EU: IAB Europe guide on post-third-party cookies calls advertisers to adapt to a "more privacy-concerned environment"
The Guide addresses, among other things, the contributing factors to the depletion of third-party cookies, the impact of stakeholder usage of proprietary platforms, and the consequences of ad verification and measurement. Moreover, the Guide identifies challenges and solutions to the post-third-party cookie advertising ecosystem, as well as how organisations can contribute and become involved in the development and implementation of solutions.
Legal reforms and their impact on third-party cookies
The Guide outlines that the key development areas in digital advertising which have contributed to the depletion of third-party cookies are:
- The legal environment related to consent and tracking. In particular, the Guide notes that is no single overarching law or framework regulating online privacy, and that the legal landscape is continuously evolving. The following legislation is listed by the Guide as the main relevant regulations for consent and tracking:
- Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') and the Proposed Regulation on Privacy and Electronic Communications ('the Draft ePrivacy Regulation');
- General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'); and
- California Consumer Privacy Act of 2018 ('CCPA').
- Browser gatekeeping. Companies are proactively offering increased privacy protections as a competitive advantage.
- Ad blocking. Defined by the Guide as a browser's capability which removes online advertisements displaying on a website or web page.
In relation to the above legal developments and their impact on the depletion of third-party cookies, Rafael Garcia del Poyo, Samuel Martinez, and Mario Gras, Partner, Senior Associate, and Associate respectively at Osborne Clark LLP, told OneTrust DataGuidance, "The current legal framework may play a significant role in the depletion of third-party cookies, [especially] after the recent publication of the Guidelines 05/2020 on consent under Regulation 2016/679 by the European Data Protection Board ('EDPB'). […] Thus, in the context of users generally refusing third-party cookies, which may potentially imply a throwback in publishers' income, it would be key to address and implement new sources of advertising-derived revenue that do not undermine data subjects' fundamental right of data protection. Mitigating the impact of third-party cookies' depletion in advertising monetisation would probably be a major milestone for publishers, as they shall optimise the use of their advertising space while respecting users' decisions over the processing of their data."
On the same, Dmitry Alekseev, Senior Associate at ECIJA LEGAL SLU, specified, "With regards to publishers, while still responsible for compliance with ePrivacy [rules] and data protection regulations, there will no longer be a need to provide […] information on third parties placing trackers on a webpage, nor explain what type of trackers are placed, with associated secondary obligations such as ensuring that links to their privacy policies actually work."
The impact on ad verification and measurement
The Guide outlines that whilst the depletion of cookies is the latest relevant change in the advertisement industry, ad verification and measurement have already started to adapt to a cookie-depleted world. On the one hand, the Guide states that ad verification will be able to continue as before, since it does not need to rely on cookies to detect fraud, deliver brand safety, or measure viewability. On the other hand, the Guide outlines that in relation to measurement practices, organisations can no longer rely on third-party cookies to identify exposure to advertising online.
In relation to the management of organisations' privacy programs, Márton Domokos, Senior Counsel at CMS Cameron McKenna Nabarro Olswang LLP Budapest, highlighted that, "[Considering both] the ePrivacy Directive and the GDPR (not to mention the upcoming Draft ePrivacy Regulation), publishers and advertisers must act carefully and in compliance with all that legislation when updating their privacy program. Transparency and a user-friendly explanation on any new advertisement verification and measurement solution must be an essential requirement."
Furthermore, Alekseev recommended, "With no third-party trackers, advertisers would have to come up with innovative solutions not based on third-party trackers; in this sense, one of the available options is to take into account both the current applicable regulation and, in particular, its forthcoming successor, leaving the solution outside of the definition of 'trackers.' However, […] this is not an obligation set out by applicable regulations, but rather a voluntary action which is intended to provide comfort to privacy-concerned users."
The Guide outlines some alternative approaches to the use of third-party cookies, including, among other options:
- identity solutions, such as the use of Customer Relationship Management ('CRM') platforms' data and Mobile Advertising IDs ('MAIDs');
- the use of other advertising data to make targeting decisions; and
- contextual intelligence.
In relation to potential alternatives to the use of third-party cookies, Alekseev commented, "The most common ones will rely on including an identifier within first-party cookies which later can be read by demand-side platforms ('DSPs'), thus excluding the usage of third-party cookies as the information (although subject to consent requirements) shall be contained in a cookie directly placed by the website operator. However, […] the final text of the Draft ePrivacy Regulation [will clarify whether] these mechanisms (e.g. third parties placing information within a first-party cookie) will not be considered as third-party tracers."
In addition, Garcia del Poyo, Martinez, and Gras, advised, "[…] There are tools that may be considered to perform digital marketing activities and that would not imply in principle as much impact on the privacy of users as third-party cookies and other digital advertising programs, [such as] sponsoring content and influencer marketing. If advertisers sponsor the adequate influencer for their marketing campaign, they may better target the audience they want to address."
The Guide reiterates that many advertisers and agencies have reverted to CRM platforms, which have seen, together with email, a renaissance in the recently more privacy-conscious environment, and become increasingly important in the programmatic and digital landscape.
