TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

DPO Confessional | Cookies and consent at the IAPP Related reading: Data-processing agreements from 30,000 feet

rss_feed

""

Today, the IAPP launched a new cookie notice and cookie consent tool. The process of creating this notice and tool took several months and involved a cross-departmental team with members from marketing, privacy/legal, and (most significantly) IT. We thought it might be interesting to hear about the IAPP’s analysis and operational steps taken in creating its cookie notice and building the consent tool. Hopefully, there are takeaways for your organization.

Legal analysis

The European Union’s General Data Protection Regulation says nothing, directly, about “cookies” — small data files stored by a website on a user’s computer or mobile device. It does, however, say quite a bit about consent, including listing it as one of the lawful bases for data processing under Article 6; defining it in Article 4 as any “freely given, specific, informed and unambiguous indication of a data subject’s wishes”; and requiring in Article 7 that it be presented separate from other matters in “an intelligible and easily accessible form, using clear and plain language.”

It’s the ePrivacy Directive that addresses cookies directly, requiring in Article 5(3) that (under member state law) organizations obtain prior informed consent for storage or for access to information stored on a user’s terminal equipment (e.g. websites must ask users if they agree to accept cookies, web beacons, etc., before they are placed). “Strictly necessary” cookies and those used solely for carrying out communication transmission are exempt from the consent requirement.

Prior to the GDPR, valid “consent” under the ePrivacy Directive — as implemented in member states’ laws — was widely interpreted to be met with a visible pop-up notice announcing the use of cookies, followed by the user’s continued use of the site. Whether this was legally sufficient was never officially challenged, but, post-GDPR, it is no longer popular to assume implied consent from ongoing use of the website. Instead, given GDPR’s requirement of “specific, informed, and unambiguous indication” of consent, many organizations are requiring users to affirmatively interact with the cookie banner, if not use a consent tool, too.

The cookie consent recipe

We’re not afraid to admit that the first places we went for guidance were other organization’s websites. Indeed, we assume that privacy professionals may look to the IAPP’s example to model best practices.

FieldFisher law partner Phil Lee’s blog on “GDPR + e-Privacy = :-(“ provides an excellent background of the law, policy, and practice of cookie consent, while also underscoring the uncertainty surrounding this issue post-GDPR and pre-ePrivacy Regulation. For that reason, we looked to the fieldfisher.com site for insights. We also looked to the U.K. Information Commissioner’s Office website, as well as to other leading data protection law firms’ and data protection authorities’ websites.

In general, there seems to be a three-part recipe for modern cookie consent:

  • Cookie notice: Separate from the privacy notice, this policy describes what cookies are used and why, how long they are stored, and how a user can manage them (if at all).
  • Cookie consent tool: This tool allows a site visitor to quickly turn off (or on) cookies, depending on their preferences. Its icon is often visible persistently on each web page.
  • Cookie banner: It pops up prominently and announces the site’s use of cookies, including links to the notice and the tool. This requires user interaction to disappear, ideally an indication of “I accept” rather than clicking an “x” to close.

Many cooks in the kitchen

Creating the three-part package is not the DPO’s job alone. Far from it. Like almost everything in privacy, following the cookie consent recipe requires participation from many people representing different departments and disciplines.

At the IAPP, we pulled together a team from marketing, privacy/legal, and IT. We had to fully understand, as a preliminary matter, which cookies are set by use of the iapp.org website (first party cookies) and which cookies (if any) are set by third parties when a user visits our site. We also needed a better understanding of how Google Analytics works and what aspects of the web traffic analysis process can be anonymized.

In particular, we wanted to ensure that data like IP addresses would not be stored in Google Analytics even after the user has accepted the placement of cookies. Fortunately, Google provides a mechanism for anonymizing IP addresses before any storage or processing take place. But this feature is not enabled by default and did require some configuration.

The IAPP — like many organizations — also uses marketing software that gathers data from website users to help the IAPP understand users’ interests in our content, products, and services. These tools were easy to identify.

