Cookies, Consent and Tracking:

What the new CJEU rulings mean and how it could impact your business

Join David McInerney, Commercial Manager at Syrenis and Tim Flagg, Founder of Advantagious, as they discuss Cookies, Consent and Tracking: What the new CJEU rulings mean and how it could impact your business. This webinar session was hosted by the Data Protection World Forum on 27th November 2019.

Video transcript

Tom:

Hello everyone and thank you for joining today's webinar on Cookies, Consent and Tracking; what the new CJEU rulings mean and how it could impact your business. My name is Tom from Data Protection World Forum and I'm pleased to introduce today's speakers, David McInerney who is the Commercial Manager at Syrenis and Tim Flagg who is the Commercial Lead at Smesh.

David has a background in Commercial Development of Software as a Service (SaaS) Solutions and is responsible for nurturing Syrenis’ global enterprise customers. A significant part of his role is to educate and inform businesses on the changes and challenges of the data privacy landscape and the possible solutions to turn data compliance into data intelligence.

Tim is passionate about making targeted advertising more effective without relying upon cookies. Tim is a co-founder at Smesh, using machine learning to create next-generation contextual targeting and brand safety. Tim was co-founder at Advantageous, empowering consumers to take control of their personal data. Before that, Tim set up IBM online and an AdTech partnership with the IDM which trained hundreds of professional marketers around the world. He's led marketing teams for global brands such as Zipcar, NBC Universal, BBC Worldwide and McCann Erickson. And with the introductions complete, I'll hand over to David's kick-off presentation.

David:

Thank you Tom, good afternoon everybody, and welcome. This is the first of a series of webinars that we're planning on running, but today's topic, as Tom said, is about Cookies, Consent and Tracking and what the recent CJEU Rulings mean for you and how it might or could affect your business. Firstly, I'm going to hand over to Tim who's just going to ask a general question and get a poll going, so Tim, over to you.

Tim:

Thanks a lot again, it's great to be here and thanks for the intro earlier on as well Tom. Before we kick off and get into this, I wanted to get a sense of how knowledgeable you all felt you were about recent data protection laws. My background as a marketer is that I've had to get up to speed a lot over the last couple of years on data protection and I think that's something which, you know, a number of different industries have found, that we have to learn, we have to actively go out there and be keeping up to date with a rapidly changing series of pieces of legislation coming out. So, just to kick this off, it'll be really useful if you can give us a sense of how knowledgeable you are about the recent data protection law, and it's fine to be honest, you know, we're not going to be publishing this or using this or anything, it's just to get a percentage.

I'll give you a couple more seconds to fill in which of those options you feel best represents how you're feeling about data protection laws and I'll show you the results as well. And as I say, this will just help us to be able to tailor what we're going to be talking about later on today, and so let’s take a look there. So, okay, that's good, I think there's a strong, good and somewhat understanding levels about the data protection laws, and looking at some of the registrants I think we've got a real mix today of people coming from a data protection background, as well as people coming from industry, and I'd say that what we're going to try and do today is, as David explains more about what the recent ruling means, I'll be trying to jump in and give us a business and a marketing perspective as well and to contextualize that. So David, was this the kind of results you were expecting? There’s quite a lot of understanding there.

David:

Yeah well that's good, we're not going to get into the technicalities of the legislation I think it's just more of something to spark a conversation or to begin a conversation with people so do you want me to take it back then Tim?

Tim:

Yes please, over to you

David:

So, October 1st I guess was a big day for everybody. The Court of Justice published its new ruling and new findings, and basically, I'm not going to read out all of these slides, but basically the legislation said that a pre-ticked box is no longer valid and that it's the requirement or that you have to have an affirmative consent, to be able to place or prior place cookies on people's domains. So, according to the CJEU, the use of a pre-ticked box makes it practically impossible to clarify if somebody's objectively or whether they’ve given actual positive consent, and to give up or access their personal data. And this all falls around the Planet 49 Ruling, where they had a pre-ticked box and I think there was a lottery to enter the website.

