
The Privacy Advisor | Scared of CNIL's Cookie Sweep? Make It an Opportunity


When the cookie directive passed in 2009, Struan Robertson famously wrote about how “breathtakingly stupid” this law was. I argued for better and more responsible marketing processes as international chair of the Digital Analytics Association.

Five years later, as the French Data Protection Authority (DPA), the CNIL, has warned of an Internet cookie sweep, following in the footsteps of the Spanish DPA, digital marketers are finally waking up to the responsibilities lying ahead.

I’ve been a digital analyst for the past 15 years, installing and upgrading trackers, setting up tools and automated dashboards, and using APIs to push data from one tool to another. I’ve witnessed a serious lack of process: access to accounts remaining open years after a project had finished, marketing departments not understanding that they might be infringing the tools’ terms of service, old trackers remaining active after the tools had been discontinued, and personal data being picked up without any form of consent. It’s fair to say that when it comes to trackers and analytics tools, and digital in general, processes and responsibility chains are horrendously lacking.

If anything, the CNIL’s initiative should be seen as an audit opportunity, a way to turn on the light about online data collection. Such audits allow you to understand what data is being collected (you’d be surprised at how many discontinued tools sectors such as telcos still have active) and also to align with the tools’ terms and conditions. Of the roughly 20 million active Google Analytics accounts, my bet would be that less than five percent of companies actually know that this free tool defines itself not only as a processor but also as a data controller: They own the data.

Back in 2009, the UK Information Commissioner's Office (ICO) measured the impact on website traffic if opt-in was required for first-party analytics tools. The ICO called it the cookie cliff: Typically, when opt-in is required, traffic drops to less than five percent of previous measurements. This obviously doesn’t sit well with the board of directors, still living in an eyeball, Mad Men type of world. Explicit opt-in means unique visitors and bounce rates plummet while conversion rates go through the roof. Internal trust in the data is often lost.

Like many counterparts, I’ve spent numerous hours finding a workable balance between basic reporting needs and the recommendations set out by the Spanish DPA: 100-percent compliance remains a high toll to pay. If anything, first-party analytics tools ideally need to become natural-born cookie killers, allowing trackers to delete their data-collection records if a visitor chooses to opt out.

And analytics tool vendors have been paying attention to increasing privacy needs.

As the digital analytics industry is embracing tag-management solutions to install trackers, making their set-up centralized and moving away from hard coding, leading vendors such as Tealium have developed features to adapt to the evolving EU situation as well as to the more U.S.-based do-not-track (DNT) initiative.

On the one hand, consent mechanisms are made available to the website visitor, depending upon the tool setup, centrally managed by the analytics team, in line with EU stances. On the other hand, DNT headers can be measured and, once again depending upon the stance chosen, either respected for all cookies or only for third-party ones, in line with the ideas of “Do Not Track” vs. “Do Not Target.” The California Online Privacy Protection Act requires privacy policies to at least declare how DNT is handled. Some analytics professionals are starting to measure conversion rates of re-targeting tools to see whether DNT is indeed in line with what visitors state their privacy preferences would be.

It's not that the cookie directive is worse than DNT or the other way around. If anything, they interestingly complement one another for global companies wishing to set up a unified and privacy-respectful tracking framework. The objective should always be to set up a Magnum-type of tracking mechanism: uniform across the board, still deliciously serving business data needs while respecting privacy.

The CNIL sweep is an opportunity to face reality and start cleaning house related to the trackers used on digital properties, including mobile applications. Such easy audits also allow for internal discussions about which type of data can be collected, processed and transferred onto other systems or tools in SaaS and cloud-based environments. And it shouldn’t stop there: As tools are increasingly allowing for API-based data transfers, where profiling and personalization are becoming the norm, escalation procedures related to data mashing and integrations need to be urgently put in place or rethought.

If not already done, crawl your digital properties for tags and any web beacons sending out data on your company’s behalf, including LSOs (local shared objects) commonly found in Flash files, often developed by external agencies. Once you know which tags are firing which kinds of cookies, classify them, linking them to the applicable legislation (cookie directive, DNT) and its requirements: consent or not, opt-out in the privacy policy, etc. Define a common way of working for the regions you’re active in. Update your privacy policy and, if needed, build a cookie policy. Make sure your opt-out links work and your consent tools are in place.
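The classify-and-gate step from the crawl workflow above, combined with the two DNT stances described earlier (honour DNT for all cookies, or only for third-party ones), as one worked illustration. This is an added example, not the article's code and not Tealium's or any other vendor's product; the site host, tag names, domains and the crawled inventory are constructed, and the stance labels and field names are hypothetical.

```javascript
// Added example (not the article's code, nor any tag-management vendor's):
// classify a crawled tracker inventory and decide which tags may fire under
// a given consent state, DNT header and chosen DNT stance.
// All hostnames, tag names and the inventory below are constructed.

const SITE_HOST = 'www.example.org'; // constructed: the property being audited

// Constructed crawl output: one entry per tag / beacon seen firing on the site.
const CRAWLED_TAGS = [
  { name: 'session', cookieDomain: 'www.example.org', purpose: 'necessary' },
  { name: 'site-analytics', cookieDomain: '.example.org', purpose: 'analytics',
    optOutUrl: 'https://www.example.org/privacy#opt-out' },
  { name: 'ad-retargeting', cookieDomain: 'ads.adnetwork.test', purpose: 'advertising',
    optOutUrl: 'https://ads.adnetwork.test/opt-out' },
  { name: 'legacy-flash-beacon', cookieDomain: 'cdn.old-agency.test', purpose: 'analytics',
    storage: 'lso' }, // Flash local shared object left behind by an agency build
];

// A cookie is first-party when its domain equals the site host or is a
// parent of it (".example.org" covers "www.example.org").
function isFirstParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const s = siteHost.toLowerCase();
  return s === d || s.endsWith('.' + d);
}

// Cookie-directive view: strictly necessary storage is exempt; anything
// else (analytics, advertising) needs a consent basis.
function classifyTag(tag, siteHost) {
  return {
    ...tag,
    party: isFirstParty(tag.cookieDomain, siteHost) ? 'first-party' : 'third-party',
    requiresConsent: tag.purpose !== 'necessary',
  };
}

// Normalise the browser's DNT signal: navigator.doNotTrack is "1" in most
// browsers, "yes" in older Firefox, and navigator.msDoNotTrack on old IE.
function readDnt(nav) {
  const v = nav && (nav.doNotTrack || nav.msDoNotTrack);
  return v === '1' || v === 'yes' ? '1' : '0';
}

// Firing decision. ctx.consent is the visitor's consent state as resolved by
// the region's rule (true by default in an opt-out region, false until given
// in an opt-in region). ctx.stance (hypothetical labels) selects how DNT is honoured:
//   'do-not-track'  - DNT=1 blocks every non-necessary tag
//   'do-not-target' - DNT=1 blocks only third-party (targeting) tags
function shouldFire(tag, ctx) {
  if (!tag.requiresConsent) return true;          // strictly necessary: always
  if (!ctx.consent) return false;                 // no consent basis: never
  if (ctx.dnt === '1') {
    if (ctx.stance === 'do-not-track') return false;
    if (ctx.stance === 'do-not-target' && tag.party === 'third-party') return false;
  }
  return true;
}

// One row per tag: what it is and whether it fires in this context.
function buildFiringPlan(tags, siteHost, ctx) {
  return tags.map((t) => {
    const c = classifyTag(t, siteHost);
    return { name: c.name, party: c.party, purpose: c.purpose, fires: shouldFire(c, ctx) };
  });
}

// Audit helper: every tag that needs consent should also declare an opt-out
// link; this checks only that the link is declared, not that it resolves.
function tagsMissingOptOut(tags, siteHost) {
  return tags.map((t) => classifyTag(t, siteHost))
    .filter((c) => c.requiresConsent && !c.optOutUrl)
    .map((c) => c.name);
}

// Stand-alone run: opt-in region, consent given, DNT set, "Do Not Target" stance.
if (typeof require !== 'undefined' && require.main === module) {
  const ctx = { dnt: readDnt({ doNotTrack: '1' }), consent: true, stance: 'do-not-target' };
  console.table(buildFiringPlan(CRAWLED_TAGS, SITE_HOST, ctx));
  console.log('needs opt-out link:', tagsMissingOptOut(CRAWLED_TAGS, SITE_HOST));
}
```

In a real tag manager the inventory would come from the crawl rather than a literal, and the consent flag from the consent banner's stored choice; the decision logic itself stays this small, which is the point: once tags are classified, the regional policy is a table lookup rather than per-tag hard coding.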

Last but not least, make this a continuous process: Those involved in keeping the policies up to date should be made aware of any new trackers. A balance thus needs to be found between transparency and practical ways of working.

Misalignment is easy to spot. Example: the BBC iPlayer app, which says its terms can be found at www.bbc.com/iplayer/app/terms. That link doesn’t work. It also mentions a privacy and cookies policy available in the help section. While the initial document says users must be over 18, the later privacy policy mentions 16 years of age. It’s a common issue that, for companies active in the U.S., should raise flags under the Children's Online Privacy Protection Act. The cookie policy redirects to a downloadable app for opting out of tracking: the Ad-X cookie can only be opted out of if that app is downloaded. Ad-X was acquired by French behavioral targeting company Criteo in July of 2013. An update would be reassuring for a UK public entity.

Bonus tip: Review your Domain Name System procedures and make sure your data collection and processing is in line with analytics tools terms and conditions as well as their level of compliance; nobody wants to pay €1.2 million for another Phorm.

By the way, the analytics industry has been doing digital fingerprinting for over a decade. But that’s for another article.

1 Comment


  • comment Mike • Oct 7, 2014
    Baycloud Systems, our European company, has led the way for multi-site, multi-language consent management systems focussing on the integration of the DNT standard with the EU E-Privacy Directive and has a far more developed product than anything recently introduced from the US, though I am glad to see you agree with our August blog post about DNT!
    http://baycloud.com/blog/the-e-privacy-directive-and-do-not-track-were-both-about-individual-control-over-tracking.