Regulations spawning left, right and centre

GDPR: welcome to season 2

Some people might have believed that the whole GDPR topic (General Data Protection Regulation) was already yesterday’s news, that the GDPR had had its 15 minutes of glory before being consigned to the archives. Rightly so: organisations based within the European Union (EU) – or those processing personal data belonging to EU citizens – saw the application of the GDPR on 25 May 2018 as a key deadline, in other words, an event with a before and an after. In fact, the GDPR ushered in a whole host of new features and developments, along with new and reinforced rights, including the right to access, the right to rectification, the right to erasure and the right to data portability, without forgetting consent. Without forgetting… well, nearly.

In terms of digital technologies, although organisations redesigned their consent screens and banners to coincide with the 25 May 2018 deadline, real-life practice is still quite far removed from the principles of the GDPR. The reason is simple. The text contains loopholes and especially a grey area surrounding the actual implementation of the GDPR, which has enabled a number of companies to content themselves with the soft opt-in. This means consent that is not based on an explicit action by the user, i.e. a user is considered to have given consent simply by continuing to navigate on a website. This practice will be outlawed in July 2020. In the meantime, France’s data protection authority (CNIL) will abandon its highly tolerant approach and issue a definitive recommendation on the use of cookies, which will permanently supersede its recommendation of 2013. CNIL published the first guidelines during the summer of 2019, so the key principles are already public knowledge.

In alignment with the GDPR, the process of storing cookies or activating any other tracking mechanism will be subject to obtaining consent that is freely given, specific, informed and unambiguous. Basically, CNIL is taking a hard line. Therefore, interpreting the user’s decision to continue browsing the website as a sign of consent or using pre-ticked “Accept all” boxes will be relegated to history. By July 2020, the idea will be to give users a balanced and informed choice so that they can agree or refuse to give their consent with the same degree of ease. What impact will this have on the process of obtaining consent? It is hard to predict how the situation will evolve at a time when only 37% of consent is collected in an explicit manner according to the second edition of the Commanders Act Privacy Barometer. But it is already clear that this new way of “presenting” consent will give users a lot more food for thought…

CCPA: California writes consent into the law books

Although Europe plainly set the tone with the GDPR, it is far from being the only one in today’s world that has rolled out a series of measures to protect personal data. In the USA, California waded into the topic with the “California Consumer Privacy Act” (CCPA). Since it was adopted in June 2018, the bill has inspired a dozen other states and could also give the federal government a few ideas. The CCPA’s scope of application is more restricted than the GDPR for several reasons:

• It focuses on the rights of Californian consumers, whereas the GDPR protects European citizens
• Even though it grants rights (access, portability and erasure), the CCPA is still based on opt-out
• It applies to businesses in the state that meet one of the following conditions: annual revenue over $20 million, purchase or sale of personal information from at least 50,000 consumers, and over 50% of annual revenue from selling customers’ personal information.
• Finally, the CCPA brings penalties of up to $7,500 for each violation (note that the GDPR imposes fines of up to 4% of the total annual turnover).

Due to become effective in 2020, the CCPA is not an “American GDPR”. It hardly makes any reference to the concept of consent, which is actually not a prerequisite for collecting personal data. However, the CCPA is on the same page as the GDPR, since it enshrines the principle of transparency and milestones, bearing in mind that California actually has the world’s fifth largest economy. Consequently, the Act will influence the major corporations in the digital economy to change their practices.

China: the other perspective on personal data

There is no way that you can talk about personal data protection without mentioning China’s standpoint, because not only does the country have 1.4 billion inhabitants, but it also has a fast-developing digital ecosystem attracting scores of foreign businesses. Although China had taken various steps over time to protect personal data, those measures mostly only concerned specific cases, such as telecoms firms and public institutions.

The situation changed on 1 June 2017 when China enacted a cybersecurity law. The law contains 79 articles and bears a number of similarities to the GDPR, since it refers to the need to establish rules on how personal data are collected and used, and those rules must specify the aims pursued.

It is also worth noting that the law covers the storage of personal data and data transfers outside China. Although the dividing line between the challenges of digital sovereignty and personal data protection is blurred, the Act covers the principle of explicitly informing data subjects if their data are going to be collected. This gives the impression that Europe’s best practices are a good match for China’s data protection needs.

