Support Centre

EU: The updated IAB Guide on the post third-party cookie era - changes and residual challenges

The Interactive Advertising Bureau ('IAB') Europe released, on 4 February 2021, its updated guide on the post-third-party-cookie era ('the Updated Guide')1. The Updated Guide updates the guide originally released by IAB Europe in May 20202 and addresses, among other things, the impact of the depletion of third-party cookies on stakeholders and on digital advertising, the solutions that could replace the use of third-party cookies, and the suitability of said solutions for different businesses.

Photo by The Creative Exchange on Unsplash

Features of the updated guide

Regarding the most significant updates, Márton Domokos, Senior Counsel at CMS Cameron McKenna Nabarro Olswang LLP Budapest, highlighted that, "The guide mentions the applications of certain artificial intelligence ('AI') tools in the context of advertising (e.g. AI-driven approaches used to filter advertising and tracking, or contextual targeting). This clearly shows that the legal aspects of personalised advertisement affect not only data protection but must be investigated in a wider context. Advertisers must be ready to explain the nature of the algorithms and any automated data processing operations (e.g. data cleaning, match rates, attribution measurement) that help their advertising techniques. The Updated Guide puts a great emphasis on the impact on stakeholder usage of proprietary platforms. From a privacy perspective, this is still an unexplored area, and the Updated Guide provides a useful insight into the relationship of advertisers, publishers, consumers and the proprietary platforms."

Commenting on some attributes that the Updated Guide does not clarify, Domokos continued, "The Updated Guide does not provide detailed explanation on the underlying data flows – apparently this is an area that stakeholders should map for themselves. This must be assessed not only from a privacy perspective – for example, with regards to the ability to access ad-funded 'free' content, or the obligation to pay for content - but may from a competition law perspective as well."

Steps for preparing for the post-third-party-cookie era

With regards to how the operators will prepare for the depletion of third-party cookies, Domokos noted, "Operators must have updated information on these changes, to properly address alternative solutions they may have. This is not only a privacy question, stakeholders must also understand the underlying technology. Industry-wide solutions would be welcome, but this requires contribution from the stakeholders, in particular, communication between publishers, agencies and advertisers, and continuous identification and testing of ID solutions."

With respect to online operators relying on audience management, Domokos stated, "The Updated Guide also emphasises that agencies will create technology plans for advertisers to ensure that planning and buying continue in an audience activation manner. First-party data will become key again in understanding customers' behaviour. Hence, publishers will need to reorganise their audience data collection and extension strategies."

Third-party cookie alternatives

The Updated Guide outlines several solutions that are not based on third-party cookies and could be used as alternatives to third-party cookies, such as identity-based solutions, the use of other advertising data in making targeting solutions or the use of contextual solutions. Contextual solutions are presented by the Updated Guide as being closer to a 'consumer-centric strategy' and as focusing more on a deeper understanding of the context of a page, rather than analysing previous browsing behaviour or historical content or relying on cookies to effectively match content to people. Further commenting on the proposals for solutions not based on third-party cookies, Domokos highlighted, "The Updated Guide mentions ad verification as a specific example that does not need to rely on cookies to detect fraud, deliver brand safety or measure viewability. The use of these solutions falls within the legitimate business interests of the stakeholders; hence, they should be able to rely on the legal basis provided by Article 6 (1) (f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')."

An issue that arises with the alternatives to third-party cookies is how such solutions will comply with data protection requirements. In relation to the compliance of these new solutions with data protection and privacy requirements, Domokos made the following three points:

  1. "While using data for advertising related purposes, companies must still comply with the combined requirements of the proposed Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the ePrivacy Regulation') and the GDPR. Self-regulation tools will remain important, but organisations must be prepared that such tools will be under close scrutiny from the privacy professionals and data protection authorities, like in the case of the IAB Europe Transparency and Consent Framework.
  2. No matter how the tracking technology is called, user control and transparency of audience targeting will remain key principles. Operators must be aware and provide information to their users of what identifiable information they collect, to whom they can provide access and disclose information, when they delete it, and how they can ensure consumers' opt-out.
  3. Users' expectations will also be higher. As a result of the visible changes in the use of cookies (e.g. the rise of the cookie banners and cookie policies), users now also have a deeper understanding of the technologies, and it is likely that they would like to exercise more control over how their information is used in the digital advertising ecosystem."

Legislative changes and post-third-party-cookie solutions

With the adoption of the finalised mandate on the rules included in the ePrivacy Regulation3 and the inclusion of extended rules on the use of cookies within the mandate, a point that is still to be determined is how the ePrivacy Regulation will regulate the post-third-party-cookie era and its application to alternatives to third-party cookies. As such, Domokos concluded, "The use of identity-based solutions, or advertising data to make targeting decisions, and contextual intelligence may be subject to the ePrivacy Regulation as well. It is a recurring criticism that legislation is always far behind the technology, and studying the alternative approaches to the use of third-party cookies in digital advertising makes these concerns more valid than ever. We expect a strong debate in the next few years – during the finalisation, and in the course of the practical application of the ePrivacy Regulation – on the privacy treatment of the third-party cookie alternatives. The work of standards organisations and industry trade group initiatives may help in clarifying questions surrounding interpretation."

Suzanna Georgopoulou Privacy Analyst
[email protected]

Comments provided by:

Márton Domokos Senior Counsel
CMS Cameron McKenna Nabarro Olswang LLP Budapest
[email protected]