Skip to main content

Clifford Chance

Clifford Chance
All

Data

Talking Tech

The European Commission Cookie Pledge – the state of play and way forward

Data Privacy Consumer 5 February 2024

Introduction

The European Commission is working towards introducing a voluntary Cookie Pledge in April this year, with the aim of better empowering consumers to make effective ad choices and alleviating cookie fatigue. The Commission hopes to see adoption by organisations across sectors, with a focus on those in the advertising space. While the Commission has attempted to engage externally through a series of discussions, stakeholders continue to have concerns about the latest draft of the Cookie Pledge. These include:

  • Conflicting legal frameworks and legal uncertainty
  • Negative impact on the consumer experience
  • Implications for companies' rights to determine their own business models
  • Detrimental effects on media plurality and the advertising ecosystem
  • Practical issues with implementation and the lack of a credible assurance ecosystem.

We have been tracking the development of the Cookie Pledge closely (see our previous article: The European Commission's Cookie Pledge Proposal – open questions and principles for possible ways forward), conducting legal and policy analysis and engaging with a broad range of stakeholders through a series of roundtable discussions. Drawing on this work, this article sets out our updated analysis on the latest pledging principles for the Cookie Pledge published by the Commission.

Background and recent developments

The Cookie Pledge initiative was first announced in March 2023 by the Commissioner for Justice and Consumers. Since then, the Commission has engaged in a series of discussions with stakeholders from across the advertising ecosystem regarding the proposed seven pledging principles of the Cookie Pledge. On 19 December 2023, the European Data Protection Board (EDPB) published its substantive comments on the draft pledging principles and the Commission held a second meeting with the stakeholders.

With European Parliament elections on the horizon, the Commission is moving quickly. It published the revised pledging principles in January this year, with organisations invited to respond with their comments by early February. Although the latest draft (seen by Clifford Chance) includes some helpful clarifications, stakeholders we have engaged with since felt that the changes did not go far enough, or to the heart of their concerns. A number of the EDPB's comments on the pledging principles, including in relation to conflicts with the GDPR, also remain unaddressed.

Parallel to the Cookie Pledge, the legal and regulatory landscape surrounding cookies and online advertising is continuing to evolve at pace. The EDPB recently issued the draft guidelines on the technical scope of Article 5(3) of the e-Privacy Directive (ePD). If adopted, these guidelines have the potential to significantly expand the scope of the ePD, and connectedly, the scope of the Cookie Pledge, exacerbating unresolved issues. [The EDPB response to the Commission on the Cookie Pledge clarified that the word "cookies" covers not just traditional cookies but any other systems tracking users' online navigation such as pixel tags, fingerprinting and local storage.] Organisations must also consider new case law, existing guidance from the GDPR supervisory authorities, as well as newer regulations such as the Digital Markets Act (DMA) and the Digital Services Act (DSA). Finally, the future of the long-awaited e-Privacy Regulation remains uncertain.

Conflicting Policy Aims and Legal Frameworks

There continues to be significant misalignment between the proposed pledging principles and the existing legal and regulatory framework, a key issue raised by the stakeholders from the outset of the Cookie Pledge initiative. The aim of the Cookie Pledge to reduce the amount of information consumers receive across the board runs counter to some of the GDPR's requirements – i.e., to provide transparency in relation to the personal data processing in sufficient detail, in advance of processing, particularly where user consent is required. The proposed pledging principles are unlikely to be fully reconcilable with the GDPR's standards for "specific" and "informed" consent, as expressed by the EDPB and several data protection authorities. For example:

  • Principle A aims to reduce the amount of information presented to consumers by specifying that consent request will exclude information on strictly necessary cookies. However, as the EDPB points out, regardless of whether the tracker is strictly necessary, where user personal data is processed, organisations must still comply with the consent and transparency requirements of the GDPR.
  • Principle E states that consent to cookies for advertising purposes should not be necessary for every tracker, and Principle F suggests that once a consumer opts for a particular business model, additional consent for related tracking activities is unnecessary.

