The European Commission's consumer protection department has been coordinating a voluntary initiative to push the digital advertising industry to phase out cookies. The political driver of the initiative is European Commissioner for Justice Didier Reynders, who is also responsible for the data protection portfolio.
The "cookie pledge" initiative has been ongoing since last spring when it was first put on the table at the European Consumer Summit. The idea is to conclude it by presenting the signatories at the next summit in April.
However, whether any stakeholders involved will finally sign the commitments remains to be seen. From the beginning, the cookie pledge was surrounded by some grumbles, starting with a lack of transparency in selecting the participants, following which participation was broadened.
Cookie pledge principles
A consolidated version of the draft pledges was circulated in December 2023 with an opinion from the European Data Protection Board. A new version of the principles, seen by The Privacy Advisor, was circulated 15 Jan. based on EDPB and stakeholder feedback.
The revised draft includes some fine-tuning but maintains the overall structure of the commitments. The initial idea is to minimize the information users must process to consent, introducing a second layer for those who want a more detailed account.
The first layer should include a "reject all" button and information on the website's business model, notably by explaining upfront if the organization obtains revenues from tracking-based advertising, third-party cookies or other types of advertising like contextual ads.
In the second layer, the users could make a more fine-grained selection of controller and purpose, together with a list of the actors with whom the data is shared.
Another attempt to reduce the information burden for users consists of not requiring consent for purposes related to the advertising model, such as measuring the ads' performance, as the consumers have already expressed their preference for this business model.
The relevant pledge states "consent to cookies for advertising purposes should not be necessary for every single tracker." Still, the rationale specifies this pledge should not interfere with stricter obligations in sectorial legislation like the Digital Markets Act.
Perhaps most importantly, the Commission suggests "if tracking-based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less privacy intrusive form of advertising."
This principle is in response to the "pay or OK" model Meta introduced across its platforms following the invalidation of the contact model from Ireland's Data Protection Commissioner based on a binding EDPB decision.
The EDPB opinion on the cookie pledge states consent can only be valid if there is no risk of coercion or significant negative consequences like substantial extra costs if no consent is given.
Thus, giving a less privacy intrusive alternative like contextual advertising is presented as necessary for consent to be deemed valid.
In addition, a pledge that, if applied, might prove highly consequential requires web services to keep tabs on the users that have refused or withdrawn their consent to have their data processed, since "one major reason of the cookie fatigue especially felt by the persons most interested in their privacy is that negative choices are not recorded and need to be repeated each time."
The idea is not for the web service to store the user's unique identifier but to maintain generic information common to all users who have denied consent. Users could be asked for their consent again after a "reasonable period," i.e., one year.
Finally, the Commission would like signatories to explore potential solutions allowing users to set their cookie preferences in advance, notably to refuse certain types of advertising models systematically.
Stakeholder reactions
Several stakeholders shared their reactions under anonymity, given the sensitive nature of the discussion. Overall, private actors expressed concerns with the pledges, while civil society organizations showed some appreciation for the Commission's direction.
Some concerns are industry specific, like the media sector already opposing the principle of centralizing users' preferences at the web browser level in the ePrivacy Regulation because this disintermediation arrangement would further strengthen the hand of Big Tech vis-à-vis publishers.
Another concern raised by the advertising technology industry relates to the fact the Commission does not differentiate among different types of tracking, which might not necessarily be related to the delivery of advertising but, for instance, to measure the ads' performance.
Stakeholders also criticized that the Commission did not take into due consideration the role of advertisers, as their demand ultimately drives the market. In other words, the whole industry would have to follow if the advertisers were on board.
Most importantly, there is no incentive for signing the pledges. Typically, industry-driven initiatives like codes of conduct provide a benefit because, by adhering to them, organizations enjoy a presumption of conformity with the related legislation.
"Though the EDPB has welcomed the objectives of the initiative, there is no guarantee on whether the operationalization of these pledges will ensure compliance with the (General Data Protection Regulation), its interpretation by national (data protection authorities) or the implementation of the ePrivacy Directive by regulators other than the DPAs," Enrico Girotto, head of policy at the Federation of European Data and Marketing, said.
Besides the question of legal compliance, Girotto noted the initiative raises more questions than answers. For instance, it attempts to reduce the information overload while requiring details on the business model; it suggests a less intrusive advertising model whose financial viability for publishers is still up in the air and largely overlooks how the pledges would apply in a business-to-business context.
From soft to hard law
According to one of the stakeholders involved, the way the European Commission has managed the initiative suggests rather than presenting something stakeholders can agree to, like increasing transparency, maximizing participation does not seem to be the priority.
Indeed, in an interview anticipating the initiative in December 2022, Reynders made clear that voluntary commitments are "maybe a first step that is possible to use to see with some actors what is possible to do online. After that pilot phase, we can see if it's needed to come up with a regulation to have a level playing field to impose the best possible practices to all the actors."
Reynders' department is conducting a "fitness check" to assess whether EU consumer law can keep up with digital developments. According to the call for evidence, the initiative touches upon issues such as dark patterns, influencers marketing, addictive use of digital products and personalization practices.
In other words, if the voluntary commitments fail to move the dial or secure enough stakeholder support, the Commission would have an argument next mandate to propose mandatory obligations.
Still, it remains to be seen how much of this initiative is the result of Reynders' personal push or if the Commission's bureaucrats will take ownership of the file, as the Belgian politician is unlikely to stay in his role in the next mandate and has thrown his hat in the ring to lead the Council of Europe.
At the same time, there might be a conflict of competence brewing between the EU Communications Networks, Content and Technology department and Reynders' Justice and Consumers department. The department was responsible for the ePrivacy Regulation, the original "cookie law" that has been languishing for years due to a deadlock related to the thorny issue of data retention.
In other words, the Justice and Consumers department is using the ePrivacy Regulation's moribund status to step into the Connect department remit for the sake of consumer protection. Meanwhile, it has been preparing a replacement for the ePrivacy, laying the groundwork for a future Digital Advertising Act that will necessarily touch on the issue of how personal data is used and processed.
A new EU mandate always comes with reforming the political priorities and reshuffling competencies in the Commission's internal structure. A clearer repartition of responsibilities among EU departments on issues like web cookies, digital ads and, even more broadly, data protection might be in order.