Should the EU pivot on cookie consents?

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition, advertising and music for decades and I’m now a pundit writing for The Monopoly Report. I’m hosting another ASK ME ANYTHING session this Friday, May 30 at 11:30am EDT.

Our latest Monopoly Report podcast is out with part 2 of my interview with Dennis Buchheim of Think Media where we talk about the future of addressability and how to create ad standards which are both principled and fair…. and all the political stuff w/in the ad space that makes those things challenging. 

Privacy & Competition by the Bay

I spent last week in San Francisco at the NAI summit - talking about the synergies between antitrust and privacy law in the ads space with Deputy Assistant Attorney General Mark Hamer. Mark leads the DOJ antitrust efforts against Google in the ad tech case and gave a fascinating overview of how effective antitrust enforcement can have a positive impact on a marketplace. While Mark was careful not to spill the beans on the specifics of DOJ’s cases against Google, he came off as a man who is dedicated to his end goal - and confident that he and his team will succeed.

There’s definitely a new group of sheriffs on the antitrust beat in the U.S. You want proof? Look no further than FTC Commissioner Mark Meador’s recent article. It’s worth a read. In my view, Commissioner Meador’s piece comes off as a clear repudiation of the pre-2016 era’s laissez faire approach to antitrust enforcement. Criticizing Robert Bork was as unthinkable as critiquing Ronald Reagan just a few years ago.

Yet here we are….

Meanwhile, in Europe…

On day two of the NAI event, I gave the morning keynote - to provide my perspective the privacy challenges we’ve faced for the past two decades as we move towards an era of unprecedented change in ad tech.

I noted that one of the most evergreen regulatory challenges involves the EU approach to cookies. As far back as I can remember, we’ve had a myriad of policymakers in the EU saying that: (a) advertising using cookies are illegal in Europe and/or (b) they require affirmative opt-in consent.

I’m not sure there are many people currently working at EU publishers who can even remember a time where their local regulator wasn’t insisting on consent for cookies. In case you haven’t been working in digital media for 20+ years, here’s some background….

A brief history of EU Cookie Consents

One of the quirks of EU data protection law is that the GDPR is only part of the story. The GDPR “only” places rules around the processing of personal data. It’s Section 5(3) of the ePrivacy Directive that focuses on the use of HTTP cookies and similar tracking technologies. The ePrivacy Directive dates back to 2002 and has effectively been updated at least twice. With each update, one or more entities in the EU have declared that targeted ads are illegal and/or that they require a consent:

• 2002 - ePrivacy Directive enacted - cookies required consent, but default browser settings (i.e., allowing cookies) could be valid consent (just don’t tell regulators)

• 2009 - ePrivacy was updated to clarify that advertising cookies require consent. Due to the nature of EU directives, there remained some inconsistency around how consent was interpreted across EU member states.

• 2018 - ePrivacy’s definition of consent was updated so that the GDPR gold-standard consent was required for the placement of cookies.

After all this time, and all those warnings, one might think that one of three things would have happened: EITHER (1) the marketplace would be generally in compliance, (2) EU regulators would start issuing fines against pubs, or (3) SOMEONE over there would ask whether the current ruleset was actually working.

But outside of a few fines against Google and others in big tech, the above didn’t happen. Rather, the EU has opted for door #4.

EU Regulators keep sending compliance warnings

Over the past couple of months, three different EU data protection regulators conducted cookie compliance sweeps or issued the same ‘ol cookie guidance to their marketplace:

(1) Germany – Hamburg data protection authority, Swept 1,000 websites and found a bunch of the sites failing to adequately disclose and obtain consent for third-party trackers.

(2) Netherlands – the Dutch Data Protection Authority (AP) notified 50 organizations that they must adjust their misleading cookie banner or to stop intrusively tracking their visitors or else they’d face an investigation and potential fines.

(3) Norway - the Datatilsynet issued guidance on how to obtain consent for the use of cookies and similar technologies in line with data protection regulations.

But that’s just in the past month or so. I’ve forgotten how many different times EU regulators have told the marketplace in no uncertain terms that cookies require a consent. And yet, they continue find a significant percentage of website operators out of compliance with the rules. That’s not patience - it’s madness.

Nonetheless, many Publishers remain out of compliance

We are exactly seven years into the GDPR and EU regulators are still doing cookie sweeps and issuing non-compliance warnings. And that ignores the fact that many regulators (e.g., France, Italy, Netherlands, UK) have taken this view going back over two decades.

With that in mind, here are a few (potentially controversial) thoughts:

• If a large percentage of website operators (not to mention mobile apps and CTV pubs) are out of compliance with a law after all this time, perhaps its time to reevaluate the law.

• I recognize that EU data protection regulators might be reluctant to enforce directly against publishers located in their home country for a whole host of reasons.

• Pressuring publishers to adopt more and more stringent consent mechanisms is creating friction on publisher revenues at the very time many of them are struggling with traffic numbers falling off a cliff.

• It’s the publishers’ responsibility to properly configure a CMP in order to get a consent. Coming after ad tech companies because you can’t or won’t come after publishers defies logic.

• Privacy is a fundamental right in Europe, but it shouldn’t be the ONLY consideration. Lots of bad stuff can happen if publishers (particularly news publishers) are no longer around to inform the population because they can’t keep the lights on.

• Before you dismiss me as some dumb American who doesn’t understand EU data protection - consider these questions: To what degree are all those consent boxes protecting consumers? To what degree are they just annoying them? Is it possible that there’s a better way to achieve the larger privacy aims?

• I’ve intentionally not weighed in on the IAB EU TCF kerfuffle with Belgium- at least not on these pages - because the entire controversy comes off as another group of smart people deliberately talking past one another.

It’s time to rethink the cookie consent rules

I keep hearing discussions of revamping the GDPR. I hope for the sake of the publishing industry that this revamp includes the ePrivacy Directive. As of today, the hyper focus on “consent for everything” that permeates the EU data protection ruleset is undermining its ability to foster a vibrant marketplace for news and premium content.

After two decades, it’s time to admit that the status quo of consent just isn’t working.

__________________________________________________________________________

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.