Both principles aim to reduce the frequency of consent requests but may be incompatible with the GDPR which requires that consent is informed and unambiguous and for specific consent to be given for distinct processing activities. These concerns have been underlined by the EDPB's response to the Cookie Pledge. The EDPB not only highlighted the conflict between the pledging principles and the GDPR/ePD, but also stated that signing up to the Cookie Pledge will not equate to or guarantee compliance by organisations with the applicable data protection and privacy framework. It noted that "more work is needed to propose pledging principles that would allow a majority of interested parties to adhere to them".

There is also a lack of clarity on how the pledging principles will interact with the DMA and DSA. Article 5(2) of the DMA, for example, stops gatekeepers from processing combined user data without explicit consent. Articles 27 and 28 of the DSA impose information obligations in relation to advertising on online platforms and recommends system transparency. These are legal requirements for detailed information disclosure, that are still taking shape, and awaiting future regulatory guidance. They will, like the GDPR, be detailed and specific, and may not fully align with the approach being proposed by the Cookie Pledge, which is to seek to reduce the amount of certain information, but to also give other information greater prominence.

Impact on consumer experience

The suggested exploration of Consent Management Systems (CMS) by the Cookie Pledge could undermine organisations' ability to speak directly to consumers, potentially impacting consumer empowerment, and their ability to make specific choices and give informed consent. A CMS is effectively a tool that allows users to express their preferences about what they consent to, in terms of cookies and other questions, in advance. Encouraging the use of all-encompassing consent solutions could result in consumers losing the opportunity to express specific preferences for brands they have different relationships with.

Principle G states that a consumer who has refused to consent to cookies should not be asked to accept cookies again for one year. If a third-party CMS is used, organisations may not be able to effectively communicate new information or changes to their services that could later impact the consumer's decision, thereby depriving consumers of the opportunity to reconsider their choices in a highly competitive and quickly changing market. If a consumer chooses to "reject all" trackers through CMS, this may result in them seeing irrelevant ads, content or products, reducing the quality of the overall user experience. The use of CMS also risks the potential concentration of power in the hands of large browser services, raising competition issues in terms of market concentration and data access and control.

Implications for companies' flexibility to determine their own business models

The Commission appears to be commendably focused on empowering consumers by giving them the right information about a company's business model so that they can make informed choices. However, several principles – B, C and D – appear to go beyond promoting transparency and prompt businesses to reconsider important aspects of their business models. The voluntary adoption of policies that look to reshape legal business practices is likely to be a non-starter for a wide range of organisations currently working to assess an evolving legal landscape, case law and regulatory guidance on many of the issues impacted by the Cookie Pledge. It may also have implications for business' rights under the Treaty on European Union (TEU) and the Charter of Fundamental Rights.

Principle B states that when content is financed at least partially by advertising, it will be explained upfront when users access the website/app for the first time. The recitals to this principle (read in light of the EDPB response) explain that, from the moment a business obtains revenues either by

  • exposing consumers to tracking-based advertising by collecting and using information about consumers' online behaviour through trackers
  • selling to partners the right to put trackers on consumer's devices through their website
  • using other types of advertising (e.g., contextual advertising – which may also require consent), the consumers must be informed of the business model in question at least at the same time as when cookie consent is required.

Principle C states that each business model will be presented in a succinct, clear and easy to choose manner, including clear explanations of the consequences of accepting or not accepting trackers. The recitals explain that cookies may be used to implement a business model and therefore this concomitance should be easily described, understood and implemented in one joint consent banner regrouping the agreements under consumer law and consent under the ePD and GDPR. In this consent banner, the business model options:

  • accepting advertising based on tracking
  • accepting other types of advertising
  • agreeing to pay a fee (presented in plain and simple language together with the consequences in terms of the purpose of trackers).

