The latest court ruling issued by the Court of Justice of the European Union (CJEU) on 1 October 2019 is loud and clear. It stipulates that an active, explicit and informed opt-in is required before setting cookies or collecting other personal data. Tacit consent is no longer valid. This means that the popular phrase “If you continue surfing now, you agree to your data being processed”, which still appears, can no longer be used.

Until now, many online marketing operators have taken advantage in a cavalier fashion of the lack of any clear regulation. Incredible amounts of data have been collected in an effort to keep an ever closer eye on website visitors. This triggered a situation where digital channels have been littered with ads, spam, bots and cookies. Therefore in 2016, the European Union imposed the General Data Protection Regulation (GDPR) as an attempt to curb this activity. This stipulates that companies must list all files containing personal data. But it was only scandals such as those involving the company Cambridge Analytica, which was supposed to have influenced the US presidential election using Facebook data, that made a wider public aware of the careless or even criminal manner in which data is often handled.

In many places, there was great dismay after the verdict, because warnings are now possible in the opinion of some courts and will increase as a result of this clear verdict. For this reason, every website operator should immediately address this issue and, as a first step, acquire a suitable consent management platform (CMP) which prevents cookies being set before user consent is given and clearly documents opt-ins.

Until now, there were three different ways to obtain consent from website visitors:

• Direct, explicit consent: This method involves explicit consent being given by the user – usually by clicking on an “Agreed” button.
• Implicit consent: In this case, consent is given if the user scrolls down the landing page or clicks another button on the landing page.
• Indirect consent: In this case, consent is considered to have been granted at the moment when the user accesses another page on the same website.

These various methods have a major influence on the respective opt-in rates. Since the GDPR was published, website operators have had plenty of time to try out the methods. However, the years since 2016 have largely passed without any action being taken. In most cases, people have hidden behind dubious legal opinions, looked for loopholes in the law and left users with very limited options to choose from.

The game of legal hide-and-seek is moving to the next stage for many companies, but the CJEU ruling leaves some issues unresolved:

• Could the setting of cookies be justified on other legal grounds, for example, based on legitimate interests (Article 6(1)(f) of the GDPR)?
• Who is responsible for setting third-party cookies under data protection law?
• When are so-called “necessary” cookies available which do not require separate consent (Article 5(3) of the ePrivacy Directive)?
• Do users have to actively agree to individual online marketing service providers or at least service provider groups (categories, for example, “analysis”)? This question is of paramount importance. Naming all the service providers involved in the online marketing ecosystem would be a virtually unachievable task.

Does this mean that we can quietly wait until the company’s lawyer or the external data protection consultant has been turned down by a warning or a new court ruling on these matters?

Impact of the CJEU judgment on online marketing

Contrary to what usually happens, marketing managers must act now! Carrying out marketing activities with traditional, cookie-based methods is now very difficult. Anyone implementing the CJEU’s cookie ruling needs to keep their eye on more things than before. Cookies requiring consent must no longer be set before consent is given. According to the law, consent must be active, informed, explicit, specific, voluntary and documented. The process for amending and deleting given consent must also be as simple for the user as that for giving consent.

The impact of the ruling will soon become apparent to many marketing managers, who are now trying to switch from implicit to explicit consent. Commanders Act found in a study that implicit consent has so far reached up to 95% approval, while explicit consent has reached only 37%. In other words, anyone who relies on tracking cookies and is only now switching to explicit consent may lose quite a considerable proportion of their online marketing data unless this activity is professionally supported.

Do Not Track features in the browser and ad blockers make life even more difficult for online advertisers. Google wants to equip the new version of its Chrome browser with special features to protect against cookies and trackers. The browser already has an extension which allows users to set an expiry date for their personal data.

With “Intelligent Tracking Prevention” (ITP), for example, Apple has implemented an anti-cookie strategy in its Safari browser which near enough nips targeted advertising in the bud.
Version 2.2 of its ITP feature reduces the duration of tracking cookies from 30 days to 24 hours. ITP is a program which is integrated into the Safari browser to protect against user tracking. Many CMP providers still rely on local storage, i.e. the option to store data on the user’s computer. But from ITP version 2.3 onwards, this should also be prevented, according to Apple.