The CJEU Ruling states that users must now explicitly consent to the use of cookies, that cookies should be explained so users can make an informed decision. So, nothing over-legal, simple English, easy to understand and for the end user to be able to give positive consent.

Cookies should be default off, unless they are strictly necessary, so the days of being able to pre-tick a box in the same way that you would gather consent under GDPR, and the same ruling applies for cookies prior to you placing them on somebody's browser.

The business impact it's not just about the cookies, the ruling applies to other technologies that you may use across your website and as the custodians or the owners of your website, you ultimately have the responsibility of everything that's on there and everything that you place on somebody's browser. So your first and third party cookies are critical to that, but also tracking mechanisms or additional applications that you might place onto somebody's cookie. So Facebook, YouTube etc, it's your shop front at the end of the day and it's your window to the world and you are ultimately responsible as the website owner in terms of the technologies that you place on people's browsers.

Tim:

So if I could just jump in there as well, I think one of the things that I've found when I've been going into marketing businesses is that there's often a big legacy of tracking technologies which exists on those websites, and this is often, you know, that people have just put cookies on to the website and forgotten about them and then that marketing person has left. And I mean there's a real sort of audit process which needs to be done on a lot of still very big websites which haven't done this year, where there's hundreds of cookies there which nobody really knows what they're doing anymore. And I remember walking into companies and asking, you know, the marketing team, like, do you know what these cookies are, and nobody would have a clue, but they're still live, they're still sending data to an ad tech vendor of some sort who is collecting that and using it. So I think almost, you know, one of the first things there is doing an audit so at least you’re getting a grip of knowing what's on the site.

David:

Absolutely, and you know, we come across the same scenarios when we're talking to clients or potential clients. It's the start of your consent journey, when somebody visits your domain for the first time, they'll access your site anonymously and it's an opportunity for a business, or an opportunity for an organization to actually put the right foot forward. You know, if you look at 99.9% of websites, nobody is compliant. We've produced white papers that show that evidence, that out of the top 100, 500 websites we found the messaging is unclear and there is prior placement of cookies without consent. We’re engaged with organisations who are looking at legislation and looking particularly at the CJEU Ruling as something that's positive and something that they can take a lead or an advantage over their competition, because they're laying out their stall if you like, in a sense of, we're open, this is what we're doing, this is why we need to do it, well, this is what we're going to do with it, and to give that choice and to offer that messaging in a transparent way which will strengthen their brand and start that consent journey in a very positive and open way. So you know, it’s not about the cost or the charge or a fine that might be levied by the ICO in the UK for example, it's about the impact to your business in terms of that brand reputation and that of not having that second chance to make that first impression. So we're engaged with the organizations that are looking to market consent, and to do that effectively with their data subjects, and as it says on that slide there, the cost of not being compliant is far greater than it just being a fine levied by the ICO.

Tim:

David, can I just ask you what your experience is there? When you get involved with the C suite, have you noticed that there's been a change in the way that they are taking this seriously as an issue now? I mean, I just remember going back a couple of years, it was very hard to get the C Suite to talk about things like data security, data privacy, even trying to bring together two different legacy databases and merging them so you had one cleansed database which is up to date, but have you found that over the last couple of years now that's really changed and that the C suite is more aware and willing to invest in these sort of solutions?

David:

Absolutely, I think Data Privacy as a general topic is something that is being discussed and it's not just on the fact of, what is 4% of our revenue globally, it's not about that impact, it's like I just said, it's about that brand reputation and it's about sort of setting that organization, setting their store out to say, we're open, we treat your data with respect and you can trust us as a brand and this is why we need the consent or therefore, we're gaining the consent, and this is what we're going to do with the information.