While Principles B and C aim to promote user education regarding the implications of their choices on privacy and content financing, there is no underlying legal requirement to supply this type of information on business models. In this sense, the pledging principles go beyond the current legal requirements to impose additional disclosure obligations for organisations.

Finally, Principle D requires that "if tracking based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less privacy intrusive form of advertising". It should be noted that three data protection authorities have recently requested the EDPB to give an opinion on the "consent or pay" business model but that this business model remains legal (see article in Global Data Review). The request was made on 26 January 2024 under Article 64(2) of the GDPR and the EDPB must adopt an opinion within 8 weeks, with a possible extension of a further 6 weeks. This also appears to be targeted at specific scenarios, and there is the question of whether a voluntary pledge that is meant to be generally applicable is the best place to address this. 

Effects on media plurality and the advertising ecosystem

Another area which the Commission does not appear to have scrutinised is the impact of the Cookie Pledge on the financial viability of media organisations, and the potential knock-on effect on the diversity of the EU's media and advertising ecosystem.

As set out above, Principle D states that "if tracking based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less privacy intrusive form of advertising". This would mean that an organisation signing up to the Cookie Pledge must offer not to show targeted ads and reject the use of the "consent or pay" business model which has legal support from a European Court of Justice judgment and guidance from several data protection authorities including those of Austria, Germany, France and Spain. As noted above, it is also under review by the EDPB.

Businesses such as publishers who rely on varying forms of advertising for their primary revenue will likely be impacted the most by adopting this pledge, though others across the ecosystem will also struggle to agree with this approach. A decrease in advertising revenue may lead to financial strain for publishers, potentially reducing media diversity and plurality, and ultimately limiting consumer choice and access to free content – potentially risking the viability of the free and open internet and taking away what consumers are able to enjoy currently.

Principles B and C do not appear to consider the reality of the ad-tech ecosystem. For example, Principle C refers to presenting three business model options. This appears to ignore the fact that different businesses use different business models, and not all businesses will have the same level of reliance on advertising, and therefore personal data processing and onward sharing. Additionally, changes can be effected in a variety of ways (e.g., limiting data points on customers or differential treatment between first party and third-party cookies). Organisations may use tracking technologies not just for placing targeted ads but also other purposes such as website personalisation, providing a personalised shopping experience or monitoring performance of certain content. The Cookie Pledge will have a more significant impact on businesses that rely on digital advertising models and therefore would impact certain businesses more than others.

Practical issues with implementation

The pledging principles as currently drafted do not resolve the aforementioned stakeholder concerns nor provide sufficient practical solutions or suggestions on how organisations can fully comply with the existing legal and regulatory requirements whilst upholding the pledging principles. Even if an organisation agrees with the objective of the Cookie Pledge, the expectations of the pledging principles are unclear and it is difficult to see what implementation will look like in practice.

While this is a voluntary pledge, many organisations are concerned that if certain businesses sign-up to the Cookie Pledge whilst others do not, this will cause fragmentation of data practices amongst the ad-tech ecosystem. A question of whether a business can commit to some (but not all) of the pledging principles was raised in the previous Commission meeting, but such "pick and choose" approach is likely to be problematic as it may aggravate the issue of non-uniform application, creating confusion for consumers, and potentially reduce the value of the Cookie Pledge.

More information on governance would be required. It is currently unclear what would count as being "pledge compliant" and how and whether any sort of auditing would work, who would conduct it, and whether the outcomes of any such auditing would have relevance for any other regulatory or legal purposes. The Commission has stated that it will prepare a document on the practical aspects of the Cookie Pledge and its governance, however this remains to be seen.

Possible ways forward – principles for consideration

In light of the above, we proposed a set of principles the Commission and organisations could consider as they seek workable solutions, in our first article. These have since been updated to reflect further stakeholder engagement and updates to the pledging principles.

