Clifford Chance

Talking Tech

The European Commission's Cookie Pledge Proposal – open questions and principles for possible ways forward

Data Privacy Consumer 6 December 2023

The phenomenon of "cookie fatigue" has been a feature of digital life for some time. To address this, the European Commission (EC) aims to launch a set of voluntary pledges for advertisers, publishers and other stakeholders in the ad-tech space. To that end, the EC has been engaging in dialogue with stakeholders in the form of roundtable discussions, focusing on transparency for users on cookies and other similar tracking technologies currently in use, as well as exploring options that are not based on cookies for user tracking and advertising.

The proposed pledges are a significant development for our clients, consumers, advocacy groups and others across the online advertising value chain. We have been tracking the development of the pledges closely, conducting legal and policy analysis and engaging with a broad range of stakeholders. This article sets out some of the key themes, findings and unresolved questions that have surfaced in the course of our work. It also aims to identify solutions that satisfy the EC’s objectives and are workable for organisations looking to adopt the pledges. Lastly, we propose a set of principles that could guide the design of both regulatory and market-led approaches to helping consumers make better choices online. 

The Current Situation

Currently, the use of cookies in the European Union is regulated by EU Directive 2002/58/EC (the e-Privacy Directive) and the EU General Data Protection Regulation 2016/679 (GDPR). The e-Privacy Directive is implemented in most EU Member States by their respective Data Protection Authorities (DPAs). The DPAs are independent of the EU, and alongside the European Data Protection Supervisor (EDPS), are members of the European Data Protection Board (EDPB), which also operates independently of the EC. The EC is tasked with drafting legislative proposals and ensuring that EU law is applied in a uniform manner, but enforcement of the GDPR falls to the DPAs and EDPB. Therefore, both the DPAs and EDPB are essential stakeholders when it comes to calibrating compliance with the GDPR. The EDPB is currently reviewing the draft pledges from the perspective of whether they conform to the requirements of the GDPR and the e-Privacy Directive.

Under the current framework, organisations using cookies are required to inform users about the cookies present, explain their purpose and obtain individual users’ consent to store cookies on their device, unless exempted. Consent must be informed, specific, unambiguous and freely given. This has resulted in organisations either deploying cookie walls or cookie banners when users visit their website, to inform them about the cookies used and obtain consent, or, where possible, meeting the necessary requirements to use a legitimate interest legal basis under the GDPR for personal data processing. The proliferation of these banners, which are necessary for compliance with the EU laws mentioned above, has created a level of disruption to the user experience which is now being better understood and documented. It is important to note that consent is typically the only available basis for cookie-related processing under the e-Privacy Directive (see Bundesgerichtshof, BGH; I ZR 7/16 on 28 May 2020, “Planet 49”; see also guidance from the ICO and CNIL relating to cookie-related personal data processing).

Challenges and unanswered questions

Reconciling the pledges with existing legal requirements and regulatory expectations

One of the key issues acknowledged by the EC in the latest roundtable discussions on the pledges was the need for solutions being proposed through the pledges to be compliant with all existing regulations in the EU, even if the pledges' primary objective is to elevate consumer protection. Practically, this entails compliance with local implementations of the e-Privacy Directive and the GDPR. Attempts to do so are likely to be made complex for a number of reasons ranging from regulatory guidance to the proposed e-Privacy Regulation [See our article: E-Privacy check-in: where we are, and where we're headed] to the Digital Markets Act (DMA). One of the issues the pledges will be looking to solve for is the disparate attempts by national laws and regulators to enforce cookie requirements over the last decade or more. Without clear, documented and consistent guidance from supervisory authorities, who will need to make a concerted effort to map and align their existing guidance to the pledges, it remains to be seen whether organisations will be able to meaningfully keep to the pledges within the existing legal framework, with the assurance that they will not face greater regulatory scrutiny around different EU states (see the opinion issued by the German Data Protection Conference (DSK) on the draft BMVD regulation).

As organisations consider alternative tracking methods to cookies, they will be aware of the potential data privacy issues they will have to deal with, as noted by the EDPB in its recently published draft guidelines in respect of new tracking methods that have emerged. It remains to be seen whether organisations can practically adopt aspects of the proposed pledges whilst still ensuring compliance with the existing legal framework. The guidelines clarify the broad interpretation of the scope of Article 5(3) of the e-Privacy Directive and address its applicability to emerging tracking tools, which organisations may be considering as alternatives to cookies (as prompted by the EC in the context of the pledges). As such, this will potentially result in more, rather than fewer, instances of prior, opt-in consent.

Antitrust law considerations, GDPR and DMA requirements around consent (discussed in further detail below), and reconciling the currently applicable e-Privacy Directive with the proposed e-Privacy Regulation, which both strengthens and departs from current approaches in certain areas specific to cookies and advertising, also continue to pose a significant compliance hurdle.

Maintaining a level playing field for the digital economy and 'consent gatekeepers'

The EC has been considering a number of alternative technical solutions to the problem of consent fatigue that the pledges could support. These include whether and how 'tracking-free' advertising may allow user consent choices to be more automated than they currently are. The EC notes that existing laws, including, importantly, antitrust law, must be taken into account when considering existing and proposed solutions being developed by key industry players. However, in the absence of a specific review by the EC in this regard, it may be difficult for organisations signing up to the pledges to select solutions developed by some of the larger companies with prominent hardware and software that users rely on for accessing their services, with the assurance that those solutions would provide for a level playing field. At present, centralised solutions offered by some of these players, while seemingly convenient from a user perspective, may be seen by the wider industry, and indeed regulators, as potentially concentrating power in a limited number of organisations acting as consent gatekeepers for all other organisations. Centralised solutions may also run counter to the objectives of the EU's DMA, especially if those solutions are controlled by a few organisations.