Consequences

This situation has many different consequences for online marketing managers. It will make performance tracking more difficult unless it is considered a legitimate interest (Article 6 GDPR). In addition, it makes recognizing users of certain browsers (Safari, Firefox) more difficult, as it does web analysis, which lacks precision. More than this, some forms of online marketing (retargeting, real-time bidding, affiliate marketing) are not only made complicated, but even impossible. This significantly reduces the data advantages which the online channel has over offline channels.

According to a recent study by the World Advertising Research Center (WARC), 61.4% of the global digital advertising budget will go to Google and Facebook alone. This leaves online marketing managers with only few options for action in terms of using audiences in a different way. At the same time, the younger age group of 12- to 17-year-olds is turning away from Facebook, as the analysis company eMarketer has confirmed. Their number will decrease by 9.1% year-on-year, resulting in a loss of around 170,600 users. This age group’s refusal to use Facebook is expected to continue in the coming years.

Conversely, this means that the shortage of stock at Google and Facebook, as well as more providers bidding for this stock, with fewer alternatives available, will dramatically increase the costs of reach marketing and performance marketing.

Consequences for the digital economy

These developments entail the following consequences. EU operators are losing touch with the US and China – which is also due to a lack of growth prospects and privacy issues they are facing (no more API access for EU operators to data from the Big Tech companies). The only option still left to them is to sue Google, Amazon, Facebook, Apple and Microsoft (under antitrust law), but this involves lengthy litigation and meagre prospects of success.

When it comes to ePrivacy, politicians are still reluctant to make clear rules and statements – especially when it comes to the EU-US Privacy Shield. The EU-US Privacy Shield Framework provides companies with a tool for transferring personal data from the European Union to the United States in a way that is compatible with EU law.

As early as autumn 2018, the European Parliament called on the European Commission to review the agreement. In this regard, EU companies may soon face high risks if they still rely on SaaS providers whose servers are located in the US.

Tips and tricks for achieving the best opt-in solution

Tip 1: Think big!

Think big when it comes to the consent banner. The average consent rate is 65% (across all consent types), but there are variations both up and down. The differences between desktops, smartphones and tablets can be explained primarily by the size of the banner. This automatically takes up more space on smartphone and tablet screens. Thirty-seven per cent of all opt-in banners were displayed on a desktop computer, 51% on smartphones and 12% on tablets. As a result, the approval rate for smartphones is 76%, while the rates for tablet and desktop computers only reach 59% and 56% respectively.

Tip 2: Don’t hide your content

The correlation between banner size and opt-in rate is, of course, limited. As soon as the page content is no longer visible behind or under the banner, users tend to cancel their visit instead of giving their consent. This behaviour is particularly pronounced when the banner in the form of a pop-up greys out and covers the entire background, i.e. the contents of the page.

Tip 3: Nobody cares about privacy statements and cookies

Website visitors see the message requesting consent on average 1.8 times before making a decision. This average rate always remains the same, regardless of the final decision (opt-in or opt-out) or the consent method used (direct, indirect or implicit). In other words, users halt their decision-making process the first time they see the banner or pop-up. Just 0.1% of visitors – yes, you have read the figure correctly! – go one step further in a two-step process and look at the privacy statement or more detailed information about the cookies used. However, this percentage is expected to increase in the coming months as more users deal with the issue of data protection.

Tip 4: Keep a close eye on your visitors and industry

Every industry has its own methods of obtaining consent. Legislation (the ePrivacy Regulation is currently under negotiation), technology (e.g. browsers deployed) and user behaviour are in a constant state of flux. They can contribute to design decisions previously made being reconsidered and possibly adapted in the coming months.

Tip 5: Carry out a test!

Carry out an A/B test with the consent banner, with slightly amended functionalities or text each time. Don’t change too much at once in the two variants so as not to make it difficult to measure the effectiveness of individual metrics in a clear way. The A/B test will enable you to find out how to achieve the highest possible opt-in rates.

