Website cookie consent changes 2022

The way in which organisations conduct business online, manage their websites, and design customer journeys is set to change, due to changes in website cookie consent across the web. The Key changes to website cookie consent in 2022 are:
  • The consent used for all cookies on 80% of EU websites may be invalid in six months. (Note that some of the current consents and permissions may be unlawful now.)
  • Consider taking steps to stop using Google Analytics or identify alternative means for gathering analytics data.
  • Effective immediately, Google Analytics should not be used in France or Austria, with other countries close behind.
  • Regulators are beginning to take a firm stance on transfers to the US.
  • The threshold for setting supplementary measures that effectively protect data from FISA 702 or the CLOUD ACT is high

There has been a recent trend where regulators are finding against various aspects of how website operators manage their domains. It is evident that a shift in how the online space functions are coming sooner rather than later as we see the method of consent gathering that 80% of EU websites being found non-compliant. As well as this, two regulators have deemed the use of Google Analytics unlawful, with others soon to follow suit. We have reviewed these findings and broken out the key points and actions you should consider.

Background to website cookie consent changes 2022

The Transparency and Consent Framework (see more about TCF here) is an advertising industry framework to help publishers, agencies and advertisers to meet their transparency and consent requirement under GDPR. It is a framework issued to manage consent for 80% of EU websites. See the further reading section for some brief information on how TCF works. It was established by IAB Europe, the European-level association for the digital marketing and advertising ecosystem that develops standards, policy, and undertakes research in those fields.

Closely linked to TCF is the use of Google Analytics. After the Schrems II judgement in 2020, NOYB issued 101 complaints to several regulators on using cookies. These have culminated in decisions by the French and Austrian regulators where it was found that Google Analytics is unlawful.

What happened?

Transparency and Consent Framework(TCF)

The Belgian regulator has found that the TCF is not valid and has fined IAB Europe €250,000 for non-compliance with the GDPR. Notably, it found that IAB Europe had:

  • failed to establish a legal basis for the processing of the TC String, and offered inadequate legal grounds for the subsequent processing by AdTech vendors;
  • provided generic and vague information to users through the consent management platform interface;

This essentially means that TCF is invalid even where website owners use it.

Google Analytics

The French and Austrian DPAs have concluded their investigations into the use of Google Analytics. They confirmed that the "unique identifier" used by Google Analytics to track the users of websites constitutes personal data. Google relies on standard contractual clauses (SCCs) with additional "supplementary" measures to transfer this data to the US. However, both DPAs concluded that Google would still be subject to US intelligence surveillance rendering these additional measures ineffective. This means that in France and Austria, the use of Google Analytics is non-compliant with the GDPR.

What do cookie consent changes mean for you?

These cases represent the new enforcement focus for many DPAs – "Cookie consent" and "third country data transfers". This focus will impact nearly every company that has an online presence. Essentially it means that the online world of business is poised to change.

TCF

If you have a cookie consent process that relies on TCF, then it means that all of the consents you have gathered may be invalid, and you will have to delete all of that data.

Whether you use a consent management process that relies on TCF or not, this case means that DPAs will evaluate organisations' use of cookies to ensure that they are transparent and adequately inform the data subject of how and where their data will be processed.

Organisations should ensure that when using cookies that:

  • They have made the data subject aware of their use,
  • Provide additional information on how they are to be used and,
  • Allow the data subject to reject the use of cookies (note there are inconsistencies with this and guidance from the DPC, more detail in conclusion) 

This reinforces an investigation that the DPC undertook on Cookies and other tracking technology in Ireland.

Google Analytics

By using Google Analytics, organisations potentially expose their customers to breaches of their human right to privacy. The DPC has not yet found this. However, the French and Austrians argue that "supplementary measures" are ineffective at protecting personal data due to far-reaching US surveillance laws. This renders the transfer of personal data to a company subject to FISA 702 or the CLOUD ACT incompatible with the GDPR, which means that anywhere you transfer data to an organisation subject to those items of legislation, you may be non-compliant with the GDPR.

What do you have to do?