A global topic spreading at breakneck speed

Although the GDPR and CCPA are making plenty of headlines, the topic of personal data protection has truly become a global issue. Canada is planning to review its Personal Information Protection and Electronic Documents Act in line with Europe’s GDPR, India is putting the finishing touches to its Personal Data Protection Bill, and the UK has published its Guidance on the Use of Cookies and Similar Technologies.

This list is far from exhaustive and confirms that more and more countries around the world are considering personal data to be sensitive material whose collection and use require a framework. Brands will need to learn how to build trust in this ever-changing landscape.

Cookies: bad news awaits

From Europe to China including the United States, managing consent is now subject to strict guidelines – or soon will be. This new set of regulations will inevitably prompt users to increasingly weigh up the value of their consent. This is not the only variable that is changing in the equation for marketing directors. Things are also happening in the technology world…

ITP 2.2: Apple piles on the pressure…

Apple has set its sights on championing personal data protection and set the tone as early as 2017 with an initial version of its Intelligent Tracking Prevention feature. Embedded in its Safari browser, this cookie filtering mechanism has clearly become tougher over time. Whereas the initial version limited the lifecycle for third-party cookies to 24 hours, subsequent versions have practically reduced that figure to zero. Remember that a third-party cookie is associated with a different domain to the site being visited. In other words, these cookies can be used to track visitors from one site to the next. What that actually means is that without these cookies, retargeting and programmatic advertising become so hazardous that some marketing professionals have banished Safari from their campaigns.

The latest version of ITP to date (2.2) goes further still by attacking first-party cookies, i.e. those associated directly with a website. The measure targets a specific type of first-party cookie that is sometimes used to bypass the restrictions on third-party cookies. With ITP 2.2, these cookies can only be tracked for 24 hours, which is (too) short for monitoring a user’s journey, especially with a view to assigning them to users. This is not a trivial matter for a browser with close to a 30% share of the mobile market.

Phoenix from Commanders Act – Or how to extend the cookie lifecycle in Safari

Marketers are facing a real dead end with the prospect of first-party cookies being deleted in Safari after 24 hours. To give you some idea of the impact, when first-party cookies are erased, a tool such as Google Analytics cannot aggregate two sessions for the same user if the interval between both sessions is more than 24 hours. That is a problem, which explains why Commanders Act incorporated the Phoenix module into its TagCommander TMS in October 2019. This technology saves cookies in a cookie server, so that they can be retained for more than 24 hours (up to 13 months in practice). When applied to TrustCommander, the Commanders Act CMP, Phoenix spares users the well-known inconvenience of being prompted to give their consent for each session, since a CMP cookie has every chance of being deleted by Safari by default.

Firefox is also getting involved

Firefox Version 76 was released with the Enhanced Tracking Protection (ETP) functionality. This mechanism is designed to block third-party cookies. Note that Facebook comes in for special treatment, since Firefox prevents the social network from tracking a user’s journey via the Share and Like buttons on other websites.

Chrome: the unknown quantity

So where does Chrome stand in all this? The response is expected with a certain amount of trepidation, given the market share owned by Google’s browser. One thing is for sure: the firm is working on a privacy framework, and a rough draft was published in the summer. This document is presented as a proposal to give everyone something to think about, but it portrays Google as a global hub for collecting consent, which is definitely stoking fears. Google is already changing how users can manage their settings by making the feature more prominent and legible in the latest version of Chrome.

Takeaway

What can you take away from the spate of new regulatory frameworks and technical constraints?

• For most organisations, the topic of collecting consent online is still a major work in progress. The process of moving into alignment with CNIL’s new recommendations by July 2020 will require businesses to take their data collection methods back to the drawing board.
• In the wake of consent, the technical constraints restricting cookies’ scope of action will prompt an investigation into ways of maintaining a stream of data that is of sufficient quality for exploiting.

More generally, the idea is gaining traction that managing consent is no longer a topic that marketing professionals can simply delegate to the legal or technical operations department, but a cornerstone of the marketing strategy.