With the announced tightening of the GDPR in France and the emergence of similar initiatives overseas, Commanders Act offers a consent management solution that is safe, customisable and scalable.

Thanks to the development of this personal data protection application, launched in 2012 and natively integrated in the Commanders Act Platform, marketers can further advance towards transparent, personalised marketing that heeds consumers’ expectations.

With the tightening of the GDPR (General Data Protection Regulation) in France and the enforcement of similar directives throughout the world, TrustCommander is positioned as the solution best suited for ensuring rigorous and personalised compliance in terms of consent mechanisms and data protection. As such, it provides businesses with an optimal response to the legal, technological and marketing challenges inherent in gaining consent.

TrustCommander: allowing personalised management of consent mechanisms

Representing an optimised version of its Privacy offering, the TrustCommander Consent Management Platform (CMP) from Commanders Act was developed with a view to simplifying and optimising organisations’ compliance with the GDPR. Available as a standalone application or integrated in the TagCommander tag management platform, TrustCommander now supports all consent mechanisms while offering users many options for custom design.

TrustCommander can be used to carry out A/B testing in order to test several consent mechanism versions and assess – based on complete statistics – which one generates the most positive consents. “TrustCommander is the only CMP on the market to be exempted from consent by the CNIL [France’s data protection authority] to produce statistics that are completely anonymous and compartmentalised,” explains Michael Froment, CEO & Co-founder of Commanders Act. “This means that we are able to provide exhaustive statistics, including opt-outs, to calculate a truly tangible user consent rate.”

With TrustCommander, businesses can thus be assured of being compliant with the law for gaining informed and explicit consent, while having access to accurate data on the impact of the selected mechanism and design on their consent rate.

“One of the major issues of consent lies with the user experience,” adds Michael Froment. “Fully complying with the law without sacrificing user experience is a guarantee of buy-in not only for businesses, but also for consumers. Compliance should not be synonymous with uniformity.”

Heightened security in terms of data protection

Compliance, however, must go hand in hand with security. TrustCommander offers additional features to consent that can strengthen the security of the data for the use of which the company has obtained user consent. The CMP thus includes a firewall to block the sharing of this data which the company wants to exclude from its properties. This security applies irrespective of the call mechanism and irrespective of the call rank.

This system serves to strengthen governance and, in particular, to prevent personal data leakage to unreliable service providers. The AdOps and TagOps teams benefit from satisfactory security. “The challenge is all the greater since the GDPR, via the CNIL, now requires the companies concerned to publicly communicate on data leakage, in particular that of primary data,” points out Michael Froment. As such, TrustCommander provides organisations with an additional layer of security in terms of personal data protection.”

Anticipating to adapt to future developments

While the CNIL has already announced a tightening of the rules surrounding the GDPR’s enforcement, other similar initiatives are cropping up around the world. In California, the California Consumer Privacy Act (CCPA) will come into force in January 2020; in the United Kingdom, the Information Commissioner’s Office (ICO) published a guideline in July 2019 on the use of cookies (Guidance on the Use of Cookies and Similar Technologies). For increasingly extended organisations, this means that they will ultimately have to be compliant with all of these local regulations… which is already possible with TrustCommander.

“Our solutions are flexible enough to meet not only the CNIL’s future recommendations, but also all the configurations imposed by these new local regulations,” explains Michael Froment. “The notion of consent is becoming global, and it is up to us, as a CMP provider, to anticipate these changes and to allow users to simply and effectively respond to these major issues that lie at the junction between legal, technological and marketing aspects.”

The phenomenon of cookies disappearing from websites is a long story that started when tracking made its appearance, without forgetting browsers, add-ons, antiviruses and PC cleaner software giving users chance to delete or block cookies. But with the advent of the GDPR and a host of complaints flooding in from web users, CNIL (France’s data protection authority) and service providers, including Google, Facebook and Apple, are now on the same page in their efforts to remove this lucrative character string once and for all. Only third-party cookies will be affected by this new development, and Commanders Act has already pioneered solutions to continue taking advantage of accepted cookies that are actually useful.