Tips for selecting providers on consent management platforms (CMPs)

There are different CMPs and procedures for obtaining consent.

In the technological approach, cookies are usually suppressed retrospectively, while tags are suppressed in advance. Consent is stored via cookies (first- or third-party), local storage, data layer and server. Consent can be obtained through various ways: explicit or implicit, direct or indirect, and before or after the pageload. The conceivable button options are opt-in, opt-out and a neutral approach.

The Consent Management Platform should meet some basic criteria. It must enable privacy banners, privacy centres and provider and cookie categories to be created, managed and adapted. In addition, user consent and consent types must be documented in detail. Not to mention that the system should be able to meet the following criteria:

Checklists before purchasing a CMP:

• Adjustments to banner designs, texts and buttons (WYSIWYG editor)
• Control by country and language settings
• Consent metrics (details, KPIs, comparison of different banner variants)
• A/B tests to optimise consent banners
• Consent at different levels (provider, cookie)
• Cookie crawler (detection of piggybacking)
• White- and blacklisting of cookies/providers
• Deleting/renewing consent after a certain period of time

Technical requirements:

• Secure suppression of unauthorised cookies before consent (TAG-based)
• Multi-CDN or self-hosting for displaying banners
• Export function or API for transferring consent to third-party systems
• Plug-in or native integration with tag management systems
• Privacy Centre integration into privacy statements
• IAB compliance (for advertising on publisher pages and Google)
• Support and technical documentation

The legal requirements must ensure that storage takes place on ISO-certified EU servers. There should also be ePrivacy certification (or a similar scheme). In the case of security processes, managers must focus on incident management and disaster recovery, while in the case of contractual components, the focus is on a service level agreement (SLA), data protection based on technical and organisational measures (TOM), order data processing (ODP) and privacy by design.

Furthermore, CMPs must be combined with tag management systems. This is the only way to set cookies after the opt-in process and to categorise them clearly.

The consent issue will long be a fixture on the to-do list for marketing directors. What is the course of action? Although some professionals are tempted to use tactics to bypass the issue, others are taking a more strategic approach.

On the ground level

The short-term reflex: the temptation to circumvent

Although the opt-in is valid for 13 months (in other words, a legitimately accepted cookie may have such a lifecycle), legislation currently fails to mention anything about the opt-out validity period. That is all it took for organisations to see an opportunity, namely to ask for consent from visitors who have already opted out whenever they visit the site. Or how to invent the digital era’s very own version of nuisance calling…

This is not the only tactic that bypass fans are resorting to. For example, they can opt for a paginated display of the different cookie categories in an attempt to bore visitors and encourage them to accept everything as quickly as possible. In our eyes, this behaviour is akin to a headlong rush that is not only ineffective but capable of harming the company’s brand image. Consent collection practices are evidently one of the criteria for assessing how much (or how little) trust can be placed in a brand. There is also the danger of underestimating the “consent culture” that will progressively spread among the community of web users. Users will not be fooled by these tactics for long.

The long-term investment: the return of the login and authentication method

Many brands are shying away from such circumvention tactics and have instead opted to overhaul their digital strategy by incorporating consent collection and management. That explains why login screens are popping back up on websites, even those without a transaction space (an e-commerce account, for example). Better still, alliances are being forged in various sectors of activity to give users a single login for several different brands and websites. Media groups in particular are at the leading edge of this movement. For instance, Le Geste, a French association of online editors, is working with a dozen media outlets to roll out a single login system. Login and privacy initiatives are also cropping up in Germany (where Axel Springer is fiercely against the platforms) and Portugal.

In fact, letting users sign in and access content and services offers a number of advantages. Although the login method does not eliminate the need to obtain consent when using cookies for guest users, it allows for a two-speed system, such as by using few cookies for anonymous visitors (which simplifies the opt-in screen) and taking a more detailed approach for authenticated visitors. Logging in gives identified users the opportunity to fine-tune the terms of the “contract” and how their data are used.

