
Requiem for a Cookie: The Beginning of the End for Current AdTech Models

Perkins on Privacy


Last week, while Americans were preoccupied with carving turkey and baking pies, the privacy world was aflutter with a string of developments in Europe that may drastically affect the future of worldwide website usage and global advertising technology as we currently know it. In short, due to some of the recent positions taken by regulators, "tracking" techniques and cookies as we know them may quickly be saddled with extra compliance requirements.

First, the country of Germany is preparing for its new cookie law to take effect on December 1, 2021. The Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG) [1] should appear familiar to many, as it applies the 2009 EU ePrivacy Directive (EDP) or "cookie directive" to Germany and includes a new consent requirement that is consistent with the EDP. Critically, Section 24 of the TTDSG requires that cookies may only be used on a website if the website visitor has given his or her informed and clear consent.

As organizations finalize establishing the proper cookie consent mechanisms to ensure compliance, however, other recent developments within Europe may yet have an even more existential effect on cookies. On November 23, 2021, the European Parliament Committee on Internal Market and Consumer Protection (IMCO) voted 42-2 to approve the Digital Markets Act (DMA). Aimed at large social media companies, the DMA seeks to "ensure that [large online] platforms behave in a fair way online." [2] The DMA identifies certain large online platforms as "gatekeepers" and the text states that a gatekeeper shall, "for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising," except if there is a "clear, explicit, renewed, informed consent," in line with the General Data Protection Regulation. [3] If the DMA is adopted as currently written, noncompliance with the DMA may include penalties of fines between 4% and 20% of worldwide revenue in the next financial year. [4] The EU Parliament is scheduled to vote on the DMA this December, but the resounding and almost unanimous committee vote in favor of the DMA represents a bold step towards a fundamental shift in how regulators may assess advertising technology techniques and third-party cookies.

The most pointed attack at current digital advertising techniques by far, however, was released on November 25, 2021, when the United Kingdom's Information Commissioner's Office (ICO) published its opinion report on "[d]ata protection and privacy expectations for online advertising proposals." [5] Specifically written "to provide further regulatory clarity on the data protection expectations that [new advertising technology proposals] should meet," the ICO makes clear that "[t]he Commissioner supports the shift to less intrusive approaches to online advertising," and "welcomes efforts" to "move away from the current methods of online tracking and profiling practices." [6] While the ICO acknowledges certain notable browser and software developments that limit the ways users are tracked online, the ICO certainly pulls no punches when it comes to its ultimate goal:

The evolution of cookies and their use for targeted advertising is a cautionary tale of the risks of repurposing technology without also building in safeguards to protect against misuse and harm. Their deprecation is a positive step. [7]

The ICO similarly analyzes and comments on certain notable developments involved with online consent management. Most notably, the ICO analyzed the Global Privacy Control (GPC), a "proposed specification that will allow individuals to notify online services of their privacy preferences." [8] However, because the GPC's draft specification only states that it will convey a "'general request' concerning the sale or sharing of personal data," the ICO concluded that "GPC does not at this time appear to offer a means by which user preferences can be expressed in a way that fully aligns with UK data protection requirements." [9] This stands in stark contrast to trends elsewhere in the world, especially California, where GPC has been accepted as a valid form of opting out. The underlying basis for this difference in view may be based on a multitude of factors (perhaps the UK's opt-in regime vs. California's opt-out approach to cookies is the most significant factor here), but this difference nonetheless reiterates the difficulty companies have in implementing global programs that allow for a universal approach to tracking.

The ICO's report continues to evaluate different developments related to user preferences and ultimately establishes "the Commissioner's expectations" for new advertising technologies, proposing a set of principles that represent the minimum expectations. In short, any new advertising technology proposal must provide users with the following:
  • Data protection by design;
  • User choice;
  • Accountability;
  • Purpose; and
  • Reducing harm. [10]

Taken in combination with each other, these events represent a potential watershed moment in how regulators will treat cookies and advertising technology. While the incremental steps represented through the above developments may individually amount to a minor change in current thinking, their combined effect potentially creates a seismic shift in advertising technology compliance trends and indicates a change in focus from a regulator perspective. Given these developments, it will become increasingly important for companies to consult legal counsel in order to keep abreast of the rapidly changing advertising technology ecosystem and coordinate an effective strategy for maintaining a defensible compliance program.

[1] Telekommunikation-Telemedien-Datenschutzgesetz - TTDSG (Jan. 12, 2021), https://www.buzer.de/s1.htm?g=TTDSG&f=1.
[2] European Commission, The Digital Markets Act: ensuring fair and open digital markets, https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en (last visited Nov. 28, 2021).
[3] Isabel Teixeira Nadkarni, Digital Markets Act: ending unfair practices of big online platforms, European Parliament (Nov. 23, 2021), https://www.europarl.europa.eu/news/en/press-room/20211118IPR17636/digital-markets-act-ending-unfair-practices-of-big-online-platforms.
[4] Id.
[5] Information Commissioner's Office, Information Commissioner's Opinion: Data protection and privacy expectations for online advertising proposals (Nov. 25, 2021), https://ico.org.uk/media/about-the-ico/documents/4019050/opinion-on-data-protection-and-privacy-expectations-for-online-advertising-proposals.pdf.
[6] Id. at 8, 12.
[7] Id. at 20 (emphasis added).
[8] Id. at 26.
[9] Id.
[10] Id. at 43-44.

Perkins on Privacy provides updates and insights on an array of privacy and data security legal issues, brought to you by Perkins Coie’s Chambers-ranked Privacy & Security practice.