The ePrivacy Regulation is not yet in place, but cookies and other tracking mechanisms are under scrutiny by Data Protection Authorities (DPAs). It is imperative that organizations understand the implications of cookies and respect consent, paying particular attention to how they collect, store and deploy personal data through their web trackers.
As CEO of Didomi, I was recently invited by the Data Protection World Forum (DPWF) to participate in a panel of experts to discuss consent collection and management, and the value publishers can derive from consent and privacy. I had the pleasure of speaking with Catherine Armitage (World Federation of Advertisers), Laurie-Anne Bourdain (Isabel Group) and Andrew Sharp (Securys Limited).
Let’s review the key points of our “Last Thursday in Privacy” debate organised by PrivSec on May 28, 2020.
What is Consent?
What do we mean by consent? The GDPR is becoming the standard and all-encompassing reference for European countries, defining consent in Article 4(11) as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Our job as a CMP is to ensure all three levels of consent are properly accounted for:
- consent storage: to keep a legal proof of consent and to better understand user behaviour thanks to analytics.
- Consent distribution: making sure publishers transfer consent signals correctly to their vendors. CMPs correctly integrate with vendors by deploying standards to transfer these signals.
This third point is the most difficult to implement. There are ways to systematically audit your website to understand the relationship between cookies and vendors. However, a large company may run an audit on day one, but if a team brings in a new marketing partner the next day, they will bring in ten new vendors, who, in turn, each bring in ten more. Consequently, the company will no longer be compliant on day two.
Nonetheless, regular audits are useful, as they reveal who is dropping cookies, and at what rate. They are a great tool for implementing “privacy by design” and leaving a trail.
Harmonizing Consent Legislation
Each country has their own data protection authorities and guidelines, which makes it particularly difficult to be compliant everywhere, all the time. Should companies try to comply with each country’s legislation separately, or apply the strictest possible set of rules for everyone?
I have followed ePrivacy regulation since the very beginning, with all its ups and downs and many surprises. The good news is that I see a consensus emerging around cookie consent in leading EU countries (with the exception of Spain – so far their DPA has defended scrolling as constituting valid consent, although this position seems to be evolving). I believe that, despite apparent fragmentation, there is more harmonisation, and it is easier for EU companies to interpret the law now than it was just six months ago.
We look forward to the new e-Privacy regulation, but, in the meantime, our role as a CMP is to help clients comply with their local realities, and make things as simple as possible for them.
Legislation aside, the panel all agreed that ethical consent management is a number one priority. The real debate is not about compliance, but building trust – trust with consumers, and with all other members of the chain. Good consent management empowers the consumer, it tells them what is being done with their data and why, creates choice, and allows for a change of mind.
It was noted that cookie banners remain complex, which leads to consumers experiencing “cookie fatigue”. The best practice would be to offer three options: “Accept all”, “Deny all”, “Configure”. But what we mainly see today is “Accept all” and “Configure”. This opacity is pushed by marketing teams who need consent for statistics and analytics, thus this becomes a business issue.
Should I offer the option to refuse on the first page? How should I layer the information? How in depth must this information be? My response would be to prioritise easy user experience: if you can, why wouldn’t you?
Publishers should think about how and when they display cookie consent. The tendency is to immediately collect consent for every cookie, even before the user lands on your website. As a professional, I don’t find this intuitive. As a user, it bothers me. So, from a technological standpoint, I’d like to see some progress here.
But, consent is now effective, and that’s a massive plus for users and companies, as it brings more security to the whole system.
Privacy and Brand Value
Importantly, being ethical isn’t just about “doing the right thing”, it is also an opportunity to build trust with customers and develop brand experience.
The cookie banner is the first thing a user sees on your website, so you should think carefully about presentation and overall UX. It is not one size fits all, and this is why I don’t believe in putting cookie consent in a generic browser. I hope brands will combine UX and UI learnings with consent workflow, and I expect increasing innovation in the coming months, as consent will have to be asked for, alongside the ability to say “no”. Brands will simply have to be more creative, and understand privacy as a powerful customer relationship tool, not just an element of compliance.
Think of Apple. They are the most valuable brand in the world, and privacy is their Number 1 selling point. This is not a coincidence. Privacy isn’t just a legal issue, it is a brand issue.
However, depending on who you are, cookies can have a big impact on your business. If you are an e-commerce merchant and your acquisition depends 50% on retargeting, then there is a clear link between dropping cookies and selling products. Likewise, if you are a media outlet, your monetisation almost entirely depends on personalised advertising, which carries around twice as much value as non-personalised advertising. Didomi is here to accompany all types of publishers, linking cookie consent to brand value.
By Romain Gauthier, Co-Founder and CEO at Didomi
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.