Drastic as it sounds, a whole range of cookies are on the verge of extinction in the EU’s latest online privacy turn. The French data protection agency (“CNIL”), whose director is the current chair of the Article 29 Working Party (“WP29”, grouping all of the national data protection agencies) has announced an EU-wide “Cookie Sweep” initiative starting tomorrow (September 15th) and lasting a week.
This initiative, aimed at getting a good understanding of the level of compliance across websites of all sorts, will soon (October 15th) be followed by a new wave of more worrisome audits.
Worst of all, this does not only affect European operators, but every world-wide operator whose website targets EU customers (yes, enforcement is another story). Not to mention the domino effect these initiatives normally have in Australia, Canada, Switzerland, Latin America or, eventually, the United States.
In essence, this is just a general crawl/scan of websites exploring the general level of compliance with the current legal framework.
What are the consequences in the short term? Being part of some general statistics at most.
What are the long-term consequences? Things will get uglier after October 15th, as you could receive a warning first (which could be published!) and be fined right after that.
It therefore becomes essential to bear in mind the most restrictive demands spanning across the European Union these days. In this regard, two very different realities await based on the type of cookies present in a website, always leaving behind the obviously exempted cookies “necessary for the delivery of the service” (session maintenance, shopping cart, etc.):
It had to be the French data protection agency (CNIL) who eventually came to the rescue with much more specific guidelines for this type of cookies, taking it up from where the UK’s ICO had previously left it.
These guidelines are fully consistent with a prior Opinion issued by the WP29 (Opinion 4/2012 on Cookie Consent Exemption). Going into the details, cookies associated to a web analytics or otherwise online measurement system will be exempt whenever five conditions are met:
What happens if you get all five points right? That you will escape what follows… And think, for a start, about the tremendous impact this can have on your cookie acceptance levels and the statistical significance of the resulting data.
Should the Cookie Sweep find advertising cookies or integration-driven analytical cookies of any sort… only a long awaited change in the current legal framework will save you from a very uncertain future. For a start:
To a very limited extent, it could. First-party cookies have generally been favored by regulatory bodies and privacy advocates (plus, as a result, they have better browser acceptance rates and easily pass Do Not Track checks), but the technical distinction that sets them apart -being tied to a domain name used by the website that serves them- has recently been dumped by the EU lawmaker in favor of a “first-party” definition that simply refers to the legal entity serving the cookie. This basically discriminates against any cloud-based service managed by anybody who is not the website operator or a given third party with whom a data controller-data processor agreement has been signed.
They clearly ARE doomed if you decide to deploy the highest level of compliance possible. You will not be serving any cookies prior to obtaining consent, and YOU KNOW what people do when asked to accept something they do not entirely understand. Just play around with the (great) tools provided by the likes of Ghostery and imagine those lightboxes welcoming users on your site.
Of course not, but the “analytical” cookie guidelines make it clear that they will cease to work in your benefit whenever data integration at granular (user) level becomes available. As a result:
TMS will definitely make your life easier in many ways, even automating the opt-out and notification process for you (as an alternative to ad hoc solutions), but they cannot change whatever it is you are doing under their surface.
So, if used for the sole purpose of intermediating with systems serving “analytical” cookies, you will escape the need for express consent, as you would without a TMS.
On the other hand, using a TMS-originated cookie to build a single profile of the customer across multiple properties and systems will take you in the opposite direction of the new regulatory regime and therefore require express, prior consent.
Forget it. The CNIL has already warned that fingerprinting is affected by these very same rules. In fact, the ePrivacy Directive that sets the basis for national cookie laws does not even mention “cookies” at all, aiming to be truly technology-agnostic.
I did say it was drastic. You can always forget about a few European countries and go on with your life hoping this annoying trend will never get to your corner of the world; expecting the Internet to work the way it is supposed to. Expecting people to have a minimum sense of personal responsibility, configure their browsers with the same diligence that they check the oil in their cars, and follow the rules that the websites they visit lay out in a transparent manner.
Now, if you still want to go for worldwide domination and future-proof universal coverage, perhaps you want to study the alternatives:
What do you think? Is it not worth exploring the many options of data aggregation prior to getting into further compliance hurdles with a never-ending data integration project?
Not Another Dashboard.