TCF

The Belgian DPA has allowed IAB Europe to make changes to comply with the framework. If the Belgian DPA approves the amended framework, we can view it as a transnational Code of Conduct, and it would be possible to continue to use the framework. However, suppose the amended framework is rejected. In that case, the framework will be deemed illegal, and any consent data collected through it will need to be erased, and you would also have to find a new system for collecting and managing consent.

While we await the results from the reassessment of the TCF, you should take steps to provide users with more detail about how their data will be used and shared within the framework:

  • Assess of the transparency information you are providing is sufficient
  • Establish if you have gathered personal data based on a non-compatible lawful basis. These include legitimate interest or assumed consent
  • Delete any data that has been captured without an adequate legal basis
  • Prepare to move away from the use of a consent management process that uses TCF

Google Analytics

The French and Austrian DPAs have recommended that users of Google Analytics should begin switching to alternative software that does not rely on transfers to third countries with inadequate protection of personal data (i.e. the US). These are not yet enforced in Ireland, but it is only a matter of time. If you currently use Google Analytics, you should:

  • Assess the need of using the data at all
  • Begin to take steps to identify alternative means of capturing the data

When do you have to do it?

TCF

IAB Europe has been given six months to make the necessary amendments before reassessing its framework by the Belgian DPA. This means that the TCF can continue to be relied upon until the Belgian DPA concludes its assessment of the updated TCF, although steps should be taken to improve transparency.

Google Analytics

Google Analytics has not been given a transition period and has been ruled incompatible with GDPR. DPAs in other countries across Europe are currently investigating the use of Google Analytics and have shared their approval of the ruling and intended to have similar conclusions.

While the decision is not yet enforced in Ireland, the fact that several regulators have come to the same conclusion indicates that the DPC will not be far behind. Begin preparations for changing how you monitor and conduct your online presence.

  

Conclusion

The digital world is changing as regulators become more active in enforcing the human right to privacy. Many organisations may need to change how they do business online, including how they market and sell. At present, the impact on Irish firms has yet to be fully felt, but it is a sign of things to come, as seen with the recent (21/02/2022) announcement of a draft decision by the DPC to stop Meta sending EU data to the US. As for the proper use of cookies and transparency, there appear to be some inconsistencies; the Belgian authority saying there must be a "reject all" and the DPC in their cookie guidance saying a "manage preferences" is acceptable. We are of the opinion that the former will prevail, and each consent management platform must have a reject all on it, but also allow users to go back and manage their preferences.

Organisations need to begin looking for alternatives to third-party cookies and reimagining their online presence.

  

Further reading

Transparency and Consent Framework Ecosystem

The  is a brief document designed to give an understanding of how the Transparency and Consent Framework (TCF) operates. For more information, please talk to your website developer or see the IAB Europe's website.

Main Parties of TCF

  1. Publishers — Parties who make advertising space available on their website or in their application and who are in direct contact with users whose personal data are collected and processed. A publisher may provide a CMP on its website or in its app to enable it to seek and manage the consent of visitors/users to the processing of their personal data and to facilitate the operation of TCF. Publishers decide which adtech vendors may collect data through their website and process their users' personal data (and/or access their devices) and for what purposes.
  2. Adtech vendors — Companies that receive personal data from publishers in order to fill advertising spaces on publisher websites or in publisher apps, such as advertisers, SSPs, DSPs, Ad Exchanges, and DMPs.
  3. Consent Management Platforms — Specifically for TCF, there are also companies that offer so-called "Consent Management Platforms" (CMPs). Specifically, a CMP takes the form of a pop-up that appears during the first connection to a website to collect the Internet user's consent to the placement of cookies and other identifying information.

How the “Framework” works

  1. User accesses webpage or app belonging to the publisher
  2. Website or app activates a consent management platform (chosen by publisher)
  3. The consent management platform checks for "eu-consent-v2" cookie on the user's device through the "consensus.org" domain
  4. If there is no cookie identified or if there is an update necessary, then the consent management platform will show the permission UI
  5. The user clicks "accept all", "reject all", or "save" in the consent pop up
  6. The consent management platform generates an "eu-consent-v2" cookie to update the user's preference

Are you using the TCF?

Approximately 80% of websites in Europe rely on the TCF. To find out if a website does, you can search for the cookies mentioned above or get in touch with the website developer.