News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

DPO Confessional | Changes in IAPP's cookie tool Related reading: IAPP updates its privacy notice

rss_feed

""

The IAPP has upgraded its cookies management tool. This change will allow the IAPP to more seamlessly manage cookies through the tool’s cookie-detection features. The IAPP is maintaining the opt-in features for first-party analytics and marketing cookies for site visitors from the European Union and United Kingdom but is now offering an opt-out experience for site visitors from all other regions.

Test and learn

Prior to the implementation of the EU General Data Protection Regulation in the summer of 2018, the IAPP’s website — like most other websites — offered a cookie banner that provided notice of cookies with consent implied by the visitors’ continued navigation. Given the GDPR’s definition of “consent” as affirmative (opt-in with no pre-ticked boxes), the IAPP customized its cookie tool to offer this feature to all site visitors for first-party analytics cookies (we use Google Analytics) and marketing cookies that connect site visits from a person’s clicks in emailed newsletters (we use Marketo for bulk email).

We observed that most site visitors continued to ignore the banner. Because the global default was to not set these cookies without affirmative consent, the IAPP’s site analytics were severely affected. To be blunt, as an organization focused on delivering meaningful content to our members, principally via our website, our web analytics have been effectively useless in helping our content teams determine which types and topics of content members and visitors find most useful.

We also found that maintaining the tool put significant strain on our technology department, given that we had heavily customized the tool in 2018. In the intervening 24 months, the tool underwent significant upgrades and development, and the IAPP evolved its own appetite to respond to privacy regulations consistent with the jurisdictions in which our customers live.

The cookie tool now allows for the detection of a website visitor’s geolocation by IP address (set to country level). This data is detected at the browser level when the user first hits the website but is not stored. If the user’s location is detected as EU or U.K., the user sees the “GDPR” version of the cookie tool, which does not place performance or marketing cookies unless the user hits a global consent “Accept” button in the banner. Consistent with the CNIL’s recent guidelines, the user is also offered a global “Don’t Accept” option in the banner, as well as the opportunity to review and set cookie preferences (opt-in) at a more granular layer within the tool.

Site visitors from outside the EU/U.K. are also provided with a banner that allows them to “Accept” cookies globally or manage them at a second layer granularly where they can opt-out of either performance or marketing cookies or both.

The “GDPR” version and the “non-GDPR” version both set strictly necessary cookies without consent.

First-party analytics cookies

Wrestling with the role of first-party analytics cookies is not a topic arising solely after May 2018. Prior to the GDPR’s effective date, in response to various member states’ implementation of the ePrivacy Directive, the Article 29 Working Party opinion 194 addressed concerns relating to first-party analytics cookies. It noted they “are not likely to create a privacy risk when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user-friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms.”

The IAPP maintains an updated tool for following regulators’ post-GDPR cookie guidance, which demonstrates that some data protection regulators, such as France's Commission nationale de l'informatique et des libertés, have extensively analyzed the role of first-party analytics cookies for website publishers and signaled their comfort with the use of these cookies without requiring prior opt-in consent provided the data collected live with the website publisher only (are not shared with third parties and do not track across sites).

Nonetheless, as this comfort level is not consistent across all EU member states, the IAPP is maintaining a universal opt-in standard for first-party analytics cookies for all site visitors from the EU and U.K.

Small business impact

Privacy regulation in the United States has traditionally affected only certain sectors, principally health care and financial services. As a comprehensive data protection regulation and one that applies extraterritorially, the GDPR forced companies doing business in the EU and U.K. to adjust their data-processing practices, regardless of sector or size. Its Article 7 “Conditions for consent” implicated the ePrivacy Directive and member state laws implementing it, forcing a corresponding cookies compliance lift on companies adjusting to the GDPR.

The business implications were and are significant. Even several years after developing GDPR compliance systems and practices, the IAPP could not call itself “fully compliant” and, indeed, perhaps no one should. In the IAPP-EY 2019 Privacy Governance Report, 31% of U.S. respondents reported they were “moderately” compliant with the GDPR, and only one in four (27%) claimed to be “very compliant.”

One reason for this is the complexity of the regulation and the evolving guidelines on how to interpret and apply it. For instance, the IAPP cookie guidance was updated as recently as October 2020.

The other reason for this is the role of technology in cookie compliance. Reinstalling the cookie tool has involved between 250 and 300 hours of IAPP personnel time in 2020 alone. This is not because the tool isn’t intuitive. It’s simply a complex project with multiple decision points, involving team members from across the organization (information technology, marketing, website design, privacy, management, etcetera).

The IAPP anticipates that the updated cookie tool will improve our website’s content and navigation as we grow to better understand how our visitors interact with the site.

We’ll be sure to let you know.


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Rita Heimes, CIPP/E, CIPP/US, CIPM IAPP Staff Contributor
Tags
Privacy Law
Privacy Operations Management
Westin Research Center
2 Comments

If you want to comment on this post, you need to login.

  • comment Mila Dimitrova • Nov 16, 2020 
    Have the very same experience with CMP implementation. Thank you for sharing.
  • comment Damyan Todorov • Dec 1, 2020 
    Thank you for sharing. Even such "plain" web functionality highlights the complexity of privacy engineering.
Related Stories
IAPP updates its privacy notice
According to research conducted in late 2019, 80% of respondents have updated their organization’s privacy notice one or more times in the last 12 months. Well, it's time for the IAPP to do it, too. In 2018, the IAPP conducted a major overhaul of its privacy notice to coincide with the implementatio...
Read More queue Save This
How to gain true compliance with cookie requirements
In terms of core requirements, the European Court of Justice made it clear in its 2019 Planet 49 judgment (in line with the EU General Data Protection Regulation and ePrivacy Directive) that for EU website visitors, informed and affirmative consent is required prior to placing all but “essential” co...
Read More queue Save This
CJEU clarifies cookie consent requirements
5
On Tuesday, the Court of Justice of the European Union issued a highly anticipated ruling on the scope of consent requirements with respect to cookie compliance. While the key points of the decision did not come as a big surprise to the privacy community, it will likely require many website operator...
Read More queue Save This
Related Stories
Tags
Privacy Law
Privacy Operations Management
Westin Research Center
Recent Comments