Website cookie consent changes 2022

The Key changes to website cookie consent in 2022 are:

• The consent used for all cookies on 80% of EU websites may be invalid in six months. (Note that some of the current consents and permissions may be unlawful now.);
• Consider taking steps to stop using Google Analytics or identify alternative means for gathering analytics data;
• Effective immediately, Google Analytics should not be used in France or Austria, with other countries close behind;
• Regulators are beginning to take a firm stance on transfers to the US; and
• The threshold for setting supplementary measures that effectively protect data from FISA 702 or the CLOUD ACT is high.

There has been a recent trend where regulators are finding against various aspects of how website operators manage their domains. It is evident that a shift in how the online space functions are coming sooner rather than later as we see the method of consent gathering that 80% of EU websites being found non-compliant. As well as this, two regulators have deemed the use of Google Analytics unlawful, with others soon to follow suit. We have reviewed these findings and broken out the key points and actions you should consider.

Background to website cookie consent changes 2022

The Transparency and Consent Framework (see more about TCF here) is an advertising industry framework to help publishers, agencies and advertisers to meet their transparency and consent requirement under GDPR. It is a framework issued to manage consent for 80% of EU websites. See the further reading section for some brief information on how TCF works. It was established by IAB Europe, the European-level association for the digital marketing and advertising ecosystem that develops standards, policy, and undertakes research in those fields.

Closely linked to TCF is the use of Google Analytics. After the Schrems II judgement in 2020, NOYB issued 101 complaints to several regulators on using cookies. These have culminated in decisions by the French and Austrian regulators where it was found that Google Analytics is unlawful.

What happened?

What do cookie consent changes mean for you?

These cases represent the new enforcement focus for many DPAs – "Cookie consent" and "third country data transfers". This focus will impact nearly every company that has an online presence. Essentially it means that the online world of business is poised to change.

What do you have to do?

When do you have to do it?

Conclusion

The digital world is changing as regulators become more active in enforcing the human right to privacy. Many organisations may need to change how they do business online, including how they market and sell. At present, the impact on Irish firms has yet to be fully felt, but it is a sign of things to come, as seen with the recent (21/02/2022) announcement of a draft decision by the DPC to stop Meta sending EU data to the US. As for the proper use of cookies and transparency, there appear to be some inconsistencies; the Belgian authority saying there must be a "reject all" and the DPC in their cookie guidance saying a "manage preferences" is acceptable. We are of the opinion that the former will prevail, and each consent management platform must have a reject all on it, but also allow users to go back and manage their preferences.

Organisations need to begin looking for alternatives to third-party cookies and reimagining their online presence.

Further reading

Transparency and Consent Framework Ecosystem

The  is a brief document designed to give an understanding of how the Transparency and Consent Framework (TCF) operates. For more information, please talk to your website developer or see the IAB Europe's website.

Main Parties of TCF

1. Publishers — Parties who make advertising space available on their website or in their application and who are in direct contact with users whose personal data are collected and processed. A publisher may provide a CMP on its website or in its app to enable it to seek and manage the consent of visitors/users to the processing of their personal data and to facilitate the operation of TCF. Publishers decide which adtech vendors may collect data through their website and process their users' personal data (and/or access their devices) and for what purposes.
2. Adtech vendors — Companies that receive personal data from publishers in order to fill advertising spaces on publisher websites or in publisher apps, such as advertisers, SSPs, DSPs, Ad Exchanges, and DMPs.
3. Consent Management Platforms — Specifically for TCF, there are also companies that offer so-called "Consent Management Platforms" (CMPs). Specifically, a CMP takes the form of a pop-up that appears during the first connection to a website to collect the Internet user's consent to the placement of cookies and other identifying information.

How the “Framework” works

1. User accesses webpage or app belonging to the publisher
2. Website or app activates a consent management platform (chosen by publisher)
3. The consent management platform checks for "eu-consent-v2" cookie on the user's device through the "consensus.org" domain
4. If there is no cookie identified or if there is an update necessary, then the consent management platform will show the permission UI
5. The user clicks "accept all", "reject all", or "save" in the consent pop up
6. The consent management platform generates an "eu-consent-v2" cookie to update the user's preference

Are you using the TCF?

Approximately 80% of websites in Europe rely on the TCF. To find out if a website does, you can search for the cookies mentioned above or get in touch with the website developer.