But hidden in our association management system were cookies we don’t place and didn’t initially understand. Investigation of the “AddThis” cookie suite revealed that they are part of a fixed package that the IAPP cannot turn off independently, and that they interact with users’ social media content often at the user’s election. As we wrote the cookie notice and built the tool, therefore, we had to decide how to characterize these cookies (as social media plug-ins, some of which are exempted from consent, or as advertising cookies — which clearly aren’t exempted — that the user will have to affirmatively reject through a series of steps). We debated and elected the latter.

Our cookie notice went through multiple drafts as we worked to make complicated technical language more readily accessible, to eliminate extraneous or even erroneous information about the cookies’ personal data collection and storage, and to ultimately simplify the notice without sacrificing transparency.

We also had to select a cookie tool that fit our needs and settled on Cookie Control v8 by Civic. The tool is set to hold preferences for 90 days before asking the user to refresh them.

Final copy and display ultimately required marketing department input for brand consistency and website placement.

Biggest challenges

Finding and labeling all the cookies was one major challenge. So was pulling together multiple players and keeping the project on schedule. For this, we assigned a project manager from IT to continuously confirm that each player was advancing the project. Making the project an IT priority was also a challenge, but one resolved by leadership’s declaration that data protection — and our cookie notice in particular — are vitally important to the IAPP’s relationship with its members and its global brand. That helped elevate the cookie project over competing ones.

There were technical challenges as well. Configuring the tool to work correctly on our site required a measure of custom coding and plenty of testing. Although we opted to start with Civic’s Cookie Control package rather than build a tool from scratch, we couldn’t use any of its ready-made CMS plugins due to the complexities of our systems. Similarly, because we use Google Tag Manager as a single tool for setting both analytical and marketing cookies, there were additional configuration changes needed to allow users to pick and choose which types of cookies they would accept.

The final step before launch was achieving sign-off from the highest levels of management. This turned out not to be challenging because of the prior work by many parties and the deliberate, collaborative process.

What remains is to see how the tool affects our users’ experience and our marketing and analytics capabilities. Will it hinder our insights into our site users’ interests, thereby depleting our capacity to anticipate their needs? Will most users click “I agree” without clicking on the tool? Will anyone — other than privacy pros looking for a sample — actually read the cookie notice?

Let us know what you think by submitting comments below or reaching out to us directly.

13 Comments

If you want to comment on this post, you need to login.

  • comment Stefanie Deuber • Aug 3, 2018
    thank you! this is very helpful (and makes me feel better as my organization struggled thru the same challenges)
  • comment Xavier Le Hericy • Aug 3, 2018
    I'll second Stefanie's comment.  I also much appreciated the distinction you made between the different types of cookies, although the nerd in me would have like to see a list of the cookies in each category.
  • comment A. A. Jullien • Aug 3, 2018
    Some marketing teams [probably mine will be included...] use products that implement pixel tracking which I believe should also be disclosed or explicitly turned off by IT teams.  Here's a nice definition:  
    
    A tracking pixel (also called 1x1 pixel or pixel tag) is a graphic with dimensions of 1x1 pixels that is loaded when a user visits a website or opens an email, and is used to track certain user activities. With a tracking pixel, advertisers can acquire data for online marketing, web analysis or email marketing.
    
