Some people might have believed that the whole GDPR topic (General Data Protection Regulation) was already yesterday’s news, that the GDPR had had its 15 minutes of glory before being consigned to the archives. Rightly so: organisations based within the European Union (EU) – or those processing personal data belonging to EU citizens – saw the application of the GDPR on 25 May 2018 as a key deadline, in other words, an event with a before and an after. In fact, the GDPR ushered in a whole host of new features and developments, along with new and reinforced rights, including the right to access, the right to rectification, the right to erasure and the right to data portability, without forgetting consent. Without forgetting… well, nearly.
In alignment with the GDPR, the process of storing cookies or activating any other tracking mechanism will be subject to obtaining consent that is freely given, specific, informed and unambiguous. Basically, CNIL is taking a hard line. Therefore, interpreting the user’s decision to continue browsing the website as a sign of consent or using pre-ticked “Accept all” boxes will be relegated to history. By July 2020, the idea will be to give users a balanced and informed choice so that they can agree or refuse to give their consent with the same degree of ease. What impact will this have on the process of obtaining consent? It is hard to predict how the situation will evolve at a time when only 37% of consent is collected in an explicit manner according to the second edition of the Commanders Act Privacy Barometer. But it is already clear that this new way of “presenting” consent will give users a lot more food for thought…
Although Europe plainly set the tone with the GDPR, it is far from being the only one in today’s world that has rolled out a series of measures to protect personal data. In the USA, California waded into the topic with the “California Consumer Privacy Act” (CCPA). Since it was adopted in June 2018, the bill has inspired a dozen other states and could also give the federal government a few ideas. The CCPA’s scope of application is more restricted than the GDPR for several reasons:
Due to become effective in 2020, the CCPA is not an “American GDPR”. It hardly makes any reference to the concept of consent, which is actually not a prerequisite for collecting personal data. However, the CCPA is on the same page as the GDPR, since it enshrines the principle of transparency and milestones, bearing in mind that California actually has the world’s fifth largest economy. Consequently, the Act will influence the major corporations in the digital economy to change their practices.
There is no way that you can talk about personal data protection without mentioning China’s standpoint, because not only does the country have 1.4 billion inhabitants, but it also has a fast-developing digital ecosystem attracting scores of foreign businesses. Although China had taken various steps over time to protect personal data, those measures mostly only concerned specific cases, such as telecoms firms and public institutions.
The situation changed on 1 June 2017 when China enacted a cybersecurity law. The law contains 79 articles and bears a number of similarities to the GDPR, since it refers to the need to establish rules on how personal data are collected and used, and those rules must specify the aims pursued.
It is also worth noting that the law covers the storage of personal data and data transfers outside China. Although the dividing line between the challenges of digital sovereignty and personal data protection is blurred, the Act covers the principle of explicitly informing data subjects if their data are going to be collected. This gives the impression that Europe’s best practices are a good match for China’s data protection needs.
This list is far from exhaustive and confirms that more and more countries around the world are considering personal data to be sensitive material whose collection and use require a framework. Brands will need to learn how to build trust in this ever-changing landscape.
From Europe to China including the United States, managing consent is now subject to strict guidelines – or soon will be. This new set of regulations will inevitably prompt users to increasingly weigh up the value of their consent. This is not the only variable that is changing in the equation for marketing directors. Things are also happening in the technology world…
Apple has set its sights on championing personal data protection and set the tone as early as 2017 with an initial version of its Intelligent Tracking Prevention feature. Embedded in its Safari browser, this cookie filtering mechanism has clearly become tougher over time. Whereas the initial version limited the lifecycle for third-party cookies to 24 hours, subsequent versions have practically reduced that figure to zero. Remember that a third-party cookie is associated with a different domain to the site being visited. In other words, these cookies can be used to track visitors from one site to the next. What that actually means is that without these cookies, retargeting and programmatic advertising become so hazardous that some marketing professionals have banished Safari from their campaigns.
The latest version of ITP to date (2.2) goes further still by attacking first-party cookies, i.e. those associated directly with a website. The measure targets a specific type of first-party cookie that is sometimes used to bypass the restrictions on third-party cookies. With ITP 2.2, these cookies can only be tracked for 24 hours, which is (too) short for monitoring a user’s journey, especially with a view to assigning them to users. This is not a trivial matter for a browser with close to a 30% share of the mobile market.
Marketers are facing a real dead end with the prospect of first-party cookies being deleted in Safari after 24 hours. To give you some idea of the impact, when first-party cookies are erased, a tool such as Google Analytics cannot aggregate two sessions for the same user if the interval between both sessions is more than 24 hours. That is a problem, which explains why Commanders Act incorporated the Phoenix module into its TagCommander TMS in October 2019. This technology saves cookies in a cookie server, so that they can be retained for more than 24 hours (up to 13 months in practice). When applied to TrustCommander, the Commanders Act CMP, Phoenix spares users the well-known inconvenience of being prompted to give their consent for each session, since a CMP cookie has every chance of being deleted by Safari by default.
Firefox Version 76 was released with the Enhanced Tracking Protection (ETP) functionality. This mechanism is designed to block third-party cookies. Note that Facebook comes in for special treatment, since Firefox prevents the social network from tracking a user’s journey via the Share and Like buttons on other websites.
So where does Chrome stand in all this? The response is expected with a certain amount of trepidation, given the market share owned by Google’s browser. One thing is for sure: the firm is working on a privacy framework, and a rough draft was published in the summer. This document is presented as a proposal to give everyone something to think about, but it portrays Google as a global hub for collecting consent, which is definitely stoking fears. Google is already changing how users can manage their settings by making the feature more prominent and legible in the latest version of Chrome.
What can you take away from the spate of new regulatory frameworks and technical constraints?
More generally, the idea is gaining traction that managing consent is no longer a topic that marketing professionals can simply delegate to the legal or technical operations department, but a cornerstone of the marketing strategy.