Ensuring meaningful consent

Alongside this, the EC also acknowledges that users must be able to take granular approaches to making user choices, rather than being forced to adopt one-size-fits-all choices. This is not just good for consumers, but a hard requirement under the GDPR, which requires user consent to be freely given, specific, informed and unambiguous. It is likely to be challenging to reconcile this requirement with catch-all browser or device level consent mechanisms being applied across the hundreds of diverse services and business models that users engage with, because it might be argued that such blanket consent is not sufficiently specific, granular and unambiguous. This requirement is further complicated by the consent requirements for advertising and data pooling being introduced through the DMA, which run parallel to the GDPR and e-Privacy Directive. As things stand, data controllers looking to manage consent, and consumers using their service, risk facing more complex, rather than simpler and more streamlined, consent banners.

Informed decision-making based on market research and industry feedback

The EC has been making a concerted effort, through roundtables and the establishment of working groups, to establish industry consensus on the proposed pledges, and input from these stakeholders has been reflected in some of the EC's publications. However, it is unclear whether and to what degree the draft pledges will be informed by market research on (a) the scale and nature of the problems the pledges seek to address, and (b) feedback on practical compliance challenges being raised by industry. For example, do consumers believe that contextual ads are more desirable than interest-based ads, and are consumers equally concerned about all business models? A serious concern being voiced by a number of stakeholders is that, where the EC does rely on market research, this research runs the risk of being pooled and conflated across different sectors, and provided without sufficient context, ignoring the value of advertising. With transparency and choices across different business models sitting at the heart of the pledges, it is imperative that market research relating to the risks posed by different business models and consumers' risk appetite for the different business models is considered at a granular level. Bespoke solutions for different sectors are then likely to be required, proportionate to the evidence-based risk posed to consumers.

It is also important to note that the advertisers and brands are the ones driving the popularity, or not, of certain business models, as they decide where to invest in the market. This will make some business models more prominent and popular than others.

Consent management platforms may be able to fill some of the gaps this creates for consumers, but would need to build both services and user experiences at an unprecedented scale, based on what is as yet an unclear incentive structure and legal/commercial mandates. Stakeholders have already called for a diversity in approaches, allowing organisations to communicate directly with users to explain their service. This would not only be helpful for users, but critical to ensuring organisations are able to meet the required standard of consent under law.

Other questions that also remain include whether the pledges increase the likelihood that effective market solutions will be created and whether any proposed solutions allow publishers to effectively monetise their content.

Possible ways forward – principles for consideration

While the challenges outlined above are substantial, organisations and policymakers agree that "cookie fatigue" is affecting the consumer experience and needs to be addressed in a way that ensures consumers can make informed choices.

We propose some principles that both the EC and organisations might consider as they seek to agree on workable solutions. These are not advanced as an alternative to the EC's proposed pledges, but as points for consideration and discussion.

Best practice and proportionality should guide approaches to informing consumers about the business model of a website or company, and about the different tracking methods used, in an upfront and clear manner.

  • Many organisations agree that it is important to disclose information and already take steps to be more transparent in this regard.
  • The evolution of best practice around providing users clear and simple explanations of the different forms of tracking employed by a website would be a positive step. This sort of information would not all have to be presented to the user when they first use a site, but could be flagged for the user to engage with as they wish on a separate page, e.g. in a privacy policy or cookies help page.
  • A graded and tailored approach to how much information is required for different business models may be worth considering. Some B2C organisations already invest heavily in transparency and marketing, to make consumers aware of their business model. Ecommerce marketplaces are an example of this, where the service offering and wider ecosystem is clear to most consumers, and user concerns are low.
  • Improved education of consumers would also be a positive development in this space.

Organisations should be able to offer consumers a choice of advertising models other than tracking-based ones, depending on the model of the organisation, while communicating and presenting those choices in a clear and transparent manner.

  • Depending on their business model, organisations should have the option to offer users advertising models other than tracking-based ones, if that is feasible. However, that approach may not be universally applicable, especially where the user's immediate activity may not provide enough context for meaningful contextual advertisements. Organisations should not be obliged to offer advertising models that they do not consider suitable for them.
  • Emphasising that organisations should retain the right to communicate to their users independently would be a constructive and positive step.
  • Users should have simple and clear ways of changing their preferences later on as a result of choices they make.
  • Organisations should have the right within these pledges to remind users that the advertising model adopted by them is compliant with the relevant legal frameworks.

Organisations should have the option to give consumers the choice to use automated solutions implementing tracking-free personalisation technologies for ads, such as Consent Management System (CMS) models, and if they do, present those choices in a clear and transparent manner.

  • It should be possible for organisations to choose a CMS or other system that works best for them.
  • CMS providers should be encouraged to collaborate with industry and agree on transparency and UX approaches for how choices will be presented to users.
  • It should be emphasised that some organisations will follow a CMS route, whilst others may not consider it appropriate, and as long as transparency exists, that is entirely acceptable.
  • Organisations should be able to communicate with users via a just-in-time pop-up asking consumers if they are sure they want to continue on the basis of the preferences they have expressed in the CMS they have chosen, as it may be the case that those preferences may restrict personalisation of selection, or users may not recall/be able to easily update their choices. The use of a CMS should not preclude organisations from flagging to a user the various benefits or personalisation they may be losing should they adopt more restrictive CMS settings.
  • If an organisation supports a user’s preferences as expressed via a CMS, it should be made clear that this will satisfy the requirement that consent be freely given.
  • Any pledge should be endorsed by the relevant authorities, e.g. the EDPB.