In relation to the legal basis for processing CRMs data, Domokos outlined, "Historically, the management of CRMs data has been based on the individual's consent. However, the use of Recital 47 of the GDPR might be tempting. [In fact], relying on legitimate interest is easier than consent management in the CRM system. [However], companies must be careful. A proper industry and customer specific 'legitimate interest balancing test' is a must, and […] companies must prepare for the management of costumers' complaints [on the same]; otherwise, they [won't be able to] fully utilise the benefits of CRMs."
On this matter, Garcia del Poyo, Martinez, and Gras, commented, "Although legitimate interest is expressly envisaged in the GDPR as a potential legitimate basis for the processing of personal data for direct marketing purposes, the safest approach for such processing would be to require consent from users. Processing personal data under a legitimate interest in the context of programmatic advertising may be a risky business if conducted without care, especially as it might be complicated to assess and justify that such legitimate interest must prevail over the rights of the user."
The Guide highlights that, unlike cookies, a MAID is an identifier provided by the mobile device's operating system, and that it is transparently designed with advertising in mind. As a consequence, the Guide provides that MAIDs offer a reliable, pseudonymous, stable, and safe identifier of mobile activity, as well as a more permanent way to meet compliance with privacy legislation and protect consumer privacy.
Specifically, Garcia del Poyo, Martinez, and Gras, noted, "MAIDs may rely on identifiers, which (although pseudonymised) ultimately relates to the personal data of the user whose processing requires a legitimate basis in order to be conducted. It is important to note that pseudonymisation should not be used as an instrument to freely enable data processing activities at the sole discretion of the operator, but a due security measure (expressly envisaged in the GDPR) for the processing."
In addition, Domokos emphasised that, "[Although] MAIDs appear less intrusive from a privacy perspective, [operators] must not forget that they can still be considered as personal data, and that the GDPR must apply. [Therefore, in order to] ensure Privacy by Design, data security measures and pseudonymisation techniques [must be taken into account]. Privacy information must also be transparent and explain the nature and purpose of the identifiers in a user-friendly manner."
The Guide states that contextual targeting has evolved considerably in the age of Big Data and artificial intelligence ('AI'). The incorporation of advanced statistical methods, machine learning, and semantic analysis has the potential to create insights at scale. Therefore, the Guide provides that advertisers could use contextual targeting at scale as a substitute for cookie-based targeting, since contextual advertising uses information about the content of the page, and not bid or impression data.
On the potential impact of contextual advertising, Domokos commented, "Contextual advertising requires machine learning, and companies must consider not only the current customary privacy requirements, but also the upcoming AI regulations. Although these legal requirements are not expressly regulated at this day, it is very likely that they will become GDPR-like standards in the next few years."
Moreover, Alekseev noted, "Analytical or predictive approach would (have to) prevail over deterministic models. With the non-stop development and enhancement of Big Data AI solutions, [operators] should be able to create models (including audiences) on the basis of information coming from first or second-party cookies experience and statistical analysis, without the need to acquire third-party data."
The use of first-party data
The Guide stresses that it is important for advertisers to better understand their own customers, and that their first-party data will be key to this. For example, publishers may offset the loss of third-party cookies by establishing more first-party data through subscriptions or logged in users.
In relation to the use of first-party data, Domokos outlined, "First-party data is a company's most valuable dataset and, as such, the risk of a potential data breach is also higher, in particular from a reputational perspective. On the other hand, digital advertising programs require a continuous discovery of new ways to utilise the available data. [Therefore], organisations must [collect] consent carefully, [covering] the specific data use scenarios, also bearing in mind potential new advertising techniques."
In addition, Garcia del Poyo, Martinez, and Gras, commented, "Optimisation of the use of first-party data could be a good solution for the purpose of adapting advertising programmes to provide a more intelligent targeted advertising free of third-party cookies, without ignoring the requirements from data protection laws. However, [operators] might face similar privacy concerns to the use of third-party cookies, as long as data processing for direct marketing purposes is involved. [Therefore], direct electronic communications may also be an alternative, implementing subscription programs that enable the sending of marketing communications to the user, [bearing in mind that] these programs require the consent from the user."
Lastly, Alekseev highlighted, "Another point to take into consideration is the renewal of the sources from which the data is obtained. […] Organisations might want to focus on building audiences through combination of information on the visitors of their websites obtained through first-party cookies with data from offline databases."
The Guide reveals that the industry is embracing the changes related to the depletion of third-party cookies, providing the necessary steps to ensure digital advertising will continue to function. As such, the Guide calls industry stakeholders to work together in order to ensure that digital advertising continues to deliver relevant content to consumers and support quality European media.
Garcia del Poyo, Martinez, and Gras noted, "The digital marketing industry is moving towards a more privacy-concerned environment, and the current programmatic advertising practices will need to adapt to this new reality. In other words, advertisers and publishers shall provide users with control over the processing of their personal data for marketing purposes."
Lastly, the IAB stated that its Programmatic Trading Committee will be updating the Guide on a regular basis to provide the latest information and guidance on market alternatives to third-party cookies.
Matteo Quartieri Privacy Analyst
Comments provided by:
Rafael Garcia del Poyo Partner
Samuel Martinez Senior Associate
Mario Gras Associate
Osborne Clark LLP
Dmitry Alekseev Senior Associate
ECIJA LEGAL SLU
Márton Domokos Senior Counsel
CMS Cameron McKenna Nabarro Olswang LLP Budapest