
The Privacy Advisor | Are You Ready for the Cookie Auditing Onslaught? For One, Fingerprinting Won’t Be a Workaround

As the final weeks of summer set in, and kids reluctantly get ready to go back to school, another important change is on the horizon, and if cookie consent is on your work list, you better pay attention.

Starting in October, the French data protection authority (the CNIL) will commence auditing websites, and for the first time ever, it will be able to do so remotely. This was the focus at a panel discussion on Thursday, hosted by Ghostery Enterprise and moderated by its Chief Privacy Officer Todd Ruback, CIPP/US, CIPP/E, CIPT. 

“What was once a hot topic, over time it ceased being a hot topic,” said Hogan Lovells Partner Eduardo Ustaran, CIPP/E. “But now it’s becoming hot again. Cookie consent is a key area of attention and is back on the worry list of many organizations.”

Are businesses cutting corners with their cookie policies?

“That will be revealed soon,” Ustaran said, adding in his analysis, “Indeed, people are cutting corners.”

Quantifying how many organizations are cutting corners is part of the goal of the CNIL, when, next month, it will initiate its “Cookie Sweep Days.” Set to take place between September 15 and 19, the sweep aims to garner a global view of privacy issues around the use of cookies and share the results with other EU data protection authorities (DPAs).

According to the CNIL’s Vincent Toubiana, the sweep is not an official audit, but it may cause one. The real enforcement, however, will take place in October when the CNIL, for one, will start auditing websites.

Toubiana said the agency will first look at what types of cookies and trackers are set on a given website and, importantly, that includes HTTP cookies, Flash cookies and fingerprinting. Toubiana also said the CNIL will look at the purposes for which cookies are being used. For example, is the site editor aware of all the cookies that are set on its website? And are there any cookies that require consent?

More specifically, if cookies on a website do require consent, the CNIL will look at whether a consent mechanism is readily available. Are cookies dropped prior to a user expressing consent? And how does a user express that consent? These will be questions the CNIL will be asking.

Ustaran said one of the biggest problems website operators are struggling with involves the timing of notice and the dropping of cookies. “My gut feeling is that those banners (that provide cookie notice) appear simultaneously as cookies being dropped” onto a user’s device, he said. “Effectively, there is no real choice; you see notice, but you are not taking any action before the cookies are dropped. The sequence should be notice, then consent, then the cookies drop.”

He added, “This is probably the most difficult area from a practical perspective.”

Toubiana also shared some common pitfalls in the cookie consent ecosystem. He said simply informing users is not enough. Users need to take some sort of positive action. Plus, relying on browser settings will not get operators off the hook. He also stressed that device fingerprinting, as a way of replacing cookies, is not a way around the regulations. He said the “cookie regulation” is, in fact, technology-agnostic and “switching to fingerprinting won’t solve the issue at all.”
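The checks described above (no trackers before an explicit consent action, notice alone is not enough, and fingerprinting judged the same as cookies) can be run against a recorded page-load timeline. The script below is an added illustration, not a CNIL tool; its event format and the sample timelines are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Event:
    t: float              # seconds since navigation (constructed format)
    kind: str             # "navigate", "tracker", "notice" or "consent"
    tech: str = ""        # for trackers: http-cookie, flash-cookie or fingerprint
    name: str = ""        # cookie name or tracking script name
    exempt: bool = False  # strictly necessary or exempted audience measurement


def parse_timeline(text):
    """Parse one event per line, e.g. 't=0.35 tracker http-cookie _ga exempt=no'."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        t, kind = float(parts[0][2:]), parts[1]
        if kind == "tracker":
            events.append(Event(t, kind, parts[2], parts[3], parts[4] == "exempt=yes"))
        else:
            events.append(Event(t, kind))
    return sorted(events, key=lambda e: e.t)


def audit(events):
    """Return (name, tech, reason) for every non-exempt tracker dropped before
    the user expressed consent. A banner ("notice") on its own changes nothing;
    only a "consent" event counts. The check is technology-agnostic, so a
    fingerprinting script is judged exactly like an HTTP or Flash cookie."""
    consent_t = next((e.t for e in events if e.kind == "consent"), None)
    findings = []
    for e in events:
        if e.kind != "tracker" or e.exempt:
            continue
        if consent_t is None:
            findings.append((e.name, e.tech, "no consent recorded"))
        elif e.t <= consent_t:  # "<=" also catches the simultaneous case
            findings.append((e.name, e.tech, "set before consent"))
    return findings


# Constructed sample timelines: one site with a consent click, one banner-only.
SAMPLE = """t=0.00 navigate
t=0.12 tracker http-cookie session exempt=yes
t=0.35 tracker http-cookie _ga exempt=no
t=0.40 tracker fingerprint canvas-fp.js exempt=no
t=0.50 notice
t=4.20 consent
t=4.25 tracker http-cookie _ads exempt=no"""
NOTICE_ONLY = "\n".join(l for l in SAMPLE.splitlines() if not l.endswith("consent"))
```

Running `audit(parse_timeline(SAMPLE))` flags `_ga` and the fingerprinting script but not the session cookie or the post-consent `_ads` cookie; the banner-only timeline flags every non-exempt tracker.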

The consequences for noncompliance are not a walk in the park, either. Organizations could face fines of up to 150,000 euros with the possibility of a published sanction. And, as Toubiana pointed out, enforcement is a continuous process. The auditing that will officially kick off in October will continue over the year.

Will organizations that are scrambling right now be given any warning? Yes, but the warning may be public. Those that are warned, however, will have time to reach compliance prior to being fined. To help, the CNIL also offers a toolbox for website operators, including cookie visualization tools, exempted audience measurement tools, cookie-consent scripts for Google Analytics and “privacy-friendly” social widgets.

And why all this attention now, years after the Cookie Directive?

Ustaran said there are two main reasons.

“I think all reasonable regulators will say this directive has been out there for a while, so come on guys, get your act together,” he said. And secondly, “We are all seeing a reliance on profiling, online behavioral advertising—it’s now or never. Either it’s enforced now or ignored forever.”

He added, “The next six months will be crucial.”

1 Comment

  • Mike • Aug 22, 2014
    There has been fully working technology for websites to easily comply with the e-privacy Directive for over 3 years. CookieQ, introduced in May 2011, always correctly supported prior consent. It did this by directly managing 1st party cookies and DOM storage, and used tag management to selectively enable 3rd party cookies and cookie-less tracking technologies like Local Data Objects and fingerprinting. Our subsequent development of the web-based dashboard for instantaneous configuration, multiple language support, built-in forensic website auditing showing all cookies and other trackers, granular consent control, and other features has made it the tool of choice for websites across Europe, including those of Fortune 100 companies. Because we do not collect PII, and are not part of the advertising ecosystem, companies can be sure that their data is never shared with competitors.