Third-party cookies have long been “the glue that holds together the independent ad tech world.” Far surpassing their original purpose of giving “memory” to websites, these cookies are heavily relied upon by marketers to analyze and track online users. Indeed, cookie-based targeted advertisements are the reason why websites can sustain their “free” business models. But what’s good for industry has not been good for user privacy—and the tide is starting to turn.

Part one of this two-part series addresses the current legal and regulatory developments impacting the use of third-party cookies in the European Union and United Kingdom. Part two will explore the industry shift away from third-party cookies and their alternatives.     

EU legal developments

Negotiations are currently underway for the draft ePrivacy Regulation that will eventually replace the 2002 ePrivacy Directive and better harmonize data protection laws across EU member states. The EU General Data Protection Regulation already requires websites to obtain explicit consent before using cookies, but the ePrivacy Regulation—which was originally intended to be enacted alongside the GDPR back in 2018—could allow for new ways to streamline consent. For instance, the current draft from the EU Council makes cookie walls a possibility, and it would also allow users to whitelist cookie providers at the browser level to reduce the number of consent pop-ups.

Outstanding issues—such as cookie walls—are said to be prolonging an agreement on the Council’s long-awaited draft. Likewise, critics argue the draft “hugely misses the mark,” and Germany’s Federal Commissioner of Data Protection Ulrich Kelber urged the European Parliament and the Commission to “increase … the level of data protection” during negotiations. In short, the specifics of the ePrivacy Regulation remain unclear, but the end result will almost certainly have an impact on cookies—and consent requirements for them may be here to stay.

Moves in Parliament also hint at incorporating restrictions on certain targeted advertising in the incoming Digital Services Act. Christel Schaldemose, the MEP currently steering the DSA through Parliament, supports a ban on behavior-based targeted ads (as opposed to “classic commercial advertisements”). Germany wants users to have the option to visit certain websites without targeted ads. The European Data Protection Board states the DSA should “more strictly” regulate online targeted advertising and recommends “a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking.” The Tracking-free Ads Coalition—a group of EU political leaders, organizations and businesses—has been campaigning to end “the pervasive tracking advertising industry that dominates the internet today.” According to Alexandra Geese, an MEP participating in the Coalition, three groups in Parliament (S&D, Greens and Left) currently support shifting the industry to contextual advertising.

At the same time, industry groups have been pushing back. Interactive Advertising Bureau Europe recently launched a campaign to highlight the “serious, far-reaching consequences” these DSA proposals would have on EU consumers and small businesses. A recent report by Corporate Europe Observatory and LobbyControl also shows that adtech giants Google and Facebook are the top two corporate lobby spenders in Brussels. Then again, pro-privacy businesses within the industry have intervened to debunk the economic claims that larger industry members have been using to defend tracking ads. In an open letter to EU regulators expressing their support for a ban, Vivaldi, DuckDuckGo and 12 other businesses argued that surveillance-based advertising is detrimental to the adtech industry because it “seriously undermine[s] competition and … serve[s] to entrench dominant actors’ positions.” These businesses added that the industry “can thrive without privacy-invasive practices,” noting that alternative advertising technologies exist that “can be implemented without significantly affecting revenue.”  

Parliament is expected to finalize its position on the DSA before the end of 2021. As it currently stands, MEPs have reportedly compromised by limiting the ban to only behaviorally targeted advertising being used for commercial purposes on minors.  

In a parallel proposal to the DSA, the draft Digital Markets Act was recently amended to include a new provision for targeted ads. Large platforms acting as “gatekeepers” will be prohibited from “combining personal data for the purpose of delivering targeted or micro-targeted advertising” unless they receive “clear, explicit, renewed, informed consent.” The DMA also includes the same limited ban on targeted ads for minors as the DSA.

Increased DPA activity

EU data protection authorities have become increasingly active in this area. Many have recently issued new or revised cookie guidance—including the DPAs of Italy, Malta and Luxembourg—to help companies navigate compliance pressures.

DPAs across the EU have also been busy enforcing cookie compliance. On Aug. 9, Berlin’s DPA launched a large-scale campaign to address “the ongoing deficiencies in the use of tracking tools and third-party services on websites.” Warnings were sent to 50 website operators with noncompliant tracking processes (such as deficient cookie banners), and failure to bring operations into compliance will result in formal investigation procedures by the supervisory authority. Last July, the French Supervisory Authority issued a second round of formal notices to about 40 companies that fail to give users an opportunity to refuse cookies as easily as accepting them.    

