The phenomenon of cookies disappearing from websites is a long story that started when tracking made its appearance, without forgetting browsers, add-ons, antiviruses and PC cleaner software giving users chance to delete or block cookies. But with the advent of the GDPR and a host of complaints flooding in from web users, CNIL (France’s data protection authority) and service providers, including Google, Facebook and Apple, are now on the same page in their efforts to remove this lucrative character string once and for all. Only third-party cookies will be affected by this new development, and Commanders Act has already pioneered solutions to continue taking advantage of accepted cookies that are actually useful.
Cookies have received a lot of bad press in industrial circles, but such is the confusion that some degree of clarification is required. These character strings are used to store a number of read options and technical settings from one visit to another, such as the right language version of a website corresponding to the user’s preferences, so that pages are displayed more quickly. These cookies are known as “first-party” cookies, since they are associated with the website’s domain name. “Third-party” cookies are not related to the website’s domain name, but are generated by third-party services, advertising and marketing in most cases. Third-party cookies are the type that next-generation web browsers are looking to wipe out. In 2018, 21% of the complaints filed with CNIL mainly concerned online marketing.
Major steps have since been taken. For example, CNIL and Europe have decided to wage war on trackers, which encompass cookies. For instance, if users do not explicitly give their consent to store cookies, website owners cannot install them and collect data. But objectives are even more ambitious and also concern fingerprinting. This term refers to the process whereby a browser collects (tracks) information about a user’s device, such as the IP address and other parameters in order to build up a unique fingerprint.
To overcome the problem of trackers, CNIL set out a number of guidelines in the summer and will publish a recommendation in January 2020 on both this particular topic and the GDPR, which will remain valid until July 2020, i.e. tomorrow. This information will make up for the late release and implementation of the ePrivacy Regulation. This spells the end of the soft opt-in, namely the process where web users give their consent simply by continuing to navigate on a website.
To be more precise, the GDPR is the data protection regulation that requires companies to list all the files containing personal data. It needs to take a wide-ranging approach to incorporate digital technologies, which are a highly specific component and which have just been detailed in the European ePrivacy Regulation. An initial directive on the same scale has existed since 2012. But ePrivacy will be just like the GDPR. The new version will be a general regulation. From an EU law perspective, the difference between a directive and a general regulation is that directives are legislative acts that Member States incorporate into their own law systems. They are guidelines provided by Europe, but each country decides how to interpret and enforce them. A general regulation applies in its entirely to all Member States.
Note that cookies are personal data and are covered fully by the definition provided in Article 4 of the GDPR, which considers online identifiers (in this case, persistent cookies that are only associated with the device) as direct or indirect references to the natural person. The ePrivacy Regulation will specify the Telecoms Package in the technically complex world of digital technologies and telecoms, which corresponds to a set of directives that radically changed the legal framework for electronic communications.
However, a distinction should be made between technical cookies, which are fully authorised and required for a website to function correctly, and tracking cookies that are associated with targeted advertising. The law is only interested in the second type. Their operation is clearly in the firing line of the new rules and will require explicit consent from the web user for each processing activity performed.
Greater traffic on mobile phones
In addition to the various regulations, several factors are casting a threat over the existence of third-party cookies. The first is that, according to a Médiamétrie survey in 2018 on “The Internet year in France”, over 50% of web traffic is generated by mobile devices, such as tablets and smartphones (cookies cannot be exploited on iOS devices). The future of cookies has never been so clouded in uncertainty with this trend towards internet mobility. If users cannot be tracked, advertisers will scrap the budgets that they currently devote to web user targeting, or they will need to tackle the challenge of targeting mobile device users. Let’s not forget the popularity of ad blockers, which can either be off-the-shelf software programs or browser add-ons.
As for Google, the company is going to equip the new version of its Chrome browser with anti-cookie and anti-tracker functionality after including an add-on allowing users to give an expiry date for their personal data. Apple has done likewise by reducing the cookie lifespan from 30 days to 24 hours with version 2.2 of its ITP (Intelligent Tracking Prevention), a program designed to prevent companies from tracking users, which has been built into Safari. Finally, Microsoft wants to build new controls into its Chromium-based Edge browser to ensure greater privacy protection. Remember that Chromium is a free web browser that is used as the backbone for many other browsers, some of which are open source and others are proprietary, like Google Chrome. Microsoft is developing a privacy dashboard with options for configuring tracking by websites.
Commanders Act solutions
Faced with the changes constantly sweeping legislation, Commanders Act can draw on the extensive tracking expertise that it has acquired over the years, which includes domain delegation. A customer delegates a subdomain of its website to Commanders Act, which will operate that site. This means transforming third-party cookies into “first-party” cookies. Since these types of cookie are not affected by the latest regulations, they will continue feeding useful visitor-related information to customers. The second solution applies to servers. Instead of the identifier and data transiting via the user’s browser, they are sent by the server delivering the content. The user’s consent is still required to use this method.
Therefore, Commanders Act has developed two solutions that comply with the latest regulations and respect users’ consent, and which are capable of adapting to changes in national and European legislation. These solutions represent a long-term prospect for customers based on the business expertise from which Commanders Act draws its strength, the first value proposition being tag management, tracking and information feeds to partners.