— PART II —
Privacy Laws And Third-Party Cookies
Welcome to our second installment in our eight-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into cookies for a baseline understanding of the technology and why the phase-out of third-party cookies in particular is so relevant to every player in the adtech ecosystem. In this post, we survey the current privacy legal landscape regulating the use of third-party cookies to collect, track, and share personal information.
The proliferation of European and U.S. state privacy laws and regulations over the last several years has directly impacted companies’ ability to leverage third-party cookies for digital advertising and is one of the main drivers behind the phase-out of the third-party cookie.
GDPR and the ePrivacy Directive
As most people know, the leading privacy law in the European Union (“EU”) is the General Data Protection Regulation (“GDPR”), which came into effect in May 2018. However, the regulation of cookies actually dates back to 2009, when the EU amended its ePrivacy Directive to extend to third-party cookies. Passed in 2002, and originally focused on the confidentiality of electronic communications, the ePrivacy Directive has come to be known as the “Cookie Directive” as its 2009 amendment required consumer consent for almost all third-party cookies. The only type of cookie excluded from the ePrivacy Directive consent requirement is the strictly necessary cookie.
The GDPR requires a legal basis for any personal data collected and removes any doubt that most cookies, by their nature, involve the processing of personal data. Under recital 30 of the GDPR, cookies are generally considered personal data if they can be used to identify users. Article 4(11) of the GDPR defines “consent” as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” With the adoption of the GDPR, EU regulators have combined the consent definition of the GDPR with the cookie consent requirement of the ePrivacy Directive.
Prior to the adoption of the GDPR, website publishers generally attempted to comply with the ePrivacy Directive’s consent requirement through a consent banner that notified website visitors that the website deployed cookies and provided a link to an opt-out mechanism. Since the implementation of the GDPR, EU regulators have required that website publishers obtain express opt-in consent before deploying non-essential cookies on a website visitor’s browser. And some EU regulators have gone even further. Recently, the Commission nationale de l’informatique et des libertés (“CNIL”), France’s independent administrative regulatory body tasked with ensuring the proper application of data privacy law, issued hefty sanctions totaling approximately 210 million euros against two large tech companies for failing to allow their users to reject cookies as easily as they may accept them.
To comply with the GDPR and the ePrivacy Directive, advertisers must:
- receive consent from the user before cookies are used (except for strictly necessary cookies),
- disclose accurate information regarding the data each cookie tracks, as well as its purpose before consent is attained,
- document and store user consent,
- provide an easy method to withdraw consent that was previously given.
Notably, these regulations apply to first-party cookies as well.
The combined requirements of the GDPR and ePrivacy Directive have led to the creation and adoption of industry self-regulatory tools like the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (“TCF”). The TCF is a cross-industry approach to standardizing compliance with the GDPR and ePrivacy Directive requirements, and to standardizing how publishers, advertisers, and adtech vendors disclose the purposes for which they collect and use personal data and obtain user consent.
Finally, the draft ePrivacy Regulation (“EPR”) will eventually replace the ePrivacy Directive. The EPR is intended to ensure consistency between the ePrivacy rules and the GDPR as well as update the scope of the ePrivacy Directive based on new technological developments. The European Parliament (“EP”) and the Council of the EU (“Council”) are currently in trilogue discussions on the EPR. Although this is the final stage in the EU legislative process, it is anticipated that it will be a lengthy one. The EP signed off on a draft in 2017, but the Council took a number of years to agree on an acceptable draft. This draft substantially differs from the EP-approved text and is the basis of current discussions. If the trilogue is completed in 2022, the EPR would apply in 2024 after a 24-month grace period.
U.S. State Privacy Laws
In the United States, California continues to be the leader in privacy protection laws. The California Consumer Privacy Act (“CCPA”) came into effect in 2020 and, like the GDPR, shifted the privacy protection regulatory and compliance landscape. Under the CCPA, businesses that sell personal information (“PI”) are required to disclose these sales and provide consumers with the right to opt-out of the sale of PI through a Do Not Sell My Personal Information (“DNS”) link. The CCPA’s definition of PI includes a “unique identifier,” which is “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, . . . cookies.” Sale is broadly defined to include all transfers of personal information to third parties for monetary or other valuable consideration.
