2024’s Data Protection Milestones

December 2024

Each year sees significant developments across the data protection landscape. I’ve asked industry insiders for their ONE most significant data protection or ePrivacy related milestone of 2024. Interestingly, everyone offered a different take. And all of these milestones will remain significant well into 2025.

UK GENERAL ELECTION AND DATA BILLS

Chris Combemale, Chair of the Data and Marketing Association

The most significant event for me was the General Election. For three years the DMA worked hard with the former government to ensure key reforms were included in the DPDI Bill, including certainty around legitimate interest as a lawful basis for direct marketing. At the time the election was called, DPDI was in the final stages of passage in the House of Lords. The DMA campaigned throughout the election to persuade the new government to pick up the mantle, including a joint letter to all political parties from the DMA, Tech UK and other members of the Business Advisory Group which I chaired. Our efforts paid off and the Data (Use and Access) Bill is now at Committee Stage in the House of Lords. DUA brings forward the best parts of DPDI while dropping the most controversial reforms, salvaging years of work and creating a better Bill that will transform public services, contribute to growth in the economy and maintain high levels of data protection.

Simon Blanchard, Data Protection Consultant, DPN Associates

The DUA Bill includes plans for Smart Data Schemes which allow consumers and businesses to safely share personal information with regulated and authorised third parties, for example, to generate personalised market comparisons. There are plans to create a framework for trusted identity verification services which could simplify processes like starting a new job, renting a home, as well as registering births and deaths. For me it’s significant there are now no plans to dilute accountability obligations under UK GDPR (e.g. remove the Data Protection Officer role and no changes to DPIA and RoPA requirements). DUA will give a statutory footing for many commonly used practices regarding Data Subject Access Requests. Certain legitimate interests will become ‘recognised’, such as national security, safeguarding and emergency response. The Bill’s progress is definitely one to watch in 2025. Updated DPN Legitimate Interests Guidance v3

DOORS OPENED TO EU PRIVACY ‘CLASS ACTIONS’

Fedelma Good, Data Protection and ePrivacy Consultant

Top of my list was definitely going to be the news Australia had introduced a law banning social media use for under 16s, not least because of all the attendant concerns that have been expressed it will actually backfire, driving teenagers to the dark web, or making them feel more isolated. Well, at least this was top of my list right up until the announcement on 3rd December that the privacy rights group noyb had been approved in Austria and Ireland – but with validity throughout the EU – as a so-called ‘Qualified Entity’ to bring collective redress actions in courts throughout the European Union. I would really love to have a crystal ball to be able to see if a few years from now we will see the comment by Max Schrems, chair of noyb, that “So far, collective redress is not really on the radar of many – but it has the potential to be a game changer,” as the understatement of the decade.

AI & DATA PROTECTION COMPLIANCE

Steve Wood, Consultant and Researcher, Privacy X and former Deputy Commissioner, ICO

In 2024 our community has dug deeper into the key implications of AI for data protection compliance. We’ve seen a range of consultations from data protection regulators globally, addressing issues such as whether large language models are classed as personal data, when legitimate interests can apply as a lawful basis, how data subjects’ rights apply to AI models and what safeguards to mitigate DP risks. Given the pivotal role the EU GDPR plays in global data protection governance the key event for me will come right at the end of the year, just before the 23 December (some Xmas holiday reading!) when the EDPB will release their GDPR Article 64(2) Opinion on AI models, requested by the Irish Data Protection Authority. The Opinion will provide a significant regulatory framing for the approach companies need to take to AI governance for the coming years, noting the breadth of application of the GDPR compared to the focus of the EU AI Act on high-risk systems.

GLOBAL ADOPTION OF DATA PROTECTION PRINCIPLES

Robert Bond, Senior Counsel, Privacy Partnership Law

The one most significant data protection event in 2024 for me was the number of countries around the world who were passing and updating their data protection law significantly influenced by the GDPR. From Kenya to Sri Lanka, from Australia to Saudi Arabia and from China to many States in the USA, the similarities around data protection principles, data subject rights and data transfer restrictions are considerable. Whilst these global developments may not apply to smaller organisations, in the case of multinationals, the ROI for all the hard work invested in complying with the GDPR is that complying with data protection laws in other parts of the world is getting somewhat easier.

UNLAWFUL INTERNATIONAL DATA TRANSFERS

Eduardo Ustaran, Partner Hogan Lovells International LLP

An issue which has returned as a top priority for regulators is cross-border data transfers. Due to geopolitical tensions, the resulting increase in surveillance and the populist appeal of data localisation, the legal restrictions on international data transfers have attracted implacable scrutiny and enforcement. A worrying concern in this area is that there seems to be no room for a balanced assessment of the risk in practice, as the mere possibility of access to data by law enforcement or intelligence agencies is leading regulators to conclude that such transfers are unlawful. This regulatory line of thinking poses a real test for everyone seeking to apply a pragmatic, risk-based approach to legitimising global data flows.

CASE LAW & THE DEFINITION OF ‘PROCESSING’

Claire Robson, Governance Director, Chartered Insurance Institute

An interesting development in case law came in the decision of the Court of Appeal in Farley v Paymaster (trading as Equiniti), a case about infringement of data protection rights in postal misdirection. Over 450 current and former police officers took action against their pension administrator, after statements were sent to out-of-date addresses. The High Court dismissed many of the claims, stating there was not enough evidence to show the post (pension benefits statements) had been seen by a third party, so no processing had occurred. The Court of Appeal overturned this, granting permission for claimants to appeal. It felt there was a prospect of success in claiming processing had taken place through extraction of the information from the database, electronic transfer of data to the paper document, along with the mistaken address, and that it was not necessary to rely on a third party reading the statement. An interesting one for Data Controllers to watch in how this develops and what it means for the definition of, and limits to, ‘processing’.

LACK OF ICO ENFORCEMENT

Emma Butler, Data Protection Consultant, Creative Privacy

For me, sadly, the most significant event of 2024 has been the decline of data protection enforcement. Yes, we have seen fines for marketing breaches and some enforcement notices, but there has been a long list of serious compliance breaches with significant impacts on people that have only received a reprimand. This leads me to wonder how bad it has to get before there is serious enforcement action to change behaviours. I have seen a corresponding lessening of the importance of compliance among organisations in terms of increased risk appetites for non-compliance, and feeling they can ‘get away with’ practices because ‘everyone else is doing it’ and they see no consequences from the ICO. I have also noticed a decrease in DPO / senior roles and more combining of the DP role with other functions, as well as low salaries for the roles that exist. Not a vintage year.

REJECT ALL COOKIES

For my part, a significant change this year has been the ‘reject all’ button springing up on so many UK websites, giving people a clear option to reject all non-essential cookies (albeit this is certainly not universal and I’m not sure clicking ‘reject all’ always works in practice). This change followed an ICO warning late in 2023 to the operators of some of the country’s most popular websites, demanding compliance with the cookie rules. The warning focused particularly on advertising/targeting cookies, and website operators were told they had to make it as easy to reject all as it is to accept all. We then saw some websites moving to the controversial consent or pay model, which gives users a choice: 1) pay for an ad-free service, 2) consent to cookies, or 3) walk away. I’ll be watching closely for the ICO’s hotly awaited views on the legitimacy of this approach. I’m also pleased it looks like the DUA Bill will pave the way for first party website analytics cookies to be permitted without consent.

As you can see, from the DUA Bill to AI, global privacy laws to data transfers and the real possibility of EU ‘class actions’, these milestones are likely to keep the industry busy well into 2025 and beyond. And we’ll continue to keep you updated on the most significant developments as they happen.

Cookie reprimand and more ICO investigations

September 2024

How to get to grips with your cookies and similar technologies

Following warnings issued to companies operating some of the UK’s most popular websites in relation to their use of advertising cookies, the ICO has issued a reprimand to a leading betting website. It’s also announced an investigation into a company which has failed to take action to meet cookie compliance requirements.

Bonne Terre Ltd, trading as Sky Betting and Gaming, received a reprimand for ‘unlawfully processing people’s data through advertising cookies without their consent’. Third-party tracking technologies including cookies were dropped by the SkyBet website onto users’ devices, which collected personal data (e.g. device ID and unique identifiers).

While the site had a cookie notification (pop-up) and a consent management platform (CMP), the ICO investigation found certain cookies were dropped onto user devices before visitors interacted with the CMP. This meant visitors’ personal information was being processed and made available to AdTech vendors without the visitors’ knowledge or prior consent.

In my experience this is an area organisations often get wrong: cookies and other trackers being deployed onto user devices immediately, regardless of the CMP.

The ICO also looked into whether Sky Betting and Gaming were deliberately misusing people’s personal information to target vulnerable gamblers, but found no evidence of deliberate misuse. As a result of the ICO investigation, Sky Betting and Gaming made changes in March 2023 to make sure people could reject all advertising cookies before their personal information was shared down the AdTech supply chain.

Along with this reprimand the ICO has announced it will be investigating a gossip website, Tattle Life. Despite receiving an ICO warning, Tattle Life is said to have failed to engage.

What is the ICO’s key concern?

The ICO is focusing on meeting the requirement to give users a fair choice over whether they are tracked for advertising purposes. Along with not dropping non-essential cookies on a user’s device automatically regardless of whether they have given their consent, the ICO stresses organisations must make it as easy for users to ‘reject all’ as it is to ‘accept all’. To be clear, websites can still display adverts when users reject tracking, just not ones which are tailored to the person’s browsing habits.

Our 5 steps for compliant cookies

So, how can we make sure we’re following the rules when we deploy cookies and other similar technologies? Here are some straightforward steps to take:

1. Audit: Do a cookie audit. If you don’t know what cookies your website is using you can’t even start to be compliant. Run a diagnostic scan to discover exactly what cookies and similar technologies are currently deployed on your website(s). Establish what they are being used for, which are provided by third party providers and which involve the sharing of data with the third party (for example Google, Meta, etc).

2. Spring clean: Get rid of the cookies you no longer need. This might sound obvious, but you’d be surprised how often we find long-forgotten cookies lurking on websites, serving no purpose yet still needlessly sharing data with third parties! You might need to check with your colleagues which are still used.

3. Categorise: Categorise your cookies – what are they used for?

  • Strictly necessary (essential) cookies – these are vital for the website to operate. For example, a cookie which helps keep the website secure, or a cookie which allows items to be added to a cart in an online store.
  • Analytics/Statistics/Performance cookies – for example, cookies which allow you to monitor and improve the site performance.
  • Functional cookies – cookies which enable a site to remember user preferences and settings, to enhance their experience on your website.
  • Advertising/Targeting cookies – allowing visitors to be followed from one website to another so tailored advertising can be displayed, or to target the most relevant advertising on your own website.

4. Collect consent: The law tells us you need to collect consent for all cookies and similar technologies which are not ‘strictly necessary’ before cookies are dropped onto the user’s device. To achieve this, you may wish to select a specialist Consent Management Platform to handle notifications and consents for you, as a website ‘plug in’.

There are many CMPs on the market, some of which are free. Beware that not all of them meet the UK/EU cookie requirements, so care is required when selecting the right one. If you use sub-domains on your website, deploy a high number of cookies or you want to exercise some creativity with how it looks, you’re likely to need a paid solution.

5. Notify website users: Provide a clear notification about the cookies and similar technologies you deploy. This should include:

  • the cookies you intend to use;
  • the purposes they will be used for;
  • any third parties who may also process information stored in or accessed from the user’s device; and
  • the duration of any cookies you wish to set.

There are two approaches to this. You can let the CMP handle both the notification (pop-up) and the provision of more detailed information about cookies, or you can use the CMP for the pop-up and provide a separate more detailed cookie notice.
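
The ICO finding described above (cookies dropped before visitors interacted with the CMP) can be tested against the inventory produced in steps 1 to 3. The JavaScript below is an added example, not code from the ICO or any CMP vendor: it takes the Set-Cookie headers recorded on a first page load with no consent choice made, and flags every cookie that is not categorised as strictly necessary. The site domain, hosts, cookie names and inventory are constructed sample values.

```javascript
// Added example. Hosts, cookie names and the inventory are constructed samples.
const CATEGORIES = ['strictly-necessary', 'analytics', 'functional', 'advertising'];

// Parse one Set-Cookie header value; returns null for a header with no cookie name.
function parseSetCookie(header, capturedAtMs) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // Max-Age takes precedence over Expires; neither means a session cookie.
  const hasLifetime = maxAge !== null || expires !== null;
  const seconds = maxAge !== null ? maxAge
    : expires !== null ? (expires - capturedAtMs) / 1000 : 0;
  return {
    name: pair.slice(0, eq),
    session: !hasLifetime,
    deletion: hasLifetime && seconds <= 0, // the response removes the cookie
    lifetimeDays: Math.max(0, Math.round(seconds / 86400)),
  };
}

// A response host is third party when it is neither the site domain nor a subdomain.
function isThirdParty(host, siteDomain) {
  const h = host.toLowerCase();
  return !(h === siteDomain || h.endsWith('.' + siteDomain));
}

// capture: responses recorded on a first visit, before any CMP interaction.
// inventory: the categorised cookie list produced by the audit (steps 1 to 3).
function auditPreConsentCookies(capture, inventory, siteDomain) {
  const capturedAtMs = Date.parse(capture.capturedAt);
  const findings = [];
  for (const response of capture.responses) {
    for (const header of response.setCookie) {
      const cookie = parseSetCookie(header, capturedAtMs);
      if (!cookie || cookie.deletion) continue;
      const entry = inventory[cookie.name];
      const known = Boolean(entry) && CATEGORIES.includes(entry.category);
      if (known && entry.category === 'strictly-necessary') continue; // exempt
      findings.push({
        name: cookie.name,
        category: known ? entry.category : 'uncategorised',
        setBy: response.host,
        thirdParty: isThirdParty(response.host, siteDomain),
        lifetimeDays: cookie.session ? null : cookie.lifetimeDays, // null = session
        issue: known
          ? 'non-essential cookie set before consent'
          : 'not in inventory: audit and categorise before deciding',
      });
    }
  }
  return findings;
}

// Constructed capture of a first page load (for instance, taken from a HAR export).
const capture = {
  capturedAt: '2024-09-01T00:00:00Z',
  responses: [
    { host: 'www.example.test',
      setCookie: ['session_id=abc123; Path=/; HttpOnly; Secure',
                  'site_stats=1; Max-Age=31536000; Path=/'] },
    { host: 'ads.tracker.example',
      setCookie: ['ad_uid=9f2c; Domain=.tracker.example; Max-Age=34128000; Secure; SameSite=None'] },
    { host: 'www.example.test',
      setCookie: ['legacy_promo=1; Expires=Mon, 01 Sep 2025 00:00:00 GMT'] },
  ],
};

// Constructed inventory using the four categories from step 3.
const inventory = {
  session_id: { category: 'strictly-necessary', provider: 'first party' },
  site_stats: { category: 'analytics', provider: 'first party' },
  ad_uid: { category: 'advertising', provider: 'Tracker Example Ltd' },
};

const findings = auditPreConsentCookies(capture, inventory, 'example.test');
console.table(findings);
```

Set-Cookie headers only cover cookies set by HTTP responses; cookies written by scripts, and other information stored on the device, need a browser-based scan as well.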

What are cookies and similar technologies?

Cookies are small pieces of information, which are used when users visit websites. The user’s software (for example, their web browser) can store cookies and send them back to the website the next time they visit.

The cookie rules also apply to any other technologies which store or access information on a user’s device. For example, similar technologies could include web beacons, scripts, tracking pixels and plugins.

What the law says

Contrary to what we often read in the papers, GDPR does not give us the rules for cookies and similar technologies. In the UK the rules are set out in the Privacy and Electronic Communications Regulations (PECR) which are derived from the EU ePrivacy Directive. The specific requirements vary by country, so think about which countries your site users visit from. Many EU countries have their own rules, all based on the same EU Directive but in the real world they have their own nuances.

In simple terms, you can’t ‘drop’ a file on a user’s device or gain access to information stored on their device unless:

a) You have provided clear and comprehensive information about your purposes for doing this, and
b) You have collected the consent of the user.

There is an exemption for strictly necessary cookies only. The cookie rules apply regardless of whether you’re processing personal data or not, i.e. these rules also apply to the automated collection of anonymised data.

Some points worth noting from ICO guidance

  • Consent needs to meet the requirements under GDPR for it to be a specific, informed, indication of someone’s wishes given by a clear affirmative action.
  • You must inform users about what cookies you use and what they do before they give their consent.
  • Where third-party cookies are used, you must clearly and specifically name who these third parties are and what they will do with the information collected.
  • Users must be given control over non-essential cookies, and should be able to continue to use your website if they don’t give consent.

It’s worth noting the ICO has determined analytics cookies are NOT essential and require consent. However, this is not always the case in other European countries. For example, the French regulator CNIL does not mandate the collection of consent for analytics cookies. They consider these cookies can be used under Legitimate Interests, which means they still require websites to notify users and give them the opportunity to object (opt-out).

The future and alternative solutions for cookies

In both the UK and in the European Union there’s a concerted desire to simplify the rules and remove the necessity for everyone to be faced with a barrage of cookie pop-ups on every website they visit. As yet however, a suitable solution has not been agreed.

Instead of using third-party cookies to help target advertising, there are a growing number of contextual advertising solutions, which are less intrusive, and a growing interest in more privacy-friendly Edge Computing Solutions.

However, there’s a sense these alternatives are not yet fully tried and tested. So we’ve seen a move by some organisations (particularly publishers) to a consent or pay model.

Google abandons plans to phase out third-party cookies

In big news for both digital advertising and online privacy Google has announced it won’t be phasing out third-party cookies.

Google had been working on ways to phase out third-party tracking cookies from its Chrome browser for 4 years. The idea was that instead of users’ personal data being shared with hundreds of third-party advertisers, Google would take control and do the tracking within the Chrome browser.

The so-called ‘Privacy Sandbox’ is Google’s initiative to develop technologies that protect privacy while also providing tools for digital businesses. But they’ve faced numerous challenges in developing an acceptable alternative to third party cookies which satisfies all parties involved. The advertising sector has been nervous about the effectiveness of the initiatives and their impact on campaign performance. On the other side of the equation Data Protection Authorities have raised concerns around privacy and transparency. This very delicate balancing act now appears to have fallen from its tightrope!

Google has now decided to keep third party cookies, but give users enhanced privacy options, which could apply across all their Google browsing. In all of this let’s also remember 3rd party cookies cannot be used in Safari or Firefox.

What does this mean for advertisers and publishers?

Over recent years, enlightened advertisers have been looking to start to diversify their activities to reduce reliance on third-party cookies. Life after cookies

Some advertisers may feel a sense of relief this long-running saga is over (for the time being), and revenue streams which were in question before this announcement now look healthier. But there may also be frustration at the time and effort spent looking for privacy-friendly advertising solutions with limited success.
The Privacy Sandbox will continue to evolve and given time may still yield more benefits for advertisers and publishers, as well as consumers and regulators.

Publishers may see changes in how they monetise their content with ads. The emphasis could shift towards leveraging first-party relationships and potentially new advertising models yet to emerge from Google’s Privacy Sandbox.

What does this mean for consumers?

Consumers are increasingly seeking control over their personal data and how they are tracked online. In our daily browsing we face a plethora of cookie banners of differing types – some far less clear and transparent than others.
Whilst there’s a genuine weariness of cookie banners, there’s also been an increase in users choosing to opt out of cookies used for tracking and ad targeting. We may be set for more of the same in the short term. Although regulators may decide now is the time to start to enforce against non-compliant use of cookies.

Charles Ping, Managing Director, Europe at Winterberry Group says the road ahead is not straightforward:

“Google’s decision to take a different path on the elimination of third-party cookies is an acknowledgment that this stuff is really hard. Making unilateral changes when you have Google’s level of market dominance will always create winners and losers, and the most recent CMA report demonstrated the journey set out in early 2020 had become a Sisyphean task.

However, the success of the mooted solution to give consumers choice, whilst delivering a degree of “cover” to Google that has been absent in recent times, won’t be plain sailing. We have learnt through many years of data collection statements and through the improving opt in rates in the world of Apple’s App Tracking Transparency (ATT), that the type of questions asked and how they are actually presented will make a massive difference to the outcome. The devil, as always, is in the detail, but giving consumers choice is, in principle, a great move forward.”

Cookies – Consent or Pay?

March 2024

UK and EU data protection regulators are grappling with the compliance of the so-called ‘consent or pay’ model, also known as ‘pay or okay’. Put simply, this model means accessing online content or services is dependent on users either consenting to being tracked for advertising purposes (using cookies or similar technologies), or paying for access without tracking and ads.

This model – and the varying approaches to it – raises questions about whether this can be fair, and whether consent can be ‘freely given’. But it also touches on far more than data protection. It speaks to acceptable business practices, competition models, consumer protection laws, accessible credible journalism and more.

Ad-funded online content and services

‘Consent or pay’ is one of a number of solutions intended to address issues surrounding online advertising and its use of cookies. None of them, it has to be said, are perfect.

This is all coming to a head as data protection regulators in Europe and the UK push for compliance with cookie laws (e.g. PECR in the UK). For example, the UK’s ICO says for the necessary consent to be valid website operators must make sure it’s as easy for people to ‘Reject all’ advertising cookies as it is to ‘Accept all’. More UK companies to be targeted for non-compliant cookies

This causes a problem. As increasing numbers click ‘Reject all’, advertising revenues will take a significant hit. And advertising matters. When a US Senator asked Mark Zuckerberg how Facebook remained free, he famously and simply answered; “We run ads”.

It’s a point that can be made more broadly – we’ve all enjoyed a vast amount of free online content and services because of personalised advertising. Lots of the content and services we routinely access online are ad-funded and rely on a large percentage of users accepting cookies to target these ads. It’s why we can waste time (or relax) playing online games for free.

Online content and service providers have to pay people to create content, run websites, create apps and so on. Commercial businesses also want to turn a profit. The balance lies between the quality, value and integrity of the content they offer, and the advertising revenues which can be gained by personalised advertising.

We’ve all been tracked and served adverts as we browse the internet. Personalised ads mean we have a better chance of being shown ads for products and services which match our interests and needs. Yes, some of this activity is annoying, trades on our habits and may sometimes even be downright harmful. That isn’t to say all of it is problematic; again, this is a question of balance. Regulators have to tread a delicate line between protecting end-users without hampering business from offering us fair products, content and services.

We may not want to be tracked, but online publishers and service providers can’t be expected to provide something for nothing. Businesses aren’t under any obligation to provide us with stuff completely for free.

Which brings us back to the concept of ‘consent or pay’. This concept hit the headlines last year when Meta introduced a payment option to users of Facebook and Instagram in the EU (not in the UK), offering an ad-free experience for a fee. This is currently the subject of complaints by consumer rights groups in Europe. Meanwhile the ‘consent or pay’ approach has been adopted by some of Germany’s major newspapers, and others.

Just pay

Another option is for all content to be put behind a pay wall. For example, in the UK you have to subscribe and pay to read online articles published by the Telegraph, The Times and the Spectator magazine. Often a limited number of free articles are provided before you have to pay.

Cookie free solutions

Other cookie-less ad solutions are being rapidly developed, such as contextual advertising. You can read more about the options here: Life after cookies

But with solutions which don’t use third-party tracking cookies still in their infancy, and concerns they won’t be able to produce the same return on investment as cookie-driven advertising, there’s a need to plug the funding gap fast.

‘Consent or pay’ – compliant or not compliant?

In the UK, the ICO hasn’t decreed whether ‘consent or pay’ is a fair approach or not. It’s asked for feedback, and in doing so set out its initial ‘view’.

While stating UK data protection law doesn’t prohibit ‘consent or pay’, the Regulator says organisations must focus on people’s interests, rights and freedoms, making sure people are fully aware of their options in order to make free and informed choices. It’s worth noting that in the EU, ‘consent or pay’ is not prohibited either.

The ICO has set out four areas which need to be addressed when adopting this model, and has asked for feedback on any other factors which should be taken into account.

1. Imbalance of power

The ICO says consent for advertising will not be freely given in situations where people have little or no choice about whether to use a service or not. This could be where the provider is a public service or has a ‘position of market power’.

2. Equivalence of services

If the ad-free service bundles in other additional ‘premium’ extras, this could affect the validity of consent for the ad-funded service.

3. Appropriate fee

Consent for targeted advertising is, in the ICO’s view, unlikely to be freely given if the alternative is an “unreasonably high fee”. The Regulator is suggesting the fee should be set at a level which gives people a realistic choice between the options.

4. Privacy by design

Any consent request choices should be presented equally and fairly. The ICO says people should be given clear, understandable information about each option. Consent for advertising is unlikely to be freely given if people don’t understand how their personal information is going to be used.

Another key consideration is how people can exercise their right to withdraw their consent. The ICO reiterates it must be as easy for people to withdraw their consent as it is to give it. Organisations also need to make sure users can withdraw their consent without detriment. This may be a tricky circle to square.

In all of this there’s an important point – whilst consent must be ‘freely given’ under EU/UK data protection law, this doesn’t translate into meaning people must get content and services free too. The ‘consent or pay’ model essentially offers a choice between pay with your data, or pay with your money.

Etienne Drouard is a Partner at Hogan Lovells (Paris) and his view is: “The very nature of consent is being offered an informed choice. ‘Pay or OK’ (‘Pay or Consent’) is, per se, a valid alternative. It requires a case-by-case and multi-disciplinary analysis. Not a ban.”

Have your say – UK ICO Call for Feedback on Consent or Pay

Time to plan ahead

Fedelma Good, Data Protection and ePrivacy Consultant, and former board member of the UK Data & Marketing Association, urges advertisers and publishers to plan ahead; “To say that online advertising is entering a period of turmoil is putting it mildly. Combining the issues of ‘consent or pay’ with Google’s cookie deprecation plans and you have an environment of uncertainty which advertisers and publishers alike will ignore at their peril. My advice to anyone reading this article is not only to track developments in these areas carefully, but perhaps more importantly to make sure you understand your own circumstances and options and plan ahead.”

Privacy and consumer rights groups

It’s clear privacy and consumer rights groups are pushing for change. Back in 2021 cookie banners were the focus, with the privacy rights group noyb.eu firing off hundreds of complaints to companies for using ‘unlawful banners’. The group developed software to recognise various types of unlawful banners and automatically generate complaints.

Max Schrems, Chair of noyb said: “A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”

Now the attention has turned to ‘consent or pay’. Meta’s use of this model has led to eight consumer rights groups filing complaints with different European data protection authorities. The claims focus on concerns Meta makes it impossible for consumers to know how the processing changes if they choose one option or another. It’s argued the choice given is meaningless.

The fundamental right to conduct business

There’s a complex balance here between people’s fundamental privacy rights and the fundamental right to conduct business. For publishers and other online services, advertising is a crucial element of conducting business. In the distant past, advertising was expensive.

As Sachiko Scheuing, European Privacy Officer at Acxiom & Co-Chairwoman, FEDMA, succinctly puts it: “Advertising used to be a privilege enjoyed by huge brands. Personalised advertisement democratised advertising to SMEs and start-ups.”

The growth of the internet and the advent of personalised advertising technologies has undoubtedly made digital advertising affordable and effective for smaller businesses and not-for-profits.

Well-established brands are more likely to be able to put up a paywall. People already trust their content, or enjoy their service and are prepared to pay. There’s a risk lesser-known brands and start-ups won’t be able to compete.

Is credible journalism under threat?

A Data Protection Officer at one premium UK publisher, who wishes to remain anonymous, fears the drive for cookie compliance risks damaging the ability to produce high quality journalism.

“In the face of unprecedented industry challenges, as more content is consumed on social media platforms, the vital ad revenues that support public interest journalism are under threat from cookie compliance, of all things. It seems like data regulators either don’t understand, or don’t care, about the damage they’re already inflicting on the news media’s ability to invest in journalism.

If publishers comply and implement “reject all” they lose ad revenue through decimated consent rates. If they fight their corner, they face enforcement action. Either way, publishers are emptying already dwindling coffers on legal fees, or buying novel consent or pay solutions.

Unless legislative change comes quickly, or the regulators realise that cookie compliance should not be an enforcement priority, local and national publishers may disappear, just at a time when trusted sources of news have never been more needed.”

Broader societal considerations

There’s a risk that, as more content hides behind paywalls, we’ll create a world where only those who can afford to pay will be able to access quality, trustworthy content.

‘Consent or Pay’ may be far from perfect, but it does allow people who can’t afford to pay to have equal access to content and online services, albeit they get tracked, while those who have money to spend can choose to pay and go ad-free.

If the consent or pay model fails, and cookie-less solutions fail to deliver a credible alternative, I fear more decent journalism will go completely behind paywalls, if that’s the only option to plug the funding gap.

I am in my mid-50s and can afford to pay. My son, in his late teens, can’t. I worry poor quality journalism, fake news and AI-generated dross might soon be all he and his generation will be able to access. That’s not to say there isn’t some great user-generated content out there. But it does mean having difficult and honest conversations about regulation and the right of businesses to make a profit in an age of politicised, fraudulent and bogus online content.

Life after cookies

March 2024

“The past is a different country: they do things differently there”.

I’m pretty certain when LP Hartley wrote this wistful line the changing world of advertising, data and privacy weren’t foremost in his mind. However, in five years from now, when all the current arguments surrounding the elimination of third-party cookies are long gone, that’s likely how we’ll view the universal use (and abuse) of a simple text file and the data it unlocked.

From one perspective, life after third-party cookies is very simple.

The majority of media is transacted without third-party cookies already. Whether by media type, first-party user preferences, device or regulatory mandates, lots of money already moves around without reference to third-party cookies. As the saying goes, “The future is already here, it’s just not very evenly distributed”.

That’s deliberately rather glib. Some sections of the media still rely upon third-party cookies and not every media owner has an obvious opportunity to build a first-party relationship with consumers. The advantages of an identifier that allows streamlining of experience for consumers whilst delivering audience targeting and optimisation for media owners and advertisers haven’t gone away.

When we look to life after third-party cookies, we need to understand the ways replacement identifiers have evolved to ameliorate the worst aspects of cookies, whilst leaving some advantages in place. One leader I interviewed on this topic back in 2020 said “It’s not the fault of the cookie, it’s what you did with the data” and that’s a useful measure to have in mind when looking at any alternative solutions.

Put very simply, the choices for a brand post the third-party cookie are:

  • Use a different identity approach
  • Buy into use of a walled/fenced garden toolset
  • Use another signal to match between media and audience that isn’t anchored directly to the user, such as contextual.

Alternative identity solutions

The advantage of these is they come with some aspect of permissioning and consumer controls – after the cookie arguments and much legislation in the UK, Europe and US, the industry has learnt these tools are critical. However, it remains a moot point as to whether consumers have much knowledge around any consent or legitimate interest options that are put in front of them – the ICO in the UK is currently clamping down on consent practices.

Equally moot is whether the majority of consumers are really that bothered. Much consent gathering is viewed by both parties as an unwanted hurdle in a customer journey. The basic requirements for a consumer to know who has their data, for what purposes and for how long remain, but how to achieve the requisite communication and control is still work in progress.

On a global scale these identity solutions revolve either around a “daisy chain,” using hashed email as the ID link, or use a combination of signals from a device with other attributes to have some certainty around individual identity. Any linkage built with a single identity variable risks being fractured by a single consent withdrawal.

The solutions built on a combination of signals have potentially more durability because they are less dependent on any single signal as the anchor of their fidelity, but many device signals are controlled by browser or operating system vendors, who may obscure or withdraw access to these as Apple has done in recent years.

Walled garden toolset

Much discussion is made around Google’s Privacy Sandbox initiative. This is the ambition from Google to deliver some of the advantages of third-party cookies within the Chrome browser whilst not revealing individual data.

It’s been a much longer journey than envisaged at the start when Google first made their announcement in 2020. Google’s commitment, made under the shadow of the Digital Markets Act, has been that they will not remove third-party cookies from the Chrome ecosystem until the UK competition regulator, the CMA, has approved their plans.

As of March 2024, those closely following the travails of Google, the CMA and the opinions tabled from the IAB Tech Lab (amongst others) would be hard pressed to give a cast iron opinion that the current timescale will be met. Privacy and competitive advantage have become inextricably intertwined in these arguments, which is fair. However, slicing through this Gordian Knot was probably not on the CMA or Google’s agenda when they signed up to this process. But that’s about timing, not a permanent stay of execution for the third-party cookie.

Non-user signals

The final approach is to use tools that do not rely on individual level signals. What an individual reads or consumes online says much about them – more than a century of classified advertising is testament to this.

The contextual solutions of 2024 are faster, smarter and better integrated than ever before. They have their downsides – closed loop measurement is a significant challenge hampering some of the campaign optimisations that became commonplace in the era of the third-party cookie. They became commonplace because they were easy and universal. However, to paraphrase the aphorism, what was measured came to matter, when it should really be the other way round.

And here we come into the greatest change that is being ushered in by the gradual demise of third-party cookies. Measuring what actually matters.

In the late 2010s, when cookies were centre stage as the de facto identifier of choice in media and advertising, their invisible synchronisation gave almost universal, if imperfect, coverage. One simple solution, accessible to all.

As we enter 2024, many alternative identifiers struggle to get much beyond 30% coverage. Contextual solutions can deliver 100% coverage but have their own measurement challenges. This has driven a greater interest in a combination of broad business- and commercial objective-based approaches such as Marketing Mix Modelling (MMM) and attribution-based metrics where appropriate. Advances in data management and analysis have enabled MMM to deliver more frequent insights than the traditional annual deep dive, making it a core component for post cookie media management.

Underpinning any and all of these solutions is the need for first-party data. Whether to build models for customer targeting, collaborate with media and other partners to access first-party data assets or measure more efficiently and effectively, having a structured, accessible and usable set of tools around first-party data is critical to working in the current landscape of solutions.

The growth of cloud storage solutions takes some of the burden away from making this a reality, but the applications used to understand and activate that data asset are many and various. Taking time and advice to build understanding in this area is critical to prospering after the third-party cookie.

Life beyond the third-party cookie is far from fully defined.

Some of the longer-term privacy and competition elements are not that hard to envisage, but exactly how the next 24 months play out is much, much harder to predict. It’s still really work in progress, especially around measurement and optimisation. For the user of data in advertising and marketing it’s essentially “back to basics”.

Your customer data is more valuable than anyone else’s, so capture and hold it carefully. Test many things in a structured way because the future is about combinations. And know what matters to your business and work out how to measure it properly, not just easily.

ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be interpreted as a shot across the bows for any Ad Tech company that is planning to launch new targeting solutions for the post-third-party cookie world.

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both the Competition and Markets Authority (CMA) and the ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive.

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns in the following areas, which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

The state of play in 2021

Since the ICO started its investigations in 2019, the market has continued to develop new ways of targeting advertising that do not rely on third-party cookies. The net result is that the world has moved to a less intrusive way of tracking, which has been welcomed by the ICO. Some examples include:

  • Following Google Chrome’s announcement on cookies, there is an expectation that third-party cookies will be phased out by the end of 2022.
  • There have been increases in the transparency of online tracking, notably Apple’s “App Tracking Transparency” (ATT).
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively.
  • Browser developers are introducing tracking prevention in their software. A notable example is the Google Privacy Sandbox, which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, there is some clear guidance for the way forward for developers of new solutions. 

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that they will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because the Ad Tech solutions have been in place for some time with the data protection guidance being retrofitted to an existing ecosystem. 

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for failing to ensure that privacy is engineered into the design of the solutions.

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control and developers must demonstrate that there is user choice through the data lifecycle. 

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem, this is largely impossible to achieve and there is no transparency across the supply chain. 

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, likely through a DPIA, but also explain how those risks will be mitigated. The previous ICO reports indicated their disappointment with the low volume of DPIAs produced by Ad Tech providers. This needed to change. 

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive so a partnership with the CMA will continue. You have been warned!

How did a trade union fall foul of the marketing rules?

November 2021

Unite the Union has been fined £45K over its telemarketing practices

The Information Commissioner’s Office (‘ICO’) has issued a fine to Unite the Union for what it describes as a ‘serious contravention’ of the Privacy and Electronic Communications Regulations 2003 (commonly known as ‘PECR’).

This action follows 27 complaints from individuals who had registered with the Telephone Preference Service (TPS) but received calls from Unite regarding life insurance – services provided to Unite members by a third-party insurer.

Unite believed these calls did not fall within the scope of the direct marketing rules.

What is the Telephone Preference Service?

The Telephone Preference Service (TPS) is the UK’s official ‘Do Not Call’ register for landlines and mobile telephone numbers. It allows individuals and businesses to opt out of receiving unsolicited live sales and marketing calls.

There is also a register for business telephone numbers, called the Corporate Telephone Preference Service (CTPS).

What does PECR require?

Regulation 21 of PECR requires a business to have gained prior consent before making unsolicited telemarketing calls promoting a product or service to phone numbers registered with the Telephone Preference Service Ltd (TPS).

Therefore, any telemarketing calls to TPS-registered numbers without valid consent will contravene PECR requirements.

The ICO’s findings

The ICO asked Unite to provide evidence of consent for these marketing calls. But Unite argued these were not marketing calls and were to let members know about services and benefits they were entitled to.

In their view the calls were made in accordance with their internal ‘Rule Book’. This required Unite to “notify members of the services and benefits that fall within their union membership and any changes to those terms.”

The ICO rejected this and found Unite had contravened PECR on the basis that Unite’s own rules cannot override the statutory protection provided under PECR.

In conclusion, the ICO found that in the 12 months to 11th March 2020, Unite had used a public telecommunications service to make 57,665 unsolicited telemarketing calls to people whose telephone number was registered on TPS.

Whilst individuals were told how to opt-out, they were not provided with the option to give opt-in consent to specific means of communication (such as telemarketing calls) relating to specific types of services or benefits. The ICO also noted the insurance services promoted in the calls were provided by a third-party insurer.

The ICO found that the consent Unite relied on was insufficient, as it provided broad information to data subjects, rather than the specific detail required under Regulation 21 of PECR. They highlighted multiple violations of Regulation 21 over the 12-month period, which resulted in 27 complaints.

Not deliberate

The ICO took the view Unite had not deliberately set out to contravene PECR. However the ICO’s enforcement notice states Unite was ‘negligent’ and failed to take reasonable steps to prevent the contravention.

The ICO also concluded Unite had access to sufficient financial resources to pay the fine without causing undue financial hardship and that its findings were not affected by the current COVID-19 pandemic.

What can we learn from this?

Controllers who conduct telemarketing either in-house or via a third party service provider (like Unite did) should remember that consent is required for any calls made to numbers registered on the TPS.

I would add that consent may not necessarily be required for telemarketing calls to individuals who have NOT registered for TPS or CTPS. Legitimate Interests may be used as an alternative lawful basis, provided the relevant conditions can be met. DPN would advise controllers who wish to consider this lawful basis to conduct a Legitimate Interest Assessment (LIA).

Membership organisations should recognise that they cannot override the requirements under PECR (or any other data protection law, for that matter) by adopting membership rules which are in conflict with the protections the law provides to individuals.

Like any marketing activity involving personal data, care is required to make sure the relevant legal obligations and requirements are satisfied.

 

Seven Step Ad Tech Guide from DMA and ISBA

May 2020

The DMA and ISBA guide for marketers and advertisers to help navigate through the complexity of handling personal data in Ad Tech.

This guide was written in response to the ICO’s Ad Tech Update which looked into how data was used in auction style Real Time Bidding.

The ICO had identified a number of concerns relating to the protection of the rights of data subjects through the use of Real Time Bidding (RTB) in the programmatic delivery of digital advertising.

As background for the uninitiated, the majority of digital advertising is delivered programmatically (through automation) via a variety of methods including Real Time Bidding (RTB).

RTB is defined as the delivery of programmatic advertising by a real-time auction method. To support this process, there are myriad technology solution (Ad Tech) providers who enable advertisers to identify and target recipients of advertising delivered in real time.

The guide, written in collaboration with the DPN and PwC UK, aims to support UK businesses actively engaged in the programmatic delivery of digital advertising to ensure they protect the rights of data subjects.

It is a practical guide to the seven steps participants can take to ensure they adhere to the legal requirements and demonstrate their understanding of the regulator’s concerns. The DMA and ISBA were able to consult with the ICO during the development of the guide.

It’s designed as a reference with clearly defined sections allowing readers to read the whole document or dip in as the need arises. Where suppliers are mentioned these are noted as examples and are not recommendations.

This guidance is divided into seven clear steps:

1. Education and Understanding – a comprehensive introduction to cookies and programmatic advertising with a detailed glossary of terms.

2. Special Category Data – the ICO highlighted the importance of treating special category data with care and this section steps you through its definition and usage.

3. Understanding the Data Journey – a key challenge is being able to track how data is captured and who processes it. This section explains how to complete a Record of Processing Activities as well as introducing the IAB’s Transparency and Consent Framework.

4. Conduct a DPIA (Data Protection Impact Assessment) – the ICO noted the limited use of DPIAs in Ad Tech. This section explains what a DPIA is and when to use it, and gives some pointers on what questions to ask.

5. Audit the Supply Chain – the ICO highlighted that you cannot rely on contracts to provide assurance around the use of personal data. This section provides audit check lists and questions you need answered when auditing suppliers.

6. Measure Advertising Effectiveness – the ICO have queried whether it’s necessary to use all the data collected through Ad Tech platforms. This section provides links to reference materials for improving insights into advertising effectiveness to allow for a proportionate approach to using personal data.

7. Alternatives to Third Party Cookies – what does a post third-party cookie world look like? This section provides some suggestions about alternative methods of targeting including the adoption of contextual targeting. It also provides references to some industry initiatives which are exploring different ways of targeting in a less intrusive manner.