    The cookie vendors are out there doing all types of variations!  These functions are often discovered when reviewing Master Service Agreements, and writing a unique statement of work.  The Devil is in the Details!
  • comment Pernille Tranberg • Aug 4, 2018
    Didn't you consider have NO third party cookies at all on your website? I see an emerging trend that websites who listen to their users (think of how big adblocking is) or just want to protect their users, they abandon third party cookies. Edulab.com who has a portal for children www.matematikfessor.dk don't have thirdparty cookies - including no so-me-plugins - to protect children. The same with LEGO.com and all their sites aimed at children. We don't have it at dataethics.eu either (I know it CAN happen without your knowledge but we try to keep an eye on it). Most people don't share content via plugins anyway (but share in other ways like via the browser or directly with the URL) and there are many good alternatives to Google Analytics, so it is possible. And cookies.... aren't they becoming old school, belonging to an internet business model that many of us don't like?
  • comment Jay Libove • Aug 4, 2018
    From the perspective of a privacy-sensitive (IAPP member since 2007...) user, who installs lots of ad-blocking and privacy-protective browser technology add-ons, I notice that the cookie control tool chosen by the IAPP works a bit better than most, though I do think that the blockers that I use cause a problem alluded to by Pernille Tranberg in a comment a short while ago - that using any 3rd party cookie at all runs afoul of the strongest pro-privacy settings, causing cookie consent tools to become a nuisance. Oracle's is among the worst, taking a long time to finally fail due to its insistent reliance on 3rd party cookies. (Another, I don't know by whom, gives a must-click-off-one-by-one extremely long list of 3rd parties; that has to fail the intent if not the letter of the GDPR by making the privacy choice experience much too cumbersome). The IAPP's tool is quick and easy. However, I do think that my blockers cause it to re-appear much more often than it should.
  • comment Andor Demarteau • Aug 6, 2018
    I haven't come across the new cookie banner yet. I hope that all the non-necessary (non-functional) cookies are switched off by default.
    And yes that includes all analytics stuff as well.
    Interestingly something I spot going wrong with a lot of websites having cookie controls.
    Here the privacy-by-default (article 25 GDPR) clearly shows the benefit for the site visitors I believe.
  • comment Andor Demarteau • Aug 6, 2018
    Additional notice, specifically on the event registration bit: assuming that that software is fully hosted or hosted as processor on behalf of the IAPP as controller, the opt-out for the (a)social media cookies there is not sufficient and in breach of the E-Privacy directive / GDPR consent mechanism.
    Good to see though the marketing and analytics cookies are off by default (as they should be).
  • comment Justin Snow • Aug 6, 2018
    Does iapp plan on making this tool available for it's members to use in their organisations?
  • comment Stephen Schoepke • Aug 6, 2018
    Pernille, thank you for sharing this valuable perspective and feedback. As an engineer, I love black-and-white answers as they are the easiest to build for. But to respond to your question, removing all third-party cookies across the board would not be practical for us since cookies are nearly ubiquitous throughout web-based SaaS platforms—certainly those which allow members to log in, manage preferences, and add items to a shopping cart—most of which require them to function (old school or no). I do have one question for you though, and forgive me if I am misunderstanding: do you not consider the cookies set by Jotform on Data Ethics’ event registration forms to be third-party?
  • comment Stephen Schoepke • Aug 6, 2018
    Justin, the tool we’re using isn’t our IP, so I don’t think we can distribute it to members. Most of the code belongs to Civic with some of our own code to make it work in our specific software environment and to customize its branding and behavior. I do, however, plan to publish another article quite soon exploring the technical challenges of implementing a cookie consent tool and highlighting some of the offerings that are available if you don’t want to build from scratch. In the meantime, I can tell you that Civic does offer a free version of its Cookie Control tool, as well as two inexpensive paid versions, on its website: https://www.civicuk.com/cookie-control
  • comment Christophe Baur • Aug 8, 2018
    Indeed GDPR text says nothing directly about cookies there are many principles developed targeting cookies practice, non-exhaustive list incudes: transparency, purpose limitation, data retention management, consent and privacy-by-design requiring some sort of action from users regarding cookies placement.
    
    Immediately after May 25th I visited the ICO web site and much appreciated the way they manage cookies placement: transparent, easy to read and understand for the audience. 
    
    I am a strong advocate for cookies management and you should remember WEB site and cookies management are your front door and often your first point of contact with potential customers. Demonstrating strong cookies policy and management will help you gain and retain customers through inspired trust.
  • comment Emma Butler • Aug 13, 2018
    Does the Civic tool provide a cookie audit feature, where it identifies all the cookies and other tracking on your websites?
  • comment Stephen Schoepke • Aug 13, 2018
    Emma, Civic does not provide a cookie audit tool. However, I will discuss how to audit your applications for cookies and other tracking technology in an upcoming article for Privacy Tech. Stay tuned!