Certain companies have taken the position that permitting third-party cookies on their websites is not a sale of personal information under the CCPA because there is arguably no transfer of personal information in that context. However, that conclusion is currently subject to serious debate. Last August, the California Office of the Attorney General (“OAG”) released a summary listing examples of its recent CCPA enforcement actions that make fairly clear that the OAG has effectively taken the position that allowing third-party tracking cookies on a publisher’s website constitutes a sale of PI under the CCPA. For instance, one enforcement example concerned a business that maintained “third-party trackers” on its website that shared consumer data with advertisers. The business neither imposed a contractual relationship on the third parties, nor processed consumer opt-out requests via a global privacy control. The company remedied noncompliance by working with a “privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.” This enforcement example strongly suggests that the use of third-party trackers, i.e., third-party cookies, amounts to a sale of PI unless the cookie provider is a service provider to the business.
The CCPA was recently revised and expanded through the California Privacy Rights Act (“CPRA”), which becomes effective on January 1, 2023. The CPRA resolves any uncertainty on the third-party cookie sale debate and explicitly allows consumers to restrict businesses from sharing PI for cross-context behavioral advertising. The CPRA also introduces several new opt-out rights, including the ability to opt out of “sharing” of consumers’ PI, which is distinct from selling. The statute defines sharing as disclosing consumers’ PI to third parties for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Cross-context behavioral advertising is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly‐branded websites, applications, or services, other than the business, distinctly‐branded website, application, or service with which the consumer intentionally interacts”. The California Privacy Protection Agency (“CPPA”), the newly formed regulatory agency charged with implementing the CPRA, will begin rulemaking to be completed by July 1, 2022, likely further defining businesses’ obligations under the CPRA with respect to the use of third-party cookies.
Two other recently passed U.S. state laws that take effect in 2023 also have third-party cookies in their sights. The Virginia Consumer Data Protection Act (“VCDPA”) allows consumers to opt out of targeted advertising. The statute defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” It is important to note that, unlike the CCPA, the VCDPA limits the definition of “sale” to an exchange of personal data for “monetary” consideration by the controller to a third party.
Similarly, the Colorado Privacy Act (“CPA”) grants consumers the right to opt out of the processing of their personal data for purposes of targeted advertising. Additionally, the CPA defines the “sale” of personal data broadly as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” Under the CPA, when a business sells personal data or uses it for the purposes of targeted advertising, the business must clearly and conspicuously disclose that, as well as how the consumer can opt out. Similar to the CPRA, the CPA mandates rulemaking to implement the opt-out obligations of the law, to be completed by July 1, 2023.
Finally, it is important to note the two self-regulatory CCPA frameworks in the United States applicable to third-party cookies: (1) the Interactive Advertising Bureau (“IAB”) and its CCPA Compliance Framework and Limited Service Provider Agreement (“LSPA”), and (2) the Digital Advertising Alliance (“DAA”) and its CCPA Opt-Out Tool.
The IAB approach requires participating publishers who choose to deploy third-party tracking cookies to California residents in connection with the programmatic delivery of digital ads to include information about the rights of consumers under the CCPA, to explain what will happen to data collected from them, and to communicate to the downstream technology companies they do business with that such disclosures were given. It also requires participating publishers who deploy third-party tracking to provide a DNS link. When a consumer clicks on the DNS link, it sends a signal to downstream adtech companies that have signed on to the LSPA indicating that the inclusion of that consumer’s information in profiles created for advertising purposes should cease. The IAB approach presumes that the deployment of a third-party tracking cookie may constitute a sale.
The DAA CCPA opt-out tool provides consumers with the ability to transmit requests under the CCPA for a browser to opt out of the sale of PI to one or more DAA participating companies. The DAA recommends a text link and green icon for publishers to display on their websites and apps. The text link should read “CA Do Not Sell My Personal Information” or other CCPA-compliant language, and must take users to a notice, which includes recommended language, that provides user information and control. Lastly, the opt-out tool is intended to let users opt out of the sale of their PI by any or all of the participating companies. Although the DAA tool arguably gives consumers broader privacy control than the CCPA requires, allowing consumers to opt out of the sale of PI across all DAA participating companies from one website or app, the DAA approach presumes that collection of data through third-party tracking cookies does not constitute a sale. As discussed above, recent enforcement actions by the OAG appear to undermine the DAA’s position.
Now that you have a better understanding of the legal and regulatory cookie landscape and the underlying technology of cookies from our last post, we will move on to the much-discussed demise of the third-party cookie. In the next several posts in this series, we will dive into the big tech phase-out of the third-party cookie and the emerging industry alternatives that will attempt to take its place.