We've done a lot of work with Gartner over the last 18 months, and there's a really good quote from one of the analysts that we've been working with, and I will read this out, he says that:

Simply put, customers today are more inclined than ever to cross the road over to the competition and in some cases will pay a premium if that's where they believe their personal data will be best cared for.

I think that that demonstrates, particularly if Gartner are using that as a quote in the presentations that they do, that is something that's been discussed at C level and that something that needs to be, you know, that general mission statement or mission value of a business trickles down to the marketing departments and the people that are actually placing those cookies, innocently in some cases, onto a domain. It can have a big effect or a big impact on your customer base.

So, there is a business opportunity to this, it's not all doom and gloom. I think the opportunity, and certainly the organizations that we're engaged with, are looking at it from that trust element and actually establishing out and retaining that customer, so that if that customer trusts your brand and trusts the message that you're relaying, then they're more likely to stay loyal and you're more likely to engage deeper with them and they'll stay longer with you as a customer. The unquantifiable or the intangible there, is that how that trust or how has your brand increased in terms of its trust and it sets aside you as an organisation from your competition. We can see that people are waiting maybe for fines to come in terms of cookies. They're already coming into Europe, I think the Spanish ICO equivalent have fined a Spanish airline and we've had the Planet 49 Ruling. It's the easiest thing for the ICO or similar organisations to actually be able to run a scan on a site and to see what cookies have been placed onto a browser without consent. They don't need to go and get a court order to come and doorstep and investigate you, they can do a lot of preliminary work in and assess what that first stage of a consent journey actually looks like. It should be every organisation's priority to see what cookies they have within their domain existing, and then have a solution in place that offers that traceability, that transparency and that choice to their end user so they're confidently and competently engaging with their audience and starting that consent journey often in a positive way.

Tim:

I was just going to say this feels a lot like the DPAs are starting now to become a lot more active in upholding some of the GDPR. There's been this sort of hiatus almost, whilst we knew that they were going to do something, and the question was are they going to go off after the big scouts, you know, Google and Facebook, I think they’ve already had quite a few issues lodged against them, but are they going to go after some of the bigger companies? I suppose the thing we're still trying to see is whether those DPAs go to the ICO here in the UK, or if they're actually going to go after some of the smaller companies for breaches of GDPR. What I've heard a lot, and I'd be interested to know whether you found this as well, with some of your clients, I think that when you initially approached them they say ‘oh, we're too small for this to be an issue’, where you'll talk to the CEO and you'll explain the risk and they'll say ‘oh it's fine, they'll never find us, they'll never bother with us, we're too small’, and they might be a £10/50 million turnover company. Is that something you've found? And how have you framed the risk to them in a way that maybe makes them take action?

David:

We deal with a broad selection of SMEs, through to enterprise and you're right, everybody is affected, if you're handling data then it doesn't matter the size of the organization, you're still liable under the law. The law is the law isn't it at the end of the day?

Tim:

Yeah

David:

When GDPR came to be enforced 18 months ago, we did have those kinds of conversations with people that, yes, of course it affects you because you're handling data. I don't think we have that conversation as much, and as an organization we've never really had to sell our services or our solution out as something that ‘prevents’ or say if you’re investigated and ‘the fine is going to be ‘X’, introduce our platform to prevent that happening’. Our platform allows people to, I guess, pre-empt that and prevent it ever happening because it does offer that transparency and choice, which I keep on saying, but it's true, the platform allows you to do that. We engage with organizations that recognize or see it as something positive and something that can gain market advantage by implementing. So to a lesser extent, when we have had those conversations historically, but to a lesser extent more recently, really I think people understand that the legislation applies to them and if they're handling data or personally identifiable data then it applies to them.

I think it is changing really and I don't know how this affects you Tim, but as consumers become more aware of how organizations are using their data and they become more informed about what their requirement or what their rights as an individual are, then they potentially will look to see how that organization that they're interacting with, respects the legislation and which side of the fence they're on, in terms of, ‘are they being open’ and true about it or are they on the wrong side of the fence. I mean, I don't know if you have experience of consumer knowledge actually driving change within the corporate world?