Organisations should be able to offer consumers a choice of advertising models other than tracking-based ones, communicating and presenting those choices in a clear and transparent manner.

  • The primary underlying legal instrument (the ePD) does not prohibit advertising. Depending on their business model, organisations should have the option to offer users advertising models other than tracking-based ones, where feasible. However, that approach may not be universally applicable, especially where the user's immediate activity may not provide enough context for meaningful contextual advertisements. Organisations should not be obliged to offer advertising models that they do not consider viable. Further, as we note above, more work is needed by the Commission on the interplay between contextual advertising and the ePD's requirements for consent.
  • Emphasising that organisations should retain the right to communicate to their users independently would be a constructive and positive step.
  • Users should have simple and clear ways of changing their preferences later on as a result of choices they make.
  • Organisations should have the right within the Cookie Pledge to remind users that the advertising model adopted by them is compliant with the relevant legal frameworks.
  • The Cookie Pledge should not force organisations to reject certain business models.

Organisations should have the option to give their customers a choice whether or not to use automated solutions implementing tracking-free personalisation technologies for ads, such as CMS models.

  • It should be possible for organisations to choose a CMS or other approach that works best for them, and is legally compliant.
  • CMS providers should be encouraged to collaborate with industry and agree on transparency and UX approaches for how choices will be presented to users.
  • It should be emphasised that some organisations will follow a CMS route, whilst others may not consider it appropriate. This should be acceptable as long as adequate, legally compliant transparency is delivered.
  • Organisations should be able to communicate with customers via a just-in-time pop-up asking whether they would like to continue on the basis of the preferences they have expressed through CMS, clarifying that those preferences may restrict personalisation, and they may not be able to configure their choices as easily as declining. The use of CMS should not preclude organisations from flagging to a user, the various benefits or personalisation they may be losing should they adopt more restrictive CMS settings.
  • Any voluntary pledging principles in this regard should be endorsed by the GDPR supervisory authorities and the EDPB, with clear guidance on the question of when and how CMS may be used in a lawful manner.

The evolving legal landscape, best practice and proportionality should guide approaches to informing consumers about the business model of a website or company, and about the different tracking methods used, in an upfront and transparent manner.

  • Many organisations agree that it is important to disclose information and already take steps to be more transparent in this regard.
  • A graded and tailored approach to how much information is required for different business models may be worth considering. Some B2C organisations already invest heavily in transparency and marketing, to make consumers aware of their business model. Ecommerce marketplaces are an example of this, where the service offering and wider ecosystem is clear to most consumers, and user concerns are low.

Conclusion

The Cookie Pledge initiative is a well-intentioned effort to address the issue of cookie fatigue and consumer transparency, particularly given the stalemate around the long-awaited e-Privacy Regulation. However, the current draft of the pledging principles has raised a number of significant concerns from stakeholders, highlighting the complexities and challenges inherent in aligning voluntary measures with existing legal and regulatory frameworks.

The pledging principles, as they stand, risk creating further legal uncertainty, undermining the consumer experience, and potentially adversely impacting the current advertising and media landscape, which could have significant democratic and economic consequences. The concerns raised by stakeholders and the EDPB suggest that in its current form, the Cookie Pledge may not be the best solution for simplifying how consumers better manage personalised advertising choices.

A voluntary pledge would be more effective if it were to explicitly align with existing legal requirements, closely tracking those on the horizon, and should also respect the diversity of business models and consumer preferences. A collaborative effort between the Commission, stakeholders, and data protection authorities is essential to ensure that any future iterations of the Cookie Pledge are practical, proportionate, and capable of achieving the intended goals without unintended consequences.

The principles we have proposed offer a starting point for further dialogue and refinement. They emphasise the importance of choice, transparency, and the right of organisations to communicate directly with consumers. These principles also recognise the need for flexibility and proportionality in informing consumers about business models and tracking methods.

Toolkits & Client Log-in