Another upside to the login system is that by maintaining a user session, it can compensate for the mechanisms that reduce the cookies’ scope of action, as we saw earlier. In addition, a direct connection with the audience is an effective way of fleshing out the company’s first-party data. This concern is clearly a trending issue…

The essentials

Work on how consent is worded

Or how to restore collaboration between marketing and legal departments

Whether or not opting for a login system, a new form of collaboration would be desirable between the marketing and legal teams. As it currently stands, the legal team has too often been lumbered with the job of wording consent, probably based on the idea that just like the standard terms and conditions of sale, nobody will bother spending too much time poring over these few lines.

This attitude is easily understandable, given that consent rates hover around the 90% mark when organisations go for the soft opt-in approach. But as we have seen, the situation will have changed by July 2020, insofar as users will need to take an affirmative action to give their consent. It will take more than a purely legal text to motivate users to do so. The contract formed when collecting consent must now be developed by both the legal and marketing teams to garner support from users. The aim is to use the clearest possible language to describe the value of their consent and the brand’s commitments. Each organisation needs to find its own wording…

Migrating from consent management to preference management

Or how to turn consent into a user experience

Since consent is no longer a matter of asking web users to nod their head in front of a screen of pre-ticked boxes, it would seem logical to look at the collection process as an integral part of the user experience, not something that should merely be used to obtain consent, but also to give visitors the possibility of defining all their preferences. Do they agree to receive web push notifications? Do they want to see ads on social networks? Do they want to receive an email summarising the latest news? How often?

It can be seen with these examples that managing preferences can be especially exhaustive and “useful” if users are logged in. In any case, the way ahead seems to be all mapped out with privacy centres (the page where users can see their consents) turning into preference centres. A preference centre is a place where all visitors have an insight into their touchpoints and the information that they have agreed or refused to share. It is also a place where users do not typically venture, but merely to control their relationship with the brand.

Create a consent scenario

Or how to boost collaboration between marketing and martech

Since soft consent is a thing of the past, each organisation needs to get ready to offer a much more explicit form of consent collection, while bracing itself for a significant fall in the opt-in rate. But to what extent? The latest edition of the Commanders Act Privacy Barometer offers a number of clues.

Close to 32% of the sites in the study cling to a super-soft form of opt-in (consent is validated as soon as users scroll or click on an element) and 31% maintain a soft opt-in approach (consent is validated when users visit a second page). That is why the consent rate in such industries as “Fashion & Retail” and “Travel” fluctuate between 66% and 91%! These rates are in strong contrast to the finance sector, which tends to follow a strict consent approach (explicitly clicking on an Agree button) and which has an average opt-in rate of… 29%. That figure provides a glimpse of what website editors can expect with the end of the soft consent tactic.

With opt-in rates reduced by a third or half, creating consent scenarios is becoming a real issue. There are no taboo questions. Should we ask for consent on the first page visited? If users opt out, should we ask them the same question each time they visit the site? If they give partial consent, can we really chase them up? In practice, there is every likelihood that the process of collecting and completing consent will gradually gravitate towards marketing automation with conditioned scenarios and testing. A fully-fledged discipline? In any case, it is an area where each organisation will need to develop its experience.

Supervise consent

Or how to get equipped for taking action

Because it is part of the user experience and because it determines the ability to build customer intimacy and activate digital strategies, the consent collection process requires accurate tracking with dedicated KPIs (Key Performance Indicators), and rightly so, since plenty of questions marks are raised:

• What is the global opt-in rate?
• How are opt-ins divided between categories (analytics, retargeting, emailing, etc.)?
• What about between the different screens and messages proposed? Which ones are the best at converting?
• How much traffic is flowing to the Privacy Centre?

These invaluable data can be leveraged to continually improve the consent process and fine-tune the contract of trust with the audience.

Find out more about our CMP – TrustCommander

Takeaway

Since consent is going to be around for a long time, circumvention attempts are doomed to failure. It is in brands’ best interests to transform consent into an integral part of the user experience. For a successful consent process, close collaboration is required between the legal, technical and marketing teams.

