Requiem for a Cookie: The Beginning of the End for Current AdTech Models
Last week while Americans were preoccupied with carving turkey and baking pies, the privacy world was aflutter with a string of developments in Europe that may drastically affect the future of worldwide website usage and global advertising technology as we currently know it. In short, due to some of the recent positions taken by regulators, "tracking" techniques and cookies as we know them may quickly be saddled with extra compliance requirements. First, the country of Germany is preparing for its new cookie law to take effect on December 1, 2021. The Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG) [1] should appear familiar to many, as it applies the 2009 EU ePrivacy Directive (EDP) or "cookie directive" to Germany and includes a new consent requirement that is consistent with the EDP. Critically, Section 24 of the TTDSG requires that cookies may only be used on a website if the website-visitor has given his or her informed and clear consent. As organizations finalize establishing the proper cookie consent mechanisms to ensure compliance, however, other recent developments within Europe may yet have an even more existential effect on cookies. On November 23, 2021, the European Parliament Committee on Internal Market and Consumer Protection (IMCO) voted 42-2 to approve the Digital Markets Act (DMA). Aimed at large social media companies, the DMA seeks to "ensure that [large online] platforms behave in a fair way online." [2] The DMA identifies certain large online platforms as "gatekeepers" and the text states that a gatekeeper shall, "for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising," except if there is a "clear, explicit, renewed, informed consent," in line with the General Data Protection Regulation. [3] If the DMA is adopted as currently written, noncompliance with the DMA may include penalties of fines between 4% to 20% of worldwide revenue in the next financial year. [4] The EU Parliament is scheduled to vote on the DMA this December, but the resounding and almost unanimous committee vote in favor of the DMA represents a bold step towards a fundamental shift in how regulators may assess advertising technology techniques and third party cookies. The most pointed attack at current digital advertising techniques by far, however, was released on November 25, 2021, when the United Kingdom's Information Commissioner's Office (ICO) published its opinion report on "[d]ata protection and privacy expectations for online advertising proposals." [5] Specifically written "to provide further regulatory clarity on the data protection expectations that [new advertising technology proposals] should meet," the ICO makes clear that "[t]he Commissioner supports the shift to less intrusive approaches to online advertising," and "welcomes efforts" to "move away from the current methods of online tracking and profiling practices." [6] While the ICO acknowledges certain notable browser and software developments that limit the ways users are tracked online, the ICO certainly pulls no punches when it comes to its ultimate goal:
The evolution of cookies and their use for targeted advertising is a cautionary tale of the risks of repurposing technology without also building in safeguards to protect against misuse and harm. Their deprecation is a positive step. [7]
The ICO similarly analyzes and comments on certain notable developments involved with online consent management. Most notably, the ICO analyzed the Global Privacy Control (GPC), a "proposed specification that will allow individuals to notify online services of their privacy preferences." [8] However, because the GPC's draft specification only states that it will convey a "'general request' concerning the sale or sharing of personal data," the ICO concluded that "GPC does not at this time appear to offer a means by which user preferences can be expressed in a way that fully aligns with UK data protection requirements." [9] This stands in stark contrast to trends elsewhere in the world, especially California, where GPC has been accepted as a valid form of opting out. The underlying basis for this difference in view may be based on a multitude of factors (perhaps the UK's opt-in regime vs. California's opt-out approach to cookies is the most significant factor here), but this difference nonetheless reiterates the difficulty companies have in implementing global programs that allow for a universal approach to tracking. The ICO's report continues to evaluate different developments related to user preferences and ultimately establishes "the Commissioner's expectations" for new advertising technologies, proposing a set of principles that represent the minimum expectations. In short, any new advertising technology proposal must provide users with the following:- Data protection by design;
- User choice;
- Accountability;
- Purpose; and
- Reducing harm. [10]
Print and share
Authors
Explore more in
Perkins on Privacy
Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field.