Tim:

Yeah, with this I think it's one of those instances where for so long, the legislation on those privacy has been behind the technology and then we've suddenly had this massive leap forward and the legislation is now ahead of consumer adoption, and what I mean by that is that, it's great but we have these laws in there but if once we've done surveys and focus groups talking to the men and women in the street, they're not really aware so much of the ins and outs of their rights. They quite like the idea when you explain it to them, but up to that point they were blissfully unaware, we know they find it more an irritation around having these cookies, cookie consent banners popping up all the time. And one of the things I had more than anything was even there one way that I can simplify that whole process because to the consumer, the UX, the user experience, it's pretty terrible, you're having really different windows, different websites and different types of questions, there doesn't seem from their perspective to be any consistency either in the format, the questions or indeed sometimes on the same website asking for consent several times. I think they're quite baffled and a bit frustrated by it, but they don't really understand the super power that they've been given. Now that's not to say in a year or two's time, I truly believe that the consumers will start to be much more active, and of course we see though a number of developments here, there's Google to announce their privacy sandbox, and they're opening up Chrome to developers and they're saying effectively, look, come in, use Chrome and build privacy plugins and that will allow individual web users to take control of their personal data and do cool stuff with it. It's really up to those developers coming in now to define what that is.
You’ve got things like Brave as well, and from the guys who run Mozilla, which is, as well as you know, empowering these consumers to take control of the data, but from my perspective, it's still quite early days, but I've got no doubt that eventually whether that be in three years or five years probably no longer than that, the consumers will have this awakening and they'll start to want to take hold of it. But right now, there isn't an easy way for them to do that.

David:

Yeah, you're right, I guess until the ICO in the UK, start to levy fines against people for not gaining that positive consent before placing cookies then, ‘so what?’ I think is the attitude with a lot of organizations, it's a case of nobody else is getting fined, so we'll sit on our hands and wait until somebody does, and then we'll go and find a solution that solves that problem.

We’ll see how that pans out in the coming months, but I think that as GDPR changes, and we're eighteen months into it now, it's something that's constant and ongoing isn't it? As rulings come out and further layout and guidance in terms of what should be done, it's an evolving thing isn't it? I think one statement that we can make that is true is that legislation isn't going to get any less stringent in the coming years, in fact, it will tighten and will sit more in favour to the consumer than it will to the corporate world. So, in that sense, GDPR is the baseline standard, and anything that comes after that, it's not going to go back to pre-98 days, it is the framework we’ll be working from.

Tim:

And of course, we've still got the e-privacy regulation hovering over us, we don't know when that's going to land now. Is it going to be 2021/2022? And the Finns have taken over the EU Presidency and they're talking much more robustly about implementing the original language, I think it's Article 10, that originally said they wanted to block third party tracking cookies by default. That was taken out by the previous Presidency but the Finns are now talking about maybe bringing back the spirit of that in e-privacy, but there's been so much lobbying from publishers, that nobody really knows where this is going to land, but I think you're right, that when that is cleared up that will be a significant challenge. And from my perspective, what I call it is the cookie winter. I'm looking at this from an advertiser perspective and in advertising we want some way of being able to target individuals. Historically, there's two ways of doing that: one, you place ads on pages because they're relevant for the person you're trying to reach, or you track that individual and learn loads of stuff about them using cookies and then you target an ad based on that.
And that whole cookie based approach is entering its winter phase. I mean, I’ll get into some of the more technical side of it later, but I think the legislation is part of that and this had massive repercussions for any business which does any form of advertising really. So, it’s another way in which businesses and the C suites need to be aware of this and I think it caught a lot of businesses a little bit on the hop, maybe in the same way that GDPR did, when a lot of C Suites weren't really thinking about, ‘it wasn't on my radar’, and then suddenly in May, all the data privacy experts were frantically busy trying to get everything sorted out in record time, and I wonder whether we're heading into that same situation, but maybe we don't have the hard and fast date for this cookie winter, but there's a number of different elements to it.