Regulations spawning left, right and centre

GDPR: welcome to season 2

Some people might have believed that the whole GDPR topic (General Data Protection Regulation) was already yesterday’s news, that the GDPR had had its 15 minutes of glory before being consigned to the archives. Rightly so: organisations based within the European Union (EU) – or those processing personal data belonging to EU citizens – saw the application of the GDPR on 25 May 2018 as a key deadline, in other words, an event with a before and an after. In fact, the GDPR ushered in a whole host of new features and developments, along with new and reinforced rights, including the right to access, the right to rectification, the right to erasure and the right to data portability, without forgetting consent. Without forgetting… well, nearly.

In terms of digital technologies, although organisations redesigned their consent screens and banners to coincide with the 25 May 2018 deadline, real-life practice is still quite far removed from the principles of the GDPR. The reason is simple. The text contains loopholes and especially a grey area surrounding the actual implementation of the GDPR, which has enabled a number of companies to content themselves with the soft opt-in. This means consent that is not based on an explicit action by the user, i.e. a user is considered to have given consent simply by continuing to navigate on a website. This practice will be outlawed in July 2020. In the meantime, France’s data protection authority (CNIL) will abandon its highly tolerant approach and issue a definitive recommendation on the use of cookies, which will permanently supersede its recommendation of 2013. CNIL published the first guidelines during the summer of 2019, so the key principles are already public knowledge.

In alignment with the GDPR, the process of storing cookies or activating any other tracking mechanism will be subject to obtaining consent that is freely given, specific, informed and unambiguous. Basically, CNIL is taking a hard line. Therefore, interpreting the user’s decision to continue browsing the website as a sign of consent or using pre-ticked “Accept all” boxes will be relegated to history. By July 2020, the idea will be to give users a balanced and informed choice so that they can agree or refuse to give their consent with the same degree of ease. What impact will this have on the process of obtaining consent? It is hard to predict how the situation will evolve at a time when only 37% of consent is collected in an explicit manner according to the second edition of the Commanders Act Privacy Barometer. But it is already clear that this new way of “presenting” consent will give users a lot more food for thought…

CCPA: California writes consent into the law books

Although Europe plainly set the tone with the GDPR, it is far from being the only one in today’s world that has rolled out a series of measures to protect personal data. In the USA, California waded into the topic with the “California Consumer Privacy Act” (CCPA). Since it was adopted in June 2018, the bill has inspired a dozen other states and could also give the federal government a few ideas. The CCPA’s scope of application is more restricted than the GDPR for several reasons:

• It focuses on the rights of Californian consumers, whereas the GDPR protects European citizens
• Even though it grants rights (access, portability and erasure), the CCPA is still based on opt-out
• It applies to businesses in the state that meet one of the following conditions: annual revenue over $20 million, purchase or sale of personal information from at least 50,000 consumers, and over 50% of annual revenue from selling customers’ personal information.
• Finally, the CCPA brings penalties of up to $7,500 for each violation (note that the GDPR imposes fines of up to 4% of the total annual turnover).

Due to become effective in 2020, the CCPA is not an “American GDPR”. It hardly makes any reference to the concept of consent, which is actually not a prerequisite for collecting personal data. However, the CCPA is on the same page as the GDPR, since it enshrines the principle of transparency and milestones, bearing in mind that California actually has the world’s fifth largest economy. Consequently, the Act will influence the major corporations in the digital economy to change their practices.

China: the other perspective on personal data

There is no way that you can talk about personal data protection without mentioning China’s standpoint, because not only does the country have 1.4 billion inhabitants, but it also has a fast-developing digital ecosystem attracting scores of foreign businesses. Although China had taken various steps over time to protect personal data, those measures mostly only concerned specific cases, such as telecoms firms and public institutions.

The situation changed on 1 June 2017 when China enacted a cybersecurity law. The law contains 79 articles and bears a number of similarities to the GDPR, since it refers to the need to establish rules on how personal data are collected and used, and those rules must specify the aims pursued.

It is also worth noting that the law covers the storage of personal data and data transfers outside China. Although the dividing line between the challenges of digital sovereignty and personal data protection is blurred, the Act covers the principle of explicitly informing data subjects if their data are going to be collected. This gives the impression that Europe’s best practices are a good match for China’s data protection needs.