Amazon is being hit with a record 746 million euro fine and corresponding practice revisions by Luxembourg’s DPA for its targeted ad system. Last year, France’s DPA fined Amazon ($42 million) and Google ($120 million) for automatically dropping cookies without user consent.

Moreover, IAB Europe’s Transparency and Consent Framework—a consent pop-up system relied upon by the bulk of Europe’s online advertising industry (including Google) to obtain user consent to ad targeting—has been found in breach of the EU GDPR. Investigations by the Belgian DPA revealed the TCF’s failure to comply with the GDPR principles of transparency, fairness, accountability and lawful processing. The Belgian DPA recently circulated its draft ruling amongst fellow EU DPAs for review. According to a Nov. 5 statement by IAB Europe, the breach findings may be “remedied within six months following the … final ruling,” but nothing is certain until the draft ruling is reviewed and a final decision issued. Even so, a finding that the dominant consent framework is unlawful is likely to bolster the arguments in the EU Parliament for including a ban on behavior-based targeted ads in the DSA.

Other pressures

Alongside the uptick in regulatory activity, there has been significant privacy activism in this space. For example, None of Your Business, a nonprofit founded by Max Schrems, aims to assess the GDPR compliance of 10,000 websites in Europe and has already filed more than 400 formal complaints against cookie consent breaches. In response to NOYB’s forced-enforcement project, the EDPB formed a cookie banner taskforce to coordinate responses across supervisory authorities.

And apart from dealing with the Belgian DPA, IAB Europe has been cracking down on consent management platforms for dropping cookies without user consent.

Class-action lawsuits concerning tracking and cookie consent are also on the rise, such as the cases against TikTok, Oracle and Salesforce. Rather than having to deal with the backlogs DPAs are currently facing, class actions go to court immediately. But seeking redress in court may have its own hurdles. The U.K. Supreme Court’s recent refusal of damages for unlawful data processing in a class action against Google — which allegedly circumvented the Safari browser’s privacy protections to track millions of iPhone users between 2011 and 2012 — will likely influence other similar lawsuits in the U.K.

The U.K.’s post-Brexit plans

Meanwhile, the U.K. has been preoccupied with separating itself from EU standards through efforts to reshape domestic data protection rules. Seizing on the opportunity to responsibly deregulate, the country’s proposed data reforms aim to “keep people’s data safe and secure, while ushering in a new golden age of growth and innovation.” Perhaps not surprisingly, one of the key proposals is to rework U.K. rules governing the use of cookies.

More specifically, the government’s Department of Culture, Media and Sport is considering two proposals to make cookie consent rules less burdensome in its "Data: a new direction" consultation paper. Under the first proposal, organizations would no longer need to obtain user consent to use analytics cookies (also known as ‘web audience measurements’) and similar technologies. The second proposal would allow the use of cookies without consent “for other limited purposes.” The DCMS said this could include processing that is necessary for a controller’s legitimate interests “where the impact on the privacy of the individual is likely to be minimal.” Going a step further, the DCMS also put forth a more radical “alternative approach” to remove prior consent requirements for all types of cookies.

The U.K.’s Information Commissioner’s Office responded in support of the DCMS’s review, but noted “the devil will be in the detail.” The ICO seems supportive of both proposals so long as “appropriate safeguards” are in place. Furthermore, the ICO recommended considering “legislating against the use of cookie walls, which require users to ‘accept’ tracking as the price of entrance,” to help shift current market practices.

The public consultation closed on Nov. 19. Most of the details remain up in the air for now, but the DCMS’s proposed cookie consent reforms certainly diverge from current EU standards — the question is, to what extent? Once implemented, organizations may be faced with two very different data protection regimes in Europe. However, the EU’s adequacy decisions for the U.K. expire in 2025, so the U.K. government may also be considering whether a substantial deviation from the EU is worth jeopardizing their renewal.

Additionally, in September, outgoing Information Commissioner Elizabeth Denham called on her G7 DPA counterparts to help fix the current ‘cookie fatigue’ problem, stating the current consent system needs a complete overhaul. Denham suggested shifting to browser-level controls to supplant individual website pop-ups. It’s possible Denham’s replacement, John Edwards, will continue these efforts with the other G7 DPAs given his “openness to working with other countries.”

Conclusion

Many of these European developments are still in the works, but it’s clear the third-party cookies landscape is undergoing significant changes. Nevertheless, reform efforts and discussions about overhauling the cookie consent system may be premature considering the adtech industry’s ongoing phase-out of third-party cookies — an overhaul in itself — which will be discussed in the second part of this series.    