David:

Absolutely, we found, with the greatest respect to any lawyers that are on the call, that the lawyers won out last April in terms of, we need to reconsent emails that were sent out in their thousands to everybody and at a point, I certainly stopped replying to them so that killed that particular company's database. I would have thought, in the same way, that cookie pre-banners that are popping up on pages as you visit domains, it's the process really isn't it, and I guess you're right in terms of that cookie winter is a good analogy of how you’ll be entering into a dark phase really, and will come out of it at some point once the legislation and lobbying is finished.

Tim:

David, to what degree do you think that it's the good guys that are going to be punished here? Because if you're a good guy or girl, and you're trying to do the right thing, you're trying to put your cookie consent in place, then actually now you'll say, ‘well hold on, now I'm going to get beaten up because my cookie consent isn’t right, I tried, but I've got it wrong, at least I'm trying to do something’, and we know there's a whole load of bad players out there, who haven't even bothered to do the audit that we mentioned, the cookies on the website, well they haven't even bothered to put in place any sort of cookie consent or one which is very good, and those bad players are getting away with it, and there’s the good guys saying, well we're investing money, trying to get it right, but we're getting beaten up.

David:

I don’t know whether it has had an impact on their business in trying to do it the right way. There are some horror stories out there, where you go through a consent journey and decline cookies and find that more cookies are placed so you've gone through that whole process you've rejected everything but still find that you've got a couple of hundred cookies sat on your browser and they're not isolated incidents of that happening. I think if an organization is demonstrating that they're doing something in terms of an interpretation of the legislation I would find it grossly unfair if they were to be penalized for it. I think organizations that have embraced legislation and are adhering to legislation, and demonstrating to their end users that they understand the nuances of the legislation, towards their customer and they're being open and transparent about it, then I think that there's evidence to show that the brand is strengthened and they've got an increased reputation in terms of there's no negative press against their data privacy policies and I’m not sure whether that answers your question Tim, but I don't see that people are penalized for trying to do the right thing and I think it would be grossly unfair if they were to be honest.

Tim:

Yeah, absolutely and to relate to that, within the organisation I suppose one of the key things to resolve is ultimately who is responsible for sorting this out, we talked about the C-suite a lot, but actually we now come down a level below that which department is it, who's responsible for this? Historically, maybe you would have expected it to be the IT team, but now there's also a technology team, who might be being involved and slightly different, marketing have made a massive land grab as we mentioned earlier on, and of course now, most organizations should have a DPO or maybe even more Data Protection professionals working in the organization. So, where do you see the responsibility lying for sorting this out and so following the latest ruling such as the CJEU and making sure that it’s communicated in the organization.

David:

That’s a really interesting one Tim, because I think it's changed over the last 18 months or so. I think initially we were talking to IT departments and the people who were responsible for the handling of that data, maybe feeding into a CRM system, but more so recently we're finding that if we're not engaged with organizations that have a steering committee as an example, that had all of the departments that you've mentioned and somebody from legal and finance involved, then it's not going to be implemented or it's not going to be reflected properly within the organization. I think for data privacy to be properly handled and properly implemented within an organization, it needs to have the buy-in of the whole business, and it needs to form part of the business's ethos or mission statements and they actually need to sort of live by that really, in terms of their openness and how transparent they are about what they are doing with that data. I guess for me, if we're not talking to at least five departments within an organization, then there isn't that change or there isn't that respect of the data, it's just being lumped onto one person in the department and they don't have the teeth to actually implement the change or highlight to the business what the impact would be, then it's not going to be treated with the respect that it should be. Like I’ve said, if we’re not dealing with multiple people within an organisation, then it’s not being taken seriously by that organisation.