Blog

BLOG

EU Cookie Sweep: Data integration is OUT, Data aggregation is IN

PUBLISHED ON 15 SEPTEMBER, 2014

Drastic as it sounds, a whole range of cookies are on the verge of extinction in the EU’s latest online privacy turn. The French data protection agency (“CNIL”), whose director is the current chair of the Article 29 Working Party (“WP29”, grouping all of the national data protection agencies) has announced an EU-wide “Cookie Sweep” initiative starting tomorrow (September 15th) and lasting a week.

This initiative, aimed at getting a good understanding of the level of compliance across websites of all sorts, will soon (October 15th) be followed by a new wave of more worrisome audits.

Worst of all, this does not only affect European operators, but every world-wide operator whose website targets EU customers (yes, enforcement is another story). Not to mention the domino effect these initiatives normally have in Australia, Canada, Switzerland, Latin America or, eventually, the United States.

How will the “Cookie Sweep Day” work?

In essence, this is just a general crawl/scan of websites exploring the general level of compliance with the current legal framework.

What are the consequences in the short term? Being part of some general statistics at most.

What are the long-term consequences? Things will get uglier after October 15th, as you could receive a warning first (which could be published!) and be fined right after that.

It therefore becomes essential to bear in mind the most restrictive demands spanning across the European Union these days. In this regard, two very different realities await based on the type of cookies present in a website, always leaving behind the obviously exempted cookies “necessary for the delivery of the service” (session maintenance, shopping cart, etc.):

1. “Analytical” cookies: Digital analytics cookies that do not require express, prior consent if they fulfil certain requirements (laid out below).
2. All other non-essential cookies (ad server, affiliate networks, email marketing… and web analytics cookies that do not fulfill the said requirements) do require express consent prior to being served, which up to this point has been associated to “inferred” consent in the act of browsing past a clear notice.

The new scenario for “analytical” cookies

It had to be the French data protection agency (CNIL) who eventually came to the rescue with much more specific guidelines for this type of cookies, taking it up from where the UK’s ICO had previously left it.

These guidelines are fully consistent with a prior Opinion issued by the WP29 (Opinion 4/2012 on Cookie Consent Exemption). Going into the details, cookies associated to a web analytics or otherwise online measurement system will be exempt whenever five conditions are met:

1. It obfuscates the last two bytes in its IP address (something that Google Analytics is already doing, and that you can easily enable in Adobe Analytics, for example)
2. Does not last more than 13 months
3. It does not allow the integration of website activity data with ad servers, email marketing platforms or any other digital advertising solutions at granular level
4. It is not used for anything that goes beyond “audience measurement”, expressly excluding CRM integration or the storage of user-specific properties (no matter how anonymous!).
5. Is accompanied by sufficient notice about its function and an opt-out is allowed.

What happens if you get all five points right? That you will escape what follows… And think, for a start, about the tremendous impact this can have on your cookie acceptance levels and the statistical significance of the resulting data.

What to expect if you have to go beyond “analytical” cookies

Should the Cookie Sweep find advertising cookies or integration-driven analytical cookies of any sort… only a long awaited change in the current legal framework will save you from a very uncertain future. For a start:

• A “prior consent” interpretation of the cookie law is spreading fast. This interpretation does not accept a simple pop-up or banner showing up on your screen while you keep on doing whatever it is you came to the website for. It calls instead for stopping short of serving *any* cookies (or browsing leading to their storage) prior to the individual’s express acceptance.
• Faced with this, should your opt-in system not really implement “prior consent”, you are in for months of legal limbo stress.
• On the other hand, should you decide to go ahead and implement the most restrictive option (proper opt-in) you will definitely risk rendering your cookies useless (a 42% rejection rate seems simply too optimistic). As a result, the effectiveness of whatever you do with your data is clearly in the air.

Can the first-party vs. third-party cookie distinction play in my favor?

To a very limited extent, it could. First-party cookies have generally been favored by regulatory bodies and privacy advocates (plus, as a result, they have better browser acceptance rates and easily pass Do Not Track checks), but the technical distinction that sets them apart -being tied to a domain name used by the website that serves them- has recently been dumped by the EU lawmaker in favor of a “first-party” definition that simply refers to the legal entity serving the cookie. This basically discriminates against any cloud-based service managed by anybody who is not the website operator or a given third party with whom a data controller-data processor agreement has been signed.

But do not dust off that old Webtrends 5 cd yet. Compliance with the above can be obtained with any solution, even in the worst case technical third-party + legal third-party scenario. You will simply need to make a stronger case in terms of privacy policy and internal controls (eg. restricting cross-domain tracking to your very own digital properties).

Does this mean multichannel attribution, customer journeys and the “single view of the customer” are doomed?

They clearly ARE doomed if you decide to deploy the highest level of compliance possible. You will not be serving any cookies prior to obtaining consent, and YOU KNOW what people do when asked to accept something they do not entirely understand. Just play around with the (great) tools provided by the likes of Ghostery and imagine those lightboxes welcoming users on your site.

Does it mean Google Analytics Premium or Adobe Data Connectors break the law?

Of course not, but the “analytical” cookie guidelines make it clear that they will cease to work in your benefit whenever data integration at granular (user) level becomes available. As a result:

• Google (Universal) Analytics Premium will have to go for the extra level of permission if integrated with DoubleClick, mobile identifiers, CRM or any other platforms, which is one of its main benefits.
• Data Connectors in Adobe Analytics (formerly Omniture Genesis) is faced with a very similar challenge, as their entire point is building a single view of the customer across different digital marketing tools.

How about Tag Management Systems? Do they not go around this hurdle?

TMS will definitely make your life easier in many ways, even automating the opt-out and notification process for you (as an alternative to ad hoc solutions), but they cannot change whatever it is you are doing under their surface.

So, if used for the sole purpose of intermediating with systems serving “analytical” cookies, you will escape the need for express consent, as you would without a TMS.

On the other hand, using a TMS-originated cookie to build a single profile of the customer across multiple properties and systems will take you in the opposite direction of the new regulatory regime and therefore require express, prior consent.

Ok, I give up the cookies. But I have something better: I will use Fingerprinting!

Forget it. The CNIL has already warned that fingerprinting is affected by these very same rules. In fact, the ePrivacy Directive that sets the basis for national cookie laws does not even mention “cookies” at all, aiming to be truly technology-agnostic.

This cannot be true. I want to comply fully, but I have my data integration needs!!

I did say it was drastic. You can always forget about a few European countries and go on with your life hoping this annoying trend will never get to your corner of the world; expecting the Internet to work the way it is supposed to. Expecting people to have a minimum sense of personal responsibility, configure their browsers with the same diligence that they check the oil in their cars, and follow the rules that the websites they visit lay out in a transparent manner.

Now, if you still want to go for worldwide domination and future-proof universal coverage, perhaps you want to study the alternatives:

1. Data integration at granular level is becoming harder every day. You wanted a 360-view of the customer and the customer is every day more distant from her/his other selves: mobile, web, social profiles, offline profiles.
2. Using the individual as a “primary key” in your over the top data warehouse was laudable in the 90s, the years of early CRMs and failed BI projects. “Liquid” integration based on anonymous aggregates is the new way to go. We just have much more data, and much less uniformity.
3. You can still dump the vast amount of information that you gather, however disperse, into large scale data repositories (Google BigQuery or Amazon Redshift are in the ascent), and that data does not necessarily have to be intertwined by unlimited “causality” relationships. Correlation is taking over, as a means of prediction and as a powerful decision-making tool.

What do you think? Is it not worth exploring the many options of data aggregation prior to getting into further compliance hurdles with a never-ending data integration project?