The IAPP has upgraded its cookie management tool. The upgrade allows the IAPP to manage cookies more seamlessly through the tool’s cookie-detection features. The IAPP is keeping opt-in consent for first-party analytics and marketing cookies for site visitors from the European Union and United Kingdom, and is now offering an opt-out experience for site visitors from all other regions.

Test and learn

Before the EU General Data Protection Regulation became applicable in May 2018, the IAPP’s website — like most other websites — showed a cookie banner that gave notice of cookies, with consent implied by the visitor’s continued navigation. Because the GDPR defines “consent” as an affirmative act (opt-in, with no pre-ticked boxes), the IAPP customized its cookie tool to require affirmative opt-in from all site visitors for first-party analytics cookies (we use Google Analytics) and for marketing cookies that connect site visits to a person’s clicks in emailed newsletters (we use Marketo for bulk email).

We observed that most site visitors continued to ignore the banner. Because the global default was to not set these cookies without affirmative consent, the IAPP’s site analytics were severely affected. To be blunt, as an organization focused on delivering meaningful content to our members, principally via our website, our web analytics have been effectively useless in helping our content teams determine which types and topics of content members and visitors find most useful.

We also found that maintaining the tool put significant strain on our technology department, given that we had heavily customized the tool in 2018. In the intervening 24 months, the tool underwent significant upgrades and development, and the IAPP evolved its own appetite to respond to privacy regulations consistent with the jurisdictions in which our customers live.

The cookie tool now detects a website visitor’s geolocation from the IP address, at country level. The lookup happens in the browser when the visitor first loads the site, is used only to select which version of the banner to show, and is not stored. If the visitor’s location is detected as EU or U.K., the visitor sees the “GDPR” version of the cookie tool, which does not place performance (analytics) or marketing cookies unless the visitor clicks a global “Accept” button in the banner. Consistent with the CNIL’s recent guidelines, which require that refusing cookies be as easy as accepting them, the banner also offers a global “Don’t Accept” option, as well as the opportunity to review and set cookie preferences (opt-in) per category at a more granular layer within the tool.

Site visitors from outside the EU/U.K. also see a banner, but in this version the performance and marketing cookies are set by default. The banner lets them “Accept” cookies globally or manage them at a second, granular layer where they can opt out of performance cookies, marketing cookies, or both.

The “GDPR” version and the “non-GDPR” version both set strictly necessary cookies without consent.
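The region-based logic described above, written out as an added JavaScript example (this is not the IAPP’s tool or its vendor’s code). It assumes an ISO 3166-1 alpha-2 country code from the geolocation lookup, an EU-plus-U.K. country list, the category names “necessary”, “performance” and “marketing”, and that gated scripts are held back in the page as inert tags with a `data-cookie-category` attribute; the falling back to opt-in when the lookup fails is likewise an assumption, chosen as the safer default. The script-selection step is shown without the DOM so it can be checked offline.

```javascript
// Added example, not the IAPP's own code: region-based consent defaults and
// consent-gated script loading. Country list, category names and the
// data-cookie-category attribute are assumptions for illustration.

// EU member states plus the United Kingdom (ISO 3166-1 alpha-2). Assumption:
// the tool's "EU or U.K." check is equivalent to membership in this set.
const OPT_IN_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'GB',
]);

// Cookie categories the banner lets the visitor control; "necessary" is
// never gated and is always set, in both banner versions.
const GATED_CATEGORIES = ['performance', 'marketing'];

// Choose the banner variant from the country-level geolocation result.
// Assumption: a missing or unusable code falls back to opt-in, the safer default.
function consentMode(countryCode) {
  if (typeof countryCode !== 'string') return 'opt-in';
  return OPT_IN_COUNTRIES.has(countryCode.toUpperCase()) ? 'opt-in' : 'opt-out';
}

// Consent state before the visitor touches the banner: gated categories are
// off under opt-in ("GDPR" version) and on under opt-out (all other regions).
function defaultConsent(countryCode) {
  const preChecked = consentMode(countryCode) === 'opt-out';
  const state = { necessary: true };
  for (const category of GATED_CATEGORIES) state[category] = preChecked;
  return state;
}

// Apply a banner action. 'accept' and 'reject' are the global buttons;
// 'granular' takes the second-layer choices, e.g. { performance: true }.
// Categories absent from a granular choice are treated as refused.
function applyChoice(state, action, granular = {}) {
  const next = { ...state, necessary: true };
  for (const category of GATED_CATEGORIES) {
    if (action === 'accept') next[category] = true;
    else if (action === 'reject') next[category] = false;
    else if (action === 'granular') next[category] = Boolean(granular[category]);
    else throw new Error(`unknown banner action: ${action}`);
  }
  return next;
}

// Select the gated tags that may run under the current state. Each tag is
// { category, src }, a stand-in for
// <script type="text/plain" data-cookie-category="..." src="...">; in a
// browser each selected tag would be re-created as a real script element.
function scriptsToLoad(state, tags) {
  return tags.filter((tag) => tag.category === 'necessary' || state[tag.category] === true);
}

// Constructed sample of the tags a page might hold back (paths are made up).
const SAMPLE_TAGS = [
  { category: 'necessary', src: '/js/session.js' },
  { category: 'performance', src: '/js/analytics.js' },
  { category: 'marketing', src: '/js/newsletter-tracking.js' },
];

// End-to-end: geolocation -> default state -> banner action -> scripts allowed.
function scriptsAfterChoice(countryCode, action, granular) {
  const state = applyChoice(defaultConsent(countryCode), action, granular);
  return scriptsToLoad(state, SAMPLE_TAGS).map((tag) => tag.src);
}

// Usage: a visitor in France ignores the banner, a visitor in the U.S. opts
// out of marketing only.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(scriptsToLoad(defaultConsent('FR'), SAMPLE_TAGS).map((t) => t.src));
  console.log(scriptsAfterChoice('US', 'granular', { performance: true, marketing: false }));
}
```

The point of keeping the gated scripts inert until `scriptsToLoad` runs is that a visitor who ignores the banner in the opt-in version never has the analytics or marketing code executed at all, rather than having it run and then trying to suppress its cookies afterwards.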

First-party analytics cookies

The role of first-party analytics cookies was debated well before May 2018. Prior to the GDPR’s effective date, and in response to the member states’ implementation of the ePrivacy Directive, the Article 29 Working Party’s Opinion 04/2012 on Cookie Consent Exemption (WP 194) addressed concerns relating to first-party analytics cookies. It noted they “are not likely to create a privacy risk when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user-friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms.”

The IAPP maintains an updated tracker of regulators’ post-GDPR cookie guidance. It shows that some data protection regulators, such as France's Commission nationale de l'informatique et des libertés, have analyzed the role of first-party analytics cookies for website publishers in depth and have signaled their comfort with the use of these cookies without prior opt-in consent, provided the data collected stay with the website publisher only: they are not shared with third parties and do not track visitors across sites.

Nonetheless, as this comfort level is not consistent across all EU member states, the IAPP is maintaining a universal opt-in standard for first-party analytics cookies for all site visitors from the EU and U.K.

Small business impact

Privacy regulation in the United States has traditionally been sectoral, principally covering health care and financial services. As a comprehensive data protection regulation with extraterritorial reach, the GDPR forced companies doing business in the EU and U.K. to adjust their data-processing practices, regardless of sector or size. Because the ePrivacy Directive and the member state laws implementing it borrow their definition of consent from the general data protection law, the GDPR’s Article 7 “Conditions for consent” now governs cookie consent as well, adding a cookies compliance lift to the work of adjusting to the GDPR.

The business implications were and are significant. Even several years after developing GDPR compliance systems and practices, the IAPP could not call itself “fully compliant” and, indeed, perhaps no one should. In the IAPP-EY 2019 Privacy Governance Report, 31% of U.S. respondents reported they were “moderately” compliant with the GDPR, and only one in four (27%) claimed to be “very compliant.”

One reason for this is the complexity of the regulation and the evolving guidelines on how to interpret and apply it. For instance, the IAPP’s cookie guidance tracker was updated as recently as October 2020.

The other reason is the role of technology in cookie compliance. Reinstalling the cookie tool has taken between 250 and 300 hours of IAPP personnel time in 2020 alone. This is not because the tool isn’t intuitive. It is simply a complex project with multiple decision points, involving team members from across the organization (information technology, marketing, website design, privacy, management, and so on).

The IAPP anticipates that the updated cookie tool will improve our website’s content and navigation as we grow to better understand how our visitors interact with the site.

We’ll be sure to let you know.