A global topic spreading at breakneck speed

Although the GDPR and CCPA are making plenty of headlines, the topic of personal data protection has truly become a global issue. Canada is planning to review its Personal Information Protection and Electronic Documents Act in line with Europe’s GDPR, India is putting the finishing touches to its Personal Data Protection Bill, and the UK has published its Guidance on the Use of Cookies and Similar Technologies.

This list is far from exhaustive and confirms that more and more countries around the world are considering personal data to be sensitive material whose collection and use require a framework. Brands will need to learn how to build trust in this ever-changing landscape.

Cookies: bad news awaits

From Europe to China including the United States, managing consent is now subject to strict guidelines – or soon will be. This new set of regulations will inevitably prompt users to increasingly weigh up the value of their consent. This is not the only variable that is changing in the equation for marketing directors. Things are also happening in the technology world…

ITP 2.2: Apple piles on the pressure…

Apple has set its sights on championing personal data protection and set the tone as early as 2017 with an initial version of its Intelligent Tracking Prevention feature. Embedded in its Safari browser, this cookie filtering mechanism has clearly become tougher over time. Whereas the initial version limited the lifecycle for third-party cookies to 24 hours, subsequent versions have practically reduced that figure to zero. Remember that a third-party cookie is associated with a different domain to the site being visited. In other words, these cookies can be used to track visitors from one site to the next. What that actually means is that without these cookies, retargeting and programmatic advertising become so hazardous that some marketing professionals have banished Safari from their campaigns.

The latest version of ITP to date (2.2) goes further still by attacking first-party cookies, i.e. those associated directly with a website. The measure targets a specific type of first-party cookie that is sometimes used to bypass the restrictions on third-party cookies. With ITP 2.2, these cookies can only be tracked for 24 hours, which is (too) short for monitoring a user’s journey, especially with a view to assigning them to users. This is not a trivial matter for a browser with close to a 30% share of the mobile market.

Phoenix from Commanders Act – Or how to extend the cookie lifecycle in Safari

Marketers are facing a real dead end with the prospect of first-party cookies being deleted in Safari after 24 hours. To give you some idea of the impact, when first-party cookies are erased, a tool such as Google Analytics cannot aggregate two sessions for the same user if the interval between both sessions is more than 24 hours. That is a problem, which explains why Commanders Act incorporated the Phoenix module into its TagCommander TMS in October 2019. This technology saves cookies in a cookie server, so that they can be retained for more than 24 hours (up to 13 months in practice). When applied to TrustCommander, the Commanders Act CMP, Phoenix spares users the well-known inconvenience of being prompted to give their consent for each session, since a CMP cookie has every chance of being deleted by Safari by default.

Firefox is also getting involved

Firefox Version 76 was released with the Enhanced Tracking Protection (ETP) functionality. This mechanism is designed to block third-party cookies. Note that Facebook comes in for special treatment, since Firefox prevents the social network from tracking a user’s journey via the Share and Like buttons on other websites.

Chrome: the unknown quantity

So where does Chrome stand in all this? The response is expected with a certain amount of trepidation, given the market share owned by Google’s browser. One thing is for sure: the firm is working on a privacy framework, and a rough draft was published in the summer. This document is presented as a proposal to give everyone something to think about, but it portrays Google as a global hub for collecting consent, which is definitely stoking fears. Google is already changing how users can manage their settings by making the feature more prominent and legible in the latest version of Chrome.

Takeaway

What can you take away from the spate of new regulatory frameworks and technical constraints?

• For most organisations, the topic of collecting consent online is still a major work in progress. The process of moving into alignment with CNIL’s new recommendations by July 2020 will require businesses to take their data collection methods back to the drawing board.
• In the wake of consent, the technical constraints restricting cookies’ scope of action will prompt an investigation into ways of maintaining a stream of data that is of sufficient quality for exploiting.

More generally, the idea is gaining traction that managing consent is no longer a topic that marketing professionals can simply delegate to the legal or technical operations department, but a cornerstone of the marketing strategy.