The way in which organisations conduct business online, manage their websites, and design customer journeys is set to change, due to changes in website cookie consent across the web. The Key changes to website cookie consent in 2022 are:
- The consent used for all cookies on 80% of EU websites may be invalid in six months. (Note that some of the current consents and permissions may be unlawful now.)
- Consider taking steps to stop using Google Analytics or identify alternative means for gathering analytics data.
- Effective immediately, Google Analytics should not be used in France or Austria, with other countries close behind.
- Regulators are beginning to take a firm stance on transfers to the US.
- The threshold for setting supplementary measures that effectively protect data from FISA 702 or the CLOUD ACT is high
There has been a recent trend where regulators are finding against various aspects of how website operators manage their domains. It is evident that a shift in how the online space functions are coming sooner rather than later as we see the method of consent gathering that 80% of EU websites being found non-compliant. As well as this, two regulators have deemed the use of Google Analytics unlawful, with others soon to follow suit. We have reviewed these findings and broken out the key points and actions you should consider.
Background to website cookie consent changes 2022
The Transparency and Consent Framework (see more about TCF here) is an advertising industry framework to help publishers, agencies and advertisers to meet their transparency and consent requirement under GDPR. It is a framework issued to manage consent for 80% of EU websites. See the further reading section for some brief information on how TCF works. It was established by IAB Europe, the European-level association for the digital marketing and advertising ecosystem that develops standards, policy, and undertakes research in those fields.
Closely linked to TCF is the use of Google Analytics. After the Schrems II judgement in 2020, NOYB issued 101 complaints to several regulators on using cookies. These have culminated in decisions by the French and Austrian regulators where it was found that Google Analytics is unlawful.
What do cookie consent changes mean for you?
These cases represent the new enforcement focus for many DPAs – "Cookie consent" and "third country data transfers". This focus will impact nearly every company that has an online presence. Essentially it means that the online world of business is poised to change.
What do you have to do?
When do you have to do it?
Organisations need to begin looking for alternatives to third-party cookies and reimagining their online presence.
Transparency and Consent Framework Ecosystem
The is a brief document designed to give an understanding of how the Transparency and Consent Framework (TCF) operates. For more information, please talk to your website developer or see the IAB Europe's website.
Main Parties of TCF
- Publishers — Parties who make advertising space available on their website or in their application and who are in direct contact with users whose personal data are collected and processed. A publisher may provide a CMP on its website or in its app to enable it to seek and manage the consent of visitors/users to the processing of their personal data and to facilitate the operation of TCF. Publishers decide which adtech vendors may collect data through their website and process their users' personal data (and/or access their devices) and for what purposes.
- Adtech vendors — Companies that receive personal data from publishers in order to fill advertising spaces on publisher websites or in publisher apps, such as advertisers, SSPs, DSPs, Ad Exchanges, and DMPs.
- Consent Management Platforms — Specifically for TCF, there are also companies that offer so-called "Consent Management Platforms" (CMPs). Specifically, a CMP takes the form of a pop-up that appears during the first connection to a website to collect the Internet user's consent to the placement of cookies and other identifying information.
How the “Framework” works
- User accesses webpage or app belonging to the publisher
- Website or app activates a consent management platform (chosen by publisher)
- The consent management platform checks for "eu-consent-v2" cookie on the user's device through the "consensus.org" domain
- If there is no cookie identified or if there is an update necessary, then the consent management platform will show the permission UI
- The user clicks "accept all", "reject all", or "save" in the consent pop up
- The consent management platform generates an "eu-consent-v2" cookie to update the user's preference
Are you using the TCF?
Approximately 80% of websites in Europe rely on the TCF. To find out if a website does, you can search for the cookies mentioned above or get in touch with the website developer.