Cookies have received a lot of bad press in industrial circles, but such is the confusion that some degree of clarification is required. These character strings are used to store a number of read options and technical settings from one visit to another, such as the right language version of a website corresponding to the user’s preferences, so that pages are displayed more quickly. These cookies are known as “first-party” cookies, since they are associated with the website’s domain name. “Third-party” cookies are not related to the website’s domain name, but are generated by third-party services, advertising and marketing in most cases. Third-party cookies are the type that next-generation web browsers are looking to wipe out. In 2018, 21% of the complaints filed with CNIL mainly concerned online marketing.

Major steps have since been taken. For example, CNIL and Europe have decided to wage war on trackers, which encompass cookies. For instance, if users do not explicitly give their consent to store cookies, website owners cannot install them and collect data. But objectives are even more ambitious and also concern fingerprinting. This term refers to the process whereby a browser collects (tracks) information about a user’s device, such as the IP address and other parameters in order to build up a unique fingerprint.

To overcome the problem of trackers, CNIL set out a number of guidelines in the summer and will publish a recommendation in January 2020 on both this particular topic and the GDPR, which will remain valid until July 2020, i.e. tomorrow.  This information will make up for the late release and implementation of the ePrivacy Regulation. This spells the end of the soft opt-in, namely the process where web users give their consent simply by continuing to navigate on a website.

To be more precise, the GDPR is the data protection regulation that requires companies to list all the files containing personal data. It needs to take a wide-ranging approach to incorporate digital technologies, which are a highly specific component and which have just been detailed in the European ePrivacy Regulation. An initial directive on the same scale has existed since 2012. But ePrivacy will be just like the GDPR. The new version will be a general regulation. From an EU law perspective, the difference between a directive and a general regulation is that directives are legislative acts that Member States incorporate into their own law systems. They are guidelines provided by Europe, but each country decides how to interpret and enforce them. A general regulation applies in its entirely to all Member States.

Note that cookies are personal data and are covered fully by the definition provided in Article 4 of the GDPR, which considers online identifiers (in this case, persistent cookies that are only associated with the device) as direct or indirect references to the natural person. The ePrivacy Regulation will specify the Telecoms Package in the technically complex world of digital technologies and telecoms, which corresponds to a set of directives that radically changed the legal framework for electronic communications.

However, a distinction should be made between technical cookies, which are fully authorised and required for a website to function correctly, and tracking cookies that are associated with targeted advertising. The law is only interested in the second type. Their operation is clearly in the firing line of the new rules and will require explicit consent from the web user for each processing activity performed.

Greater traffic on mobile phones

In addition to the various regulations, several factors are casting a threat over the existence of third-party cookies. The first is that, according to a Médiamétrie survey in 2018 on “The Internet year in France”, over 50% of web traffic is generated by mobile devices, such as tablets and smartphones (cookies cannot be exploited on iOS devices). The future of cookies has never been so clouded in uncertainty with this trend towards internet mobility. If users cannot be tracked, advertisers will scrap the budgets that they currently devote to web user targeting, or they will need to tackle the challenge of targeting mobile device users. Let’s not forget the popularity of ad blockers, which can either be off-the-shelf software programs or browser add-ons.

For example, Apple has implemented an anti-cookie policy in Safari that has practically killed off ad targeting. Most trading desks are abandoning browsers, and the media are seeing their revenue crumble as a result. Trading desks are platforms that use data and technology to help advertisers buy traffic through digital media.

As for Google, the company is going to equip the new version of its Chrome browser with anti-cookie and anti-tracker functionality after including an add-on allowing users to give an expiry date for their personal data. Apple has done likewise by reducing the cookie lifespan from 30 days to 24 hours with version 2.2 of its ITP (Intelligent Tracking Prevention), a program designed to prevent companies from tracking users, which has been built into Safari. Finally, Microsoft wants to build new controls into its Chromium-based Edge browser to ensure greater privacy protection. Remember that Chromium is a free web browser that is used as the backbone for many other browsers, some of which are open source and others are proprietary, like Google Chrome. Microsoft is developing a privacy dashboard with options for configuring tracking by websites.

Commanders Act solutions

Faced with the changes constantly sweeping legislation, Commanders Act can draw on the extensive tracking expertise that it has acquired over the years, which includes domain delegation. A customer delegates a subdomain of its website to Commanders Act, which will operate that site. This means transforming third-party cookies into “first-party” cookies. Since these types of cookie are not affected by the latest regulations, they will continue feeding useful visitor-related information to customers. The second solution applies to servers. Instead of the identifier and data transiting via the user’s browser, they are sent by the server delivering the content. The user’s consent is still required to use this method.

Therefore, Commanders Act has developed two solutions that comply with the latest regulations and respect users’ consent, and which are capable of adapting to changes in national and European legislation. These solutions represent a long-term prospect for customers based on the business expertise from which Commanders Act draws its strength, the first value proposition being tag management, tracking and information feeds to partners.

ITP, or Intelligent Tracking Prevention, is a feature that Apple has added to its Safari browser to protect web users’ personal data from being misused. This development has major repercussions for marketers and analysts.

Several years ago, web users decided to take back control of the data that they deliberately or inadvertently left behind when browsing on the Internet. Since then, lawmakers, rebellious users and the image that GAFAM is looking to promote have changed the situation and spawned ITP.

What does ITP do?

This feature has been built into the Safari browser and aims to protect the privacy of Apple users by limiting the extent to which they can be tracked across different sites. What that actually means is that the cookies used to track visitors (stored in JavaScript) are now restricted to 24 hours (implemented in the iOS 12.3 and macOS Mojave 10.14.5 updates), irrespective of the landing page.

For example, once 24 hours have elapsed between two sessions, ITP Version 2.2 will prevent users from being recognised from one session to the next. The customer journey for Apple users, representing a market share of approximately 7% on desktops and over 25% on mobile devices, has therefore been broken. There is no way to identify the campaign that drove users to their decision to purchase or the partner with the greatest impact on converting the prospect.

ITP 2.2 has set its sights on a specific type of cookie, namely first-party cookies. These cookies are associated with the domain name of the page on which the code is placed for the tag used to audit a website. There are two types: true and false. False cookies are those that use a JavaScript trick to make the browser believe that the cookie is associated with the domain visited by the user.

True cookies are first-party cookies that are stored and processed in full accordance with the rules, either by the actual website or a technology with domain delegation. This is what Commanders Act is offering with its domain delegation service.

ITP is clearly targeting “false” first-party cookies.

The consequences

Advertisers may lose between 15% and 30% of the traffic with Safari, and that figure could reach 100% with Chrome and Firefox. Furthermore, in accordance with the European Directive known as the “Telecoms Package”, web users must be informed and provide their consent before trackers are stored. They must be given the option of refusing to be tracked when visiting a website or using an application. Therefore, vendors are required to ask users for their prior consent. Consent is valid for no more than 13 months. However, some trackers are exempt from the obligation to obtain consent. Analysing web users is now much more complicated. Today, there are some analytics solutions that are exempt from obtaining consent, since they satisfy the following conditions laid down by CNIL, France’s data protection authority: cookies must only be used to produce anonymous visitor statistics on the site in question and must not be cross-referenced with other processing operations (customer file, visits to other sites, etc.).

The IP address must be anonymised if collected. The cookies created must not be retained for more than 13 months after the first visit.
Do not forget that ITP 2.2 reduces this retention time to 24 hours.

Therefore, Commanders Act has developed “Tracking First Party” to tackle this new version of ITP. The principle is straightforward. Customers entrust a subdomain of their website to Commanders Act in the form of a domain delegation. False cookies become first-party cookies and are no longer blocked by Internet Tracking Prevention. Analytical data are collected after the initial 24-hour time limit laid down by ITP, and targeted advertisements can be displayed on the user’s website if they remain on the current domain.

This solution can prevent marketers and advertisers losing knowledge and information about the web/mobile user over time, regardless of their browser, due to ITP 2.2 or the other measures taken.