Google’s FLoCs are dead, long live Topics (for now)

February 2022

How does the introduction of Topics change advertising targeting?

The story so far

Google has been working on a solution to replace third-party cookies for advertising for some time. Although other browsers such as Mozilla Firefox and Safari have deprecated the use of third-party cookies a while ago, Google only made its announcement in 2019. 

Meanwhile, and with some fanfare, they came up with the idea of FLoCs – Federated Learning of Cohorts. Available details on what this involved were limited but, in essence, Google was going to use algorithms to categorise data about individual users' browsing patterns to create a range of interest-based groups which could be used for targeting.

What happened next? 

Things did not progress as rapidly as expected. There were a series of delays and hold-ups with many speculating about the cause: 

  1. Many parties including major publishers were concerned about the conflict of interest and the fact that Google was still harvesting vast quantities of data. 
  2. Various anti-trust bodies including the Competition and Markets Authority in the UK got involved and determined that FLoCs were potentially anti-competitive. 
  3. The Data Protection community in many territories expressed concern about FLoCs for being too intrusive and non-compliant. 

In Summer 2021, Google announced a delay to the launch of FLoCs. Not only did this cast doubt over its future but it also provided a stay of execution for those who were still reliant on third-party cookies for their targeting. There ensued a period of silence for 6 months.

Parallel technology developments for advertisers

Over the last few years, a number of alternative solutions have emerged which take advantage of recent technology to allow personal data to stay on your device rather than be collected centrally. 

In parallel, contextual advertising solutions are being adopted that are focussed on context and interest. A notable, but not only, example is Permutive which uses context to create advertising target audiences and has been introduced by a series of major publishers. 

The advent of Topics by Google

Eventually, in January 2022, Google announced Topics, and guess what? It’s using edge computing techniques as well as focusing targeting efforts on context. 

Does this mean that Google is just catching up with some of the more innovative organisations? Have Google decided that they wish to be more respectful of privacy concerns? Have they decided to walk away from the face-off with anti-competition bodies across the USA and Europe? 

What does Topics do?

To quote Google extensively:

“With Topics, your browser determines a handful of topics, like “Fitness” or “Travel & Transportation,” that represent your top interests for that week based on your browsing history. 

Topics are kept for only three weeks and old topics are deleted. Topics are selected entirely on your device without involving any external servers, including Google servers. When you visit a participating site, Topics picks just three topics, one topic from each of the past three weeks, to share with the site and its advertising partners. 

Topics enables browsers to give you meaningful transparency and control over this data, and in Chrome, we’re building user controls that let you see the topics, remove any you don’t like or disable the feature completely.”

How does this differ from FLoCs?

Superficially it appears that Topics allows for meaningful transparency and control of personal data whilst serving ads that are based on your browsing interests: 

  1. Topics shares far less data about the user – it simply shares an interest in topics
  2. No data is stored centrally – the targeting occurs in the browser when you visit sites 
  3. The user can curate the topics that are used for targeting 
  4. Topics provide the user with more clarity over how their data is being used through the browser settings
  5. Data is deleted after 3 weeks rather than retained 
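A simplified model of the selection and retention rules quoted from Google above (one top topic per week, three weeks retained, one topic per week shared, user removal honoured). This is an added example, not Google's code or the Chrome implementation; the hostname-to-topic mapping, the browsing history and the week numbering are constructed, and the real API's randomisation and per-caller restrictions are deliberately left out.

```javascript
// Simplified model of the Topics selection rules described in the article.
// Added example: not Chrome's implementation. Everything below is constructed.

// Constructed mapping from hostnames to a topic label. Assumption: in the real
// API the browser classifies sites itself; here the table stands in for that.
const SITE_TOPICS = {
  "gym-reviews.example": "Fitness",
  "run-club.example": "Fitness",
  "rail-times.example": "Travel & Transportation",
  "cheap-flights.example": "Travel & Transportation",
  "recipes.example": "Food & Drink",
  "news.example": "News",
};

// Topics older than this many weeks are deleted.
const RETENTION_WEEKS = 3;

// Top topic for one week, counted from the visits made in that week.
// Returns null for a week with no classifiable visits; ties break alphabetically.
function topTopicForWeek(visits, week) {
  const counts = new Map();
  for (const v of visits) {
    if (v.week !== week) continue;
    const topic = SITE_TOPICS[v.host];
    if (!topic) continue; // unknown site contributes nothing
    counts.set(topic, (counts.get(topic) || 0) + 1);
  }
  let best = null;
  for (const [topic, n] of counts) {
    if (best === null || n > best.n || (n === best.n && topic < best.topic)) {
      best = { topic, n };
    }
  }
  return best ? best.topic : null;
}

// Topics the browser retains at `currentWeek`: one per week for the last
// RETENTION_WEEKS complete weeks; anything older has been deleted.
function retainedTopics(visits, currentWeek) {
  const out = [];
  for (let w = currentWeek - RETENTION_WEEKS; w < currentWeek; w++) {
    out.push({ week: w, topic: topTopicForWeek(visits, w) });
  }
  return out;
}

// What a participating site receives: at most one topic per retained week,
// minus any topic the user removed in the browser controls. The site never
// sees the visit history itself.
function topicsSharedWithSite(visits, currentWeek, removedTopics = new Set()) {
  return retainedTopics(visits, currentWeek)
    .map((e) => e.topic)
    .filter((t) => t !== null && !removedTopics.has(t));
}

// Constructed browsing history; week numbers are relative (week 0 = oldest).
const SAMPLE_VISITS = [
  { week: 0, host: "recipes.example" },
  { week: 0, host: "recipes.example" },
  { week: 1, host: "gym-reviews.example" },
  { week: 1, host: "run-club.example" },
  { week: 1, host: "news.example" },
  { week: 2, host: "rail-times.example" },
  { week: 2, host: "cheap-flights.example" },
  { week: 2, host: "unknown.example" },
  { week: 3, host: "news.example" },
];

// Demo: at week 4 the "Food & Drink" interest from week 0 has already aged out.
console.log("shared at week 4:", topicsSharedWithSite(SAMPLE_VISITS, 4));
console.log("after user removes News:",
  topicsSharedWithSite(SAMPLE_VISITS, 4, new Set(["News"])));
```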

What does it mean for advertisers? 

If Topics does see the light of day, this is a major change in the way that Google is approaching the targeting of advertising with a significant shift towards a privacy-friendly solution with a continuing focus on interests. If no investigations have been carried out by advertisers into using context as a basis for targeting, now seems like a good time to get started. 

Practically, the deadline for deprecating third-party cookies on Chrome is late 2023. This deadline may or may not move. Google will need the time to ensure that this alternative is well tested and is successful for targeting. 

Successfully leveraging contextual advertising? 

Successful contextual advertising relies on using your compliantly collected first-party data to create segments and profiles. These can then be used to target new prospects using context as the basis for targeting rather than behaviour. Such solutions often rely on data remaining on an individual’s device until the point when they start to consume relevant content – known as edge computing. Back to the future for some of us old enough to remember media buying without any technology!

Google Analytics Processing Data in US – is this a problem?

January 2022

The Austrian DPA has found that continuous use of Google Analytics violates GDPR

Once again, Google is under fire from a regulator in Europe. This time in Austria. 

The Centre for Digital Rights (noyb), which is based in Austria and led by Max Schrems, filed 101 model complaints following the Schrems II decision in 2020. 

Following the complaint about Google Analytics, the Austrian regulator has determined that the continuous use of Google Analytics violates GDPR: 

“The Austrian Data Protection Authority (DSB) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.” Source: noyb

What does Google Analytics do?

Google Analytics operates by using cookies to capture information about website visitors. Google Analytics is free to use and it’s ideal for businesses that want to know more about:

  • Who visits their website
  • How their website is used
  • What’s popular on their website, and what’s not
  • Whether visitors return to their website

What information does Google capture?

You are likely to see a range of Google cookies that do different jobs. Here’s a short list showing some possible cookies that might be used:

  • _ga: Used to distinguish users and retained for 2 years
  • _gid: Used to distinguish users and retained for 24 hours
  • _gat: Used to throttle request rate and retained for 1 minute
  • AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from the AMP Client ID service and retained from 30 seconds to 1 year
  • _gac_<property-id>: Contains campaign-related data for the user. This is used when Google Analytics and Google Ads are connected and retained for 90 days

These cookies range from simple identification to remarketing and advertising cookies which allow you to track and remarket individuals through Google Ads. The more one strays into using this data for remarketing, the more intrusive the data capture becomes. 

What does this mean in reality?

Since the advent of GDPR, the burden to demonstrate that consent has been freely given has become greater. 

In the UK, when the ICO published their cookie (and other technologies) guidance in 2019, many large websites became instantly non-compliant. The requirement to demonstrate that consent had been freely given had become stronger. 

The ICO also clearly highlighted that Performance Cookies (such as Google Analytics) required consent to be used. 

Since 2019, companies have used a variety of methods to notify users about the existence of Google Analytics cookies. Some compliant, some less so. 

It is also clear that many have taken a risk-based approach to what they should do. The ICO’s own guidance provides a level of ambiguity on the topic:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. Source: ICO

What are the issues?

  1. Google is a data processor unless you enable data sharing with Google Ads, at which point you become a shared controller – ensuring that your privacy policies reflect these differing relationships is important. 
  2. Google stores most data in the USA – since Privacy Shield was invalidated this has presented some problems. Google is relying on SCCs (Standard Contractual Clauses) but the main concern is that the US has surveillance laws that require companies such as Google to provide US intelligence agencies with access to their data. 
  3. Google does use data to improve their services. For a user, this can sometimes seem creepy. 

What could Google or US government do?

A rather obvious solution would be for Google to move the processing of EU data outside the US to server centres in Europe where the US government cannot exercise the same surveillance rights as in the US. 

Alternatively, the US government could introduce better protection for private citizens. Although this was unthinkable under the previous presidential regime, it may be conceivable under Biden/Harris. It still feels like a long shot. 

Realistically it’s quicker and more realistic for the Googles of this world to set up data centres in Europe. SaaS providers such as Salesforce addressed this issue years ago and it feels like it’s about time Google and Facebook did too. 

What should you do? 

  1. Make sure you have correctly set up your cookie banner on your website. Technically, visitors should opt-in to Google Analytics and this permission should be captured before any processing takes place
  2. Provide a clear explanation of what data you are collecting and what that data is used for in an accessible cookie notice supported by a coherent privacy policy. 
  3. Make sure you describe all the Google cookies you are using – from simple tracking through to remarketing and advertising. Ideally each cookie would be included including the technical details, duration and purpose.
  4. If you use Google Analytics a number of settings have been introduced that help protect privacy:
    • Turn on the IP anonymising tool. It removes the last three characters of the IP address and renders the address meaningless. 
    • Make use of the data deletion tool – this is a bulk delete tool and can’t be used for one user
    • Introduce data retention policies – there is a default setting of 26 months before data is deleted but maybe you can delete data sooner. 
    • Consider the use of alternative tracking tools that do not rely on the use of cookies or transferring data overseas. A quick search resulted in a non-exhaustive list of analytics tools that don’t rely on cookies. There will be other suppliers: 
      • Fathom
      • Plausible
      • Simple Analytics
      • Insights
      • Matomo
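An audit that checks the two practical points above (consent captured before any Google cookie is set; every Google cookie described in the notice) against the cookie list given earlier. Added example, not Google's or any consent-tool vendor's code: the Set-Cookie lines, the property id and the "now" timestamp are constructed, and it assumes you captured the response headers of a test visit made without consenting.

```javascript
// Added example: audit captured Set-Cookie headers against the Google cookie
// list in the article and the consent state at the time they were set.

// Google Analytics / Ads cookie patterns with the purpose and the retention
// period the article states, in seconds. The _gat suffix form and the
// AMP_TOKEN upper bound (1 year) are the values the article gives.
const KNOWN_GOOGLE_COOKIES = [
  { pattern: /^_ga$/, purpose: "identification", maxAge: 2 * 365 * 86400 },
  { pattern: /^_gid$/, purpose: "identification", maxAge: 24 * 3600 },
  { pattern: /^_gat(_|$)/, purpose: "throttling", maxAge: 60 },
  { pattern: /^AMP_TOKEN$/, purpose: "identification", maxAge: 365 * 86400 },
  { pattern: /^_gac_.+$/, purpose: "remarketing", maxAge: 90 * 86400 },
];

// Parse one Set-Cookie header value into { name, maxAge }; maxAge is null for a
// session cookie. Max-Age wins over Expires, as browsers do.
function parseSetCookie(header, now) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  let maxAge = null;
  let sawMaxAge = false;
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "max-age") {
      maxAge = parseInt(val, 10);
      sawMaxAge = true;
    } else if (key === "expires" && !sawMaxAge) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) maxAge = Math.round((t - now) / 1000);
    }
  }
  return { name, maxAge };
}

// Turn a cookie-notice entry such as "_gac_<property-id>" into a matcher.
function documentedMatcher(entry) {
  const escaped = entry
    .replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
    .replace(/<[^>]+>/g, ".+");
  return new RegExp("^" + escaped + "$");
}

// consent: { analytics: bool, advertising: bool } at the moment of capture.
// documentedNames: the cookie names listed in your cookie notice.
function auditCookies(setCookieHeaders, consent, documentedNames, now) {
  const matchers = documentedNames.map(documentedMatcher);
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h, now);
    const known = KNOWN_GOOGLE_COOKIES.find((k) => k.pattern.test(c.name));
    if (!known) continue; // only Google cookies are in scope here
    const issues = [];
    if (!consent.analytics) issues.push("set before analytics consent");
    if (known.purpose === "remarketing" && !consent.advertising) {
      issues.push("set before advertising consent");
    }
    if (!matchers.some((m) => m.test(c.name))) issues.push("not described in cookie notice");
    if (c.maxAge !== null && c.maxAge > known.maxAge) {
      issues.push(`lifetime ${c.maxAge}s exceeds documented ${known.maxAge}s`);
    }
    findings.push({ name: c.name, purpose: known.purpose, issues });
  }
  return findings;
}

// Constructed capture from a test visit; UA-00000-1 is a placeholder property id.
const NOW = Date.parse("2022-01-15T00:00:00Z");
const SAMPLE_SET_COOKIES = [
  "_ga=GA1.2.111.222; Max-Age=63072000; Path=/; Domain=.example.org",
  "_gid=GA1.2.333.444; Expires=Sun, 16 Jan 2022 00:00:00 GMT; Path=/",
  "_gat=1; Max-Age=60; Path=/",
  "_gac_UA-00000-1=1.1642204800.abc; Max-Age=7776000; Path=/",
  "sessionid=xyz; Path=/; HttpOnly; Secure",
];
// Constructed cookie notice that forgot to list the remarketing cookie.
const NOTICE_COOKIES = ["_ga", "_gid", "_gat"];

console.log(JSON.stringify(
  auditCookies(SAMPLE_SET_COOKIES, { analytics: false, advertising: false }, NOTICE_COOKIES, NOW),
  null, 2));
```

Each finding with a non-empty `issues` array is something to fix before the banner goes live: either the cookie was dropped before consent or the notice does not describe it.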

In conclusion

  • At the moment, this finding by the Austrian DPA does not apply in the UK. However, it’s possible other DPAs may follow suit. 
  • Having said that, there are plenty of lessons to learn about how to work with Google Analytics and other US-based companies who insist on holding data in the US
  • It’s essential that your cookie notice and privacy policy clearly set out what tools are being used and what data is being processed. This is particularly important if you are linking Google Analytics to Google Ads for remarketing. 
  • Given that the world is slowly turning against cookies, maybe now is the time to start looking at less intrusive performance tracking solutions. 


ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be interpreted as a shot across the bows for any Ad Tech company who is planning to launch their new targeting solutions for the post-third-party cookie world. 

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both the Competition and Markets Authority (CMA) and the ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive. 

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data. 
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns with the following which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

You can read the back story here

The state of play in 2021

Since the ICO started its investigations in 2019, the market has continued to develop new ways of targeting advertising that do not rely on third-party cookies. The net result is that the world has moved to a less intrusive way of tracking, which has been welcomed by the ICO. Some examples include: 

  • With Google Chrome’s announcement re: cookies, there is an expectation that third-party cookies will be phased out by end of 2022. 
  • There have been increases in the transparency of online tracking – notably Apple’s “App Tracking Transparency” ATT
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively
  • Browser developers are introducing tracking prevention in their software. A notable example is the Google Privacy Sandbox which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, there is some clear guidance for the way forward for developers of new solutions. 

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that they will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because the Ad Tech solutions have been in place for some time with the data protection guidance being retrofitted to an existing ecosystem. 

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for failing to engineer privacy into the design of those solutions. 

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control and developers must demonstrate that there is user choice through the data lifecycle. 

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem, this is largely impossible to achieve and there is no transparency across the supply chain. 

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, likely through a DPIA, but also explain how those risks will be mitigated. The previous ICO reports indicated their disappointment with the low volume of DPIAs produced by Ad Tech providers. This needed to change. 

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive so a partnership with the CMA will continue. You have been warned!

How did a trade union fall foul of the marketing rules?

November 2021

Unite the Union has been fined £45K over its telemarketing practices

The Information Commissioner’s Office (‘ICO’) has issued a fine to Unite the Union for what it describes as a ‘serious contravention’ of the Privacy and Electronic Communications Regulations 2003 (commonly known as ‘PECR’).

This action follows 27 complaints from individuals who had registered with the Telephone Preference Service (TPS) but received calls from Unite regarding life insurance – services provided to Unite members by a third-party insurer.

Unite believed these calls did not fall within the scope of the direct marketing rules.

What is the Telephone Preference Service?

The Telephone Preference Service (TPS) is the UK’s official ‘Do Not Call’ register for landlines and mobile telephone numbers. It allows individuals and businesses to opt out of receiving unsolicited live sales and marketing calls.

There is also a register for businesses telephone numbers, called the Corporate Telephone Preference Service (CTPS).

What does PECR require?

Regulation 21 of PECR requires a business to have gained prior consent before making unsolicited telemarketing calls promoting a product or service to phone numbers registered with the Telephone Preference Service Ltd (TPS).

Therefore any telemarketing calls to TPS registered numbers without valid consent will contravene PECR requirements.

The ICO’s findings

The ICO asked Unite to provide evidence of consent for these marketing calls. But Unite argued these were not marketing calls and were to let members know about services and benefits they were entitled to.

In their view the calls were made in accordance with their internal ‘Rule Book’. This required Unite to “notify members of the services and benefits that fall within their union membership and any changes to those terms.”

The ICO rejected this and found Unite had contravened PECR on the basis that Unite’s own rules cannot override the statutory protection provided under PECR.

In conclusion, the ICO found that in the 12 months to 11th March 2020, Unite had used a public telecommunications service to make 57,665 unsolicited telemarketing calls to people whose telephone number was registered on TPS.

Whilst individuals were told how to opt-out, they were not provided with the option to give opt-in consent to specific means of communication (such as telemarketing calls) relating to specific types of services or benefits. The ICO also noted the insurance services promoted in the calls were provided by a third-party insurer.

The ICO found that the consent Unite relied on was insufficient, as it provided broad information to data subjects, rather than the specific detail required under Regulation 21 of PECR. They highlighted multiple violations of Regulation 21 over the 12-month period, which resulted in 27 complaints.

Not deliberate

The ICO took the view Unite had not deliberately set out to contravene PECR. However the ICO’s enforcement notice states Unite was ‘negligent’ and failed to take reasonable steps to prevent the contravention.

The ICO also concluded Unite had access to sufficient financial resources to pay the fine without causing undue financial hardship and that its findings were not affected by the current COVID-19 pandemic.

What can we learn from this?

Controllers who conduct telemarketing either in-house or via a third party service provider (like Unite did) should remember that consent is required for any calls made to numbers registered on the TPS.

I would add that consent may not necessarily be required for telemarketing calls to individuals who have NOT registered for TPS or CTPS. Legitimate Interests may be used as an alternative lawful basis, provided the relevant conditions can be met. DPN would advise controllers who wish to consider this lawful basis to conduct a Legitimate Interest Assessment (LIA).

Membership organisations should recognise that they cannot override the requirements under PECR (or any other data protection law, for that matter) by adopting membership rules which are in conflict with the protections the law provides to individuals.

Like any marketing activity involving personal data, care is required to make sure the relevant legal obligations and requirements are satisfied.


If you would like help to ensure your marketing is compliant, please Contact Us.

Why have cookies become such a muddle?

October 2021

What are the challenges and what next for cookie compliance

Some history

It is 10 years since the original EU Directive was adopted which gave individuals the right to refuse the use of cookies that reduced their online privacy.

Back then, people talked a lot about “implied consent” which meant that gaining consent from individuals didn’t seem so hard. Pre-ticked boxes were everywhere. 

Roll on 10 years and two major changes have occurred:

1. The explosion of programmatic advertising which makes heavy use of third-party cookies to segment and target individuals.

2. The introduction of GDPR which strengthened the level of consent required to use cookies. This must be freely given – no more pre-ticked boxes!

The ICO “cookie” guidance

To support the introduction of GDPR level consent, the ICO published its “cookie” guidance in 2019. In this context, “cookies” is short for cookies and similar technologies.

In this guidance it was made clear that unambiguous consent was required for all cookies except essential cookies (i.e. the ones that make your site work properly). 

To be clear, this meant tools such as Google Analytics required consent to process an individual’s data.

Rather unhelpfully, at a macro level, the rather benign anonymised Google Analytics data was bundled together with the rather less benign collection of data carried out by the large Ad Tech providers to target advertising. 

For those wanting to use anonymised analytics data there was a caveat in the guidance which stated: 

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. 

For example, the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action. 

I’ve had a few conversations with clients about whether data processed by Google Analytics is first- or third-party data. I’m inclined to say it’s the former. It’s not used for anything else by Google and they clearly indicate they are a data processor in this capacity. 

In addition, the ICO guidance made clear that inviting users to set cookie preferences in their browser was not considered adequate. 

To put it mildly, businesses were surprised by the hard-line approach taken by the ICO. It wasn’t as if the ICO were slavishly following their EU counterparts – some of the ICO guidance was stronger!

The business response

The upshot was a large swathe of websites became non-compliant overnight, and two years later you will still find a range of approaches to presenting cookie consent. There are four main types:

1. Do nothing: A site has no cookie notice or preference centre at all – increasingly rare but still occurring and clearly non-compliant.

2. Simple cookie notice: A cookie notice plus guidance to setting cookie preferences in the users’ browser. Deemed not compliant by ICO but still used by many.

3. Accept all cookie notice: A cookie notice delivered by a tech provider which sets out the different categories and encourages users to accept or manage their preferences.

4. Accept or Reject cookie notice: A detailed cookie notice, usually provided by a tech provider which sets out the different categories and encourages users to accept, reject or manage their preferences.

There are other permutations – some websites have pre-ticked boxes in the manage preferences section, some websites set cookies before the preferences have been set, the list goes on.  

In short, it’s a muddle and it seems businesses have largely taken a risk-based approach to decide how far to go.

This is obviously dependent on the importance of cookies to each organisation. It’s noticeable that some online retailers have taken quite a flexible view whilst others in highly regulated sectors are tending to be much stricter. 

Are consumers complaining about it? 

From a consumer’s perspective, their main gripe is that they see a wall of cookie notices which they largely ignore in order to get to the website.

However well-meant, the cookie rules have not served their purpose. No one appears to read them. 

There is a further less obvious problem – consumers don’t really understand what they’re signing up for.

There has been plenty of discussion about third-party cookies and how data is widely used for targeting advertising in a non-compliant manner. To date, very little has been done to address those concerns despite the ICO’s ongoing investigation into AdTech. 

Furthermore, if we look at the ICO log of cookie complaints, it remains pretty low at around 450 per quarter in 2021 although it’s increased from around 300 per quarter in 2019. 

Will ePrivacy make any difference? 

It is possible the ePrivacy regulation will soon come into force as negotiations are creeping towards a conclusion. There are a couple of points in this regulation that would certainly help clear the cookie muddle:

1. Allowing for other paths to consent via whitelists in browsers.

2. Allowing limited analytics.

However, as the UK is no longer part of the EU it’s not necessarily the case that we’ll adopt the new regulation. Having said that, we’ll need to create something to update the very old PECR regulation. The pragmatists amongst us might be minded to adopt ePrivacy when it’s approved. 

What about Elizabeth Denham’s intervention with G7?

In September, Elizabeth Denham attended the G7 summit to call on countries to work together to tackle cookie pop-ups.

In particular, she wanted to have a coordinated approach to enforcement to ensure nefarious activities didn’t go unchecked. 

It’s not entirely clear what she was seeking to achieve. After all, the ICO has come in for quite a lot of criticism not least because GDPR/PECR already provides the necessary legislation for enforcement action but, so far, no-one has been fined. 

And now, the Government reform proposals?

DCMS also addressed the cookie issue in its data reform proposals, highlighting two options:

  • Permitting organisations to use analytics cookies and similar technologies without the user’s consent. In other words, treating them in the same way as ‘strictly necessary’ cookies. It’s worth noting that this proposal is included in the most recent EU ePrivacy draft. (It’s accepted further safeguards would be required to ensure this had a negligible impact on user privacy and any risk of harm. It would also not absolve organisations from providing clear and comprehensive information about cookies and similar technologies).

or

  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. An example given is that this could include processing necessary for the legitimate interests of controllers where the impact on privacy is likely to be minimal.

What does this all mean?

  • Sooner or later, something will happen although it’s not entirely clear who will make the first move – ePrivacy or UK government reforms seem the likeliest. 
  • The ePrivacy Regulation will eventually be approved and would address some of the muddle. It would make sense, but its adoption in the UK may become a largely political decision. 
  • In the meantime, it seems that users consider cookies a nuisance rather than really causing any harm.
  • Arguably the main cookie culprits are those using cookies for “nefarious” activities and are collecting third-party data. With Google stopping support for third-party cookies in 2023, this problem effectively goes away.
  • Businesses could help themselves. Many set cookies every time you visit a website. There is no rule to say that it’s required every visit and the barrage would be diminished if a sensible time frame was agreed. 
  • There is silence from the ICO when it comes to enforcement. Now that Covid is becoming less of an issue perhaps a few fines might make people comply? 

Using cookies – why should you bother to get match fit?

April 2021

In 2019, with new guidance, the ICO confirmed GDPR level consent is required for the placing of cookies (unless ‘strictly necessary’). In the same year, the ICO launched their investigation into AdTech and Real Time Bidding.

With the pandemic, the data protection focus has been elsewhere, but now things are moving again:

  • The French CNIL fined Google and Amazon €135m for failing to obtain consent
  • The ICO restarted its investigations into AdTech
  • The Spanish DPA fined Iberia for failing to allow for the option to reject cookies

Yet, in early 2020, a research study from MIT, UCL and Aarhus Universities indicated only 1 in 10 UK websites were compliant!

What does this all mean, and should we care?

The cookie basics

Does your website have a cookie pop-up? Do you have a clear Cookie Notice explaining how you use cookies and similar technologies? Are you collecting consent for the cookies you use?

We’ve all seen the deluge of cookie notifications, some are strictly compliant, others aren’t, and plenty are downright confusing.

Not only that, but should we be thinking about more than just cookies? What about pixels, scripts, fingerprinting and plugins?

What does ‘good’ look like?

In the ICO’s updated Cookie Guidance published in 2019, the Regulator confirmed GDPR standard consent is required for the placing of cookies or similar technology, unless ‘strictly necessary’.

A lot of information can be captured with a cookie, including IP addresses and device IDs. These are deemed to be personal data. The guidance says the following:

  • users should take a clear and positive action to consent to non-essential cookies
  • pre-ticked boxes or sliders defaulted to ‘on’ shouldn’t be used for non-essential cookies
  • non-essential cookies shouldn’t be dropped before you gain consent
  • websites and apps should tell users clearly what cookies will be set and what they do
  • it must be clear what third party cookies you use

In short, the ICO says people should be given control and it isn’t sufficient to tell them to go and change their browser settings.

‘Strictly necessary’ is strictly interpreted

Consent is not required for cookies that are ‘strictly necessary’, but these should be essential to the service you’re providing. The ICO has deemed analytics cookies to be non-essential.

(Interestingly, there’s some discrepancy across European regulators on this point; the French CNIL does not take such a strict interpretation on analytics.)

Where’s the harm?

In the same guidance document, the ICO also states:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals.

This sentence has been interpreted by some to mean analytics which cause low level intrusiveness, where a risk assessment has taken place and where measures have been taken to minimise harm, may be considered acceptable. Confused yet?

Where does Adtech fit in?

Also in 2019, the ICO launched a review into adtech and Real Time Bidding. This was designed to understand how the complexity of the adtech ecosystem presents a threat to the rights and freedoms of individuals.

It was particularly focussed on the compliant use of cookies – particularly 3rd party cookies. This review was paused during the pandemic but is up and running again now.

The more third-party cookies you deploy and the more sophisticated technology you use, the greater the risk of complaints to highlight your non-compliance.

In reality, though, the adtech cookie show has moved on. It’s likely 3rd party cookies will disappear by themselves as the browser companies stop supporting them. Google’s announcement that it would stop supporting third party cookies on Chrome in 2022 sounded the death knell.

What do the public think?

Inevitably people have mixed feelings about cookies. There is increased public awareness about how we are tracked through websites, and some people are becoming savvier about how their data might be being used and shared.

Anyone can use a cookie scanner to check what cookies your website uses, and whether or not you’re being open and upfront about what you do.

Equally there are others who really couldn’t care less.

What steps to take

Practically speaking, it makes sense to tell consumers which cookies are deployed and what they are used for. Anyone without a cookie banner now needs to get their house in order. How rigorous your cookie notice is remains a matter of judgement, informed by a careful risk assessment.

In reality, businesses often find it hard to get organised with cookies because no one team manages them. In the short to medium term here are some pragmatic actions:

  • Understand what cookies are being placed on your website(s) – are they still used?
  • Make sure you have one central point to co-ordinate the management of cookies across the business
  • Categorise your cookies, so you can separate your strictly necessaries from your non-essentials
  • For any 3rd party cookies or other technologies make sure you have some oversight over what happens to the data that is captured from your site
  • For each cookie, review the retention periods and decide how long they should be kept for – some are defaulted to a surprisingly long time
  • Make sure your cookie notice is clear and up to date
  • Decide what level of technology is needed to manage your cookie consent – there are plenty of free consent platforms for small businesses so price is no reason not to
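The first, third and fifth actions above (inventory, categorise, review retention) can be checked mechanically against the Set-Cookie headers a site returns on a first visit. The script below is an added illustration, not code from the original article; the inventory, cookie names, sample headers and the retention threshold are constructed assumptions, and it also flags the ICO point that non-essential cookies should not be dropped before consent.

```python
"""Cookie audit helper (added example, not from the article).
Parses Set-Cookie headers captured on a first page load, classifies each
cookie against a hypothetical central inventory, and flags non-essential
cookies set before consent, unknown cookies, and over-long retention."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed inventory: the single central register the article recommends.
INVENTORY = {
    "session_id": "strictly necessary",
    "csrf_token": "strictly necessary",
    "_analytics_id": "analytics (non-essential)",
    "ad_profile": "advertising (non-essential, third party)",
}
MAX_RETENTION = timedelta(days=365)  # assumed internal policy, not an ICO figure

def retention(morsel, now):
    """Lifetime implied by Max-Age (takes precedence) or Expires; None = session."""
    if morsel["max-age"]:
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - now
    return None

def audit(set_cookie_headers, consent_given, now):
    """Return a list of (cookie name, finding) for every issue spotted."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            category = INVENTORY.get(name)
            if category is None:
                findings.append((name, "not in inventory: purpose unknown"))
                continue
            if "non-essential" in category and not consent_given:
                findings.append((name, f"{category} cookie set before consent"))
            life = retention(morsel, now)
            if life is not None and life > MAX_RETENTION:
                findings.append((name, f"retention {life.days} days exceeds policy"))
    return findings

# Constructed sample: headers as a first visit might return, before any consent.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "_analytics_id=GA1.2.3; Max-Age=63072000; Path=/",
    "ad_profile=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
    "legacy_pref=1; Max-Age=3600",
]
SAMPLE_NOW = datetime(2021, 4, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HEADERS, consent_given=False, now=SAMPLE_NOW):
        print(f"{name}: {finding}")
```

Run against real headers captured with the consent banner still unanswered; every finding is then a gap between the inventory and what the site actually sets.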

In conclusion, providing no help for consumers to understand what cookies are used should be a thing of the past. How you interpret the ICO guidance is a matter of judgement and a risk assessment. So long as you carry out that assessment and are able to explain your decisions, you are in a stronger position than if you did nothing.

Seven Step Ad Tech Guide from DMA and ISBA

May 2020

The DMA and ISBA guide is written for marketers and advertisers, to help them navigate the complexity of handling personal data in Ad Tech.

This guide was written in response to the ICO’s Ad Tech Update which looked into how data was used in auction style Real Time Bidding.

The ICO had identified a number of concerns relating to the protection of the rights of data subjects through the use of Real Time Bidding (RTB) in the programmatic delivery of digital advertising.

As background for the uninitiated, the majority of digital advertising is delivered programmatically (through automation) via a variety of methods including Real Time Bidding (RTB).

RTB is defined as the delivery of programmatic advertising by a real-time auction method. To support this process, there are a myriad of technology solutions (Ad Tech) providers who enable advertisers to identify and target recipients of advertising delivered in real time.

The guide, written in collaboration with the DPN and PwC UK, aims to support UK businesses actively engaged in the programmatic delivery of digital advertising to ensure they protect the rights of data subjects.

It is a practical guide to the seven steps participants can take to ensure they adhere to the legal requirements and demonstrate their understanding of the regulator’s concerns. The DMA and ISBA were able to consult with the ICO during the development of the guide.

It’s designed as a reference with clearly defined sections allowing readers to read the whole document or dip in as the need arises. Where suppliers are mentioned these are noted as examples and are not recommendations.

This guidance is divided into seven clear steps:

1. Education and Understanding – a comprehensive introduction to cookies and programmatic advertising with a detailed glossary of terms.

2. Special Category Data – the ICO highlighted the importance of treating special category data with care and this section steps you through its definition and usage.

3. Understanding the Data Journey – a key challenge is being able to track how data is captured and who processes it. This section explains how to complete a Record of Processing Activities as well as introducing the IAB’s Transparency and Consent Framework.

4. Conduct a DPIA (Data Protection Impact Assessment) – the ICO noted the limited use of DPIAs in Ad Tech. This section sets out to explain what it is, when to use it as well as some pointers to what questions to ask.

5. Audit the Supply Chain – the ICO highlighted that you cannot rely on contracts to provide assurance around the use of personal data. This section provides audit check lists and questions you need answered when auditing suppliers.

6. Measure Advertising Effectiveness – the ICO has queried whether it’s necessary to use all the data collected through Ad Tech platforms. This section provides links to reference materials for improving insights into advertising effectiveness, to allow for a proportionate approach to using personal data.

7. Alternatives to Third Party Cookies – what does a post third-party cookie world look like? This section provides some suggestions about alternative methods of targeting including the adoption of contextual targeting. It also provides references to some industry initiatives which are exploring different ways of targeting in a less intrusive manner.

See the full 7 Step Ad Tech Guide