Greetings from Portsmouth, New Hampshire!

Sound familiar? It should. I’m spending an extended stay on the other side of the pond at IAPP HQ with colleagues, as well as squeezing in a week vacation with my family who traveled over from Brussels this past weekend. Let’s start gentle here: New Hampshire, sandwiched between Massachusetts and Maine, is quite simply a “nature feast” on its own terms. It’s covered with myriad lakes and rivers and a vast expanse of woodlands, mountains and valleys. It also has the ocean at its eastern perimeter; you couldn’t ask for more from Mother Nature. It’s an outdoor paradise. On another note, from a historical perspective, New Hampshire can also boast that of the 13 original North American colonies, it was the first to declare its independence from England in January 1776 — a full six months before the Declaration of Independence was signed. Perhaps appropriately, the state motto is “Live Free or Die.”

This week in European privacy, the talk about town was the statement issued by the CNIL (28 June) on its website citing online advertising as the top priority for 2019. Having already issued formal notices to four companies in 2018, was this ever in doubt? The CNIL is seemingly planting a stake and sending affirmative signals that it has the adtech business in its sights. For context, it is known that the CNIL has received an important number of individual, as well as collective, complaints (La Quadrature du Net, Privacy International, NOYB) relating to online marketing practices. In 2018 alone, 21% of the complaints received were related to marketing in the broad sense. Furthermore, there has been a growing demand from professionals and companies alike operating in and around the marketing industry for a better understanding of their obligations under the GDPR. 

Add to the complexity that the European online marketing sector is subject to two distinct regulations — the GDPR, as well as the respective member state laws that encompass the ePrivacy Directive — imposing demanding and varied conditions on, for example, consent. As is known, the long-awaited ePrivacy Regulation is still being debated by EU legislators. When that becomes a reality, though unlikely to be adopted before 2020, parts of the ePrivacy Regulation will take precedence over certain provisions in the GDPR. The current state of affairs is causing acute uncertainty for the adtech and related marketing industries.

To support stakeholders in their compliance strategies, the CNIL has drawn up a “two-step” action plan for 2019–20. In July, the CNIL will repeal its 2013 cookie guideline that has become outdated in some respects, particularly in what concerns the expression of consent. The CNIL will then adopt and publish a new set of guidelines that align with the GDPR’s definition of consent and in accordance with the EDPB’s guidelines on consent, which preclude the concept of implied consent. The CNIL will give stakeholders a transitional period of 12 months to allow a reasonable timeframe to comply with the new principles that diverge from the previous recommendations.

A second step will consist of launching a consultation process with stakeholders across the marketing ecosystem and with civil society through their representative organizations to develop new recommendations relating to the operational impact of collecting valid consent as provisioned under the GDPR. It will seek to publish those recommendations for public comment by the end of the year or early 2020 at the latest.

We will all have to sit up straight on this one; it will be a busy end-of-year for those stakeholders concerned.