer relationship tool, and not just an element of compliance.
Think of Apple. They are the most valuable brand in the world, and privacy is their Number 1 selling point. It is not a coincidence. Every brand should ask themselves: how does privacy fit into my customer relationship? We need to start thinking about privacy beyond compliance, and fit it into a company’s purpose, just like it has been done for sustainability. It is very exciting, as more and more companies are developing their own data ethics principles and their own positioning around data usage. Privacy isn’t just a legal issue, it is a brand issue.
However, let’s not forget that depending on who you are, cookies can have a big impact on your business. If you are an e-commerce merchant and 50% of your acquisition depends on retargeting, then there is a clear link between your ability to sell products and your ability to drop cookies. Likewise, if you are a media outlet, your monetisation almost entirely depends on personalised advertising, which carries around twice as much value as non-personalised advertising, so there is a link here too. These businesses have a different perspective on cookie consent, how to implement it and how to present the messaging. Didomi is here to support all types of publishers, and make sure they can link cookie consent to their brand value.
Romain Gauthier
Data Strategy | Data Plate-form | Data Driven Marketing | Data Science to Sell | Data to Perform
4 years ago: I agree with these statements: "Companies need to understand that the real debate here is not about compliance, but about building trust" and "Privacy isn’t just a legal issue, it is a brand issue." And I would like to add: "No cookie => No personalization